Auditing Permission Changes on Windows File Servers and NAS Filers

Webinar Registration

File servers and NAS filers remain the biggest concentration of unstructured data in enterprises and it's growing all the time. Unstructured data is saturated with all kinds of sensitive and confidential data. File access control is managed by groups in AD and permission on the folders that hold those files.

Let's assume for the moment that all your group memberships are accurate and that your folder structure and permissions limit access so just the right people have just the right access to just the right information. That would be awesome – for an instant in time. Nothing's static. Group memberships are fairly easy to monitor with the Windows security log which I'm covering in another webinar this month.

But file permissions are another matter. Let's start out simple and say all your files are on Windows file servers – no NAS filers. So, enable File Access auditing at the server level and then enable auditing of the “Change permission” permission (sounds redundant but it isn't) on all the shared folders on the file server. Well you will start getting events – a lot of them. Probably more than you want.

In this webinar I'll

  • look at how to do file permission auditing on NTFS.
  • show you the good, bad and ugly and discuss ways around creating the flood of events that occurs when you change permissions on a single folder high up in the directory tree. And I'll explain the risks that go with that method.
  • demonstrate how to enable the proper audit policy at the server level via Group Policy and then how to enable auditing for only permission changes on selected folders. This will prevent an even more massive stream of events being generated every time a user simply browses a folder with Windows Explorer.
  • I'll also explain how to figure out what the permissions were before and after the change. It's a matter of decoding SDDL like this D:PARAI(A;;FA;;;SY)(A;;FA;;;BA). Looks fun, eh?

OK, so auditing permission changes is hard enough on Windows file servers but how many different filer appliances do you have? And each one of them does things a little differently. That's where our top sponsor, Dell Software, comes in. Brian Hymer will briefly show you how Change Auditor provides the easiest-to-understand file auditing solution I've seen. And it transparently supports Windows file servers as well as NetApp, FluidFS and EMC all with a single, normalized Who, What, When, Where, Why format.

Don’t miss this real training for free ™ Security Log Secrets event. Please register now.

First Name:   
Last Name:   
Work Email:  
Job Title:  
Zip/Postal Code:  
How many employees in your organization?:
Organization Type :

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources