How to Detect Who Tried to Modify a File or a Folder on Your Windows File Server

Native Auditing

  1. Navigate to the required file share → Right-click it and select "Properties".
  2. Go to the "Security" tab → Click the "Advanced" button → Switch to the "Auditing" tab → Click the "Add" button and define auditing:
    • Principal equals "Everyone"
    • Type equals "All"
    • Applies to: "This folder, subfolders and files".
  3. Select the following "Advanced Permissions":
    • Traverse folder / execute file
    • List folder / read data
    • Create files / write data
    • Create folders / append data
    • Write attributes.
  4. Run gpedit.msc → Go to the "Edit" menu.
  5. Create a new policy → Edit → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit object access → Define → Success and Failures
  6. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    • Audit File System → Define → Success and Failures
    • Audit Handle Manipulation → Define → Success and Failures
  7. Go to Event Log → Define:
    • Maximum security log size to 4 GB
    • Retention method for security log to "Overwrite events as needed"
  8. To link the new GPO to the OU with file servers, go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Select the GPO that you’ve created.
  9. To force the group policy update, go to "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".
  10. Open Event Viewer → Search the Windows Security log for event ID 4656 with the "Audit Failed" keyword, the "File Server" or "Removable Storage" task category, and the strings "Accesses: READ_CONTROL" and Access Reasons: "WriteData (or AddFile) Not granted". The "Subject: Security ID" field shows who tried to change the file.
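
The search in step 10 can also be run from PowerShell, which makes it easier to repeat and to summarize per account. This is an added example, not part of the original guide or of Netwrix tooling; it assumes English-language event text, a 24-hour look-back window, and an elevated session on the file server.

```powershell
# Added example: failed write attempts (event 4656, Audit Failure) from the Security log.
# Assumptions: English event message text; 24-hour look-back window; elevated session.
$filter = @{
    LogName   = 'Security'
    Id        = 4656
    Keywords  = 4503599627370496          # 0x10000000000000 = Audit Failure
    StartTime = (Get-Date).AddHours(-24)
}

# Get-WinEvent reports an error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$attempts = foreach ($evt in $events) {
    # Step 10 string: a write-type access that was requested but not granted.
    if ($evt.Message -notmatch 'WriteData \(or AddFile\):?\s+Not granted') { continue }

    # Named fields (SubjectUserSid, ObjectName, ...) are read from the event XML.
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }

    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        SecurityId  = $data['SubjectUserSid']
        ObjectType  = $data['ObjectType']
        ObjectName  = $data['ObjectName']
        Process     = $data['ProcessName']
    }
}

# Per-event detail, newest first.
$attempts | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Accounts with the most denied write attempts, and how many distinct objects each touched.
$attempts | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ Name = 'Objects'; Expression = { @($_.Group.ObjectName | Sort-Object -Unique).Count } }
```

An account with many denials spread across many distinct objects in a short window is worth a closer look than a single denied save.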

Netwrix Auditor for Windows File Servers

  • Run Netwrix Auditor → Navigate to “Search” → Click on “Advanced mode” if not selected → Set up the following filters:
    • Filter = “Data source”
      Operator = “Equals”
      Value = “File Servers”
    • Filter = “Action”
      Operator = “Equals”
      Value = “Modify (Failed Attempt)”
  • Click the “Search” button and review who tried to modify files and folders on your file server.

To create an alert on failed attempts to modify a file or a folder, do the following:

  • From the search results, navigate to “Tools” → Click “Create alert” → Specify the new alert’s name.
  • Switch to the “Recipients” tab → Click "Add Recipient" → Specify the email address where you want the alert to be delivered.
  • Click “Add” to save the alert.
