Loading ...

File Server Audit Logging via Group Policy

Recently going through the HIPAA compliance standards and dealing with “accidentally” deleted items on a file share has lead to a need for a standard file server audit logging policy that can be deployed to all servers via Group Policy Object (GPO). Here is the summation of my research:

File Server Audit Logging Policy GPO

1. Create a GPO and name it File Server Audit Policy
2. Set the following settings to enable advanced features and disable shutdown:

[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\]
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings – Enabled
Audit: Shut down system immediately if unable to log security audits – Disabled

3. Move down the tree structure to the following and edit these various auditing settings:

[Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\]
Account Logon: Credential Validation – Success and Failure
Account Management: Computer Account Management – Success
Account Management: Other Account Management Events – Success and Failure
Account Management: Security Group Management – Success and Failure
Account Management: User Account Management – Success and Failure
Detailed Tracking: Process Creation – Success
Logon-Logoff: Logoff – Success
Logon-Logoff: Logon – Success and Failure
Logon-Logoff: Special Logon – Success
Object Access: File System – Success
Policy Change: Audit Policy Change – Success and Failure
Policy Change: Authentication Policy Change – Success
Privilege Use: Sensitive Privilege Use – Success and Failure
System: IPsec Driver – Success and Failure
System: Security State Change – Success and Failure
System: Security System Extension – Success and Failure
System: System Integrity – Success and Failure

4. Change the following Maximum Log Size (KB) settings according to http://support.microsoft.com/kb/957662:

[Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\]

5. Open the Properties of the shared folder needing Auditing, click on Security tab and then on the Advanced button
Folder Security Properties Page
6. Click on the Auditing tab, if there is UAC prompt then click Continue and then click on the Add button

Folder Advanced Security Settings
7. Click on Select Principal, search for the Everyone security group and then click on the OK button
8. Change the Type to All, click on Show advanced permissions, check the boxes next to “Delete subfolders and files” and “Delete” and then click on the OK button
File Server Audit Logging Entry
9. Put a check next to “Replace all child object auditing with inheritable auditing from this object then click on the OK button
If your company is using a Windows Server for network file access and need help getting the File Server Audit Logging setup property for HIPAA compliance, then contact us for assistance.

Posted in : Audit Logging, Compliance, Group Policy, HIPAA, Maintenance, Servers

Leave a Reply

Your email address will not be published. Required fields are marked *

Archives

Categories

Plant a Seed @ 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2023- Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

[contact-form-7 id="452" title="Free Network Evaluation"]
And God will generously provide all you need. Then you will always have everything you need and plenty left over to share with others. As the Scriptures say,
“They share freely and give generously to the poor. Their good deeds will be remembered forever.”
For God is the one who provides seed for the farmer and then bread to eat. In the same way, he will provide and increase your resources and then produce a great harvest of generosity in you. - 2 Corinthians 9:8-10