How to Detect Who Read a File on 

Windows File Servers

Native Auditing vs. Netwrix Auditor for Windows File Servers
{{ firstError }}
We care about security of your data. Privacy Policy
Native Auditing Netwrix Auditor for Windows File Servers
Native Auditing
Netwrix Auditor for Windows File Servers
Steps
  1. Navigate to the required file share → Right-click it and select "Properties".
  2. Switch to the "Security" tab → Click the "Advanced" button → Go to the "Auditing" tab → Click the "Add" button.
  3. Configure the following settings: Principal: "Everyone"; Type: "All"; Applies to: "This folder, subfolders and files"; Advanced Permissions: "List folder / read data" → Click "OK" three times.
  4. Log on to your domain controller and run gpmc.msc → Create a new GPO and define its name → Go to “Computer Policy” → Click “Computer Configuration” → Choose “Windows Settings” → Click “Security Settings” and enable the following settings:
    • Local Policies → Audit Policy → Audit object access → Define → Success and Failures
    • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit File System → Define → Success and Failures
    • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit Handle Manipulation → Define → Success and Failures
  5. Go to Event Log → Define and specify the following settings:
    • Maximum security log size: 4GB
    • Retention method for security log: “Overwrite events as needed”
  6. Link the new GPO to an OU with file servers as follows: Go to "Group Policy Management" → Right-click the OU → Click "Link an Existing GPO" → Select the GPO that you created.
  7. Force a Group Policy update on the selected OU: Go to "Group Policy Management" → Right-click the OU → Сlick "Group Policy Update".
  8. Open Event Viewer → Search the Security Windows Logs for event ID 4663 with the string "Accesses: ReadData (or ListDirectory)" and review who read or attempted to read files on your file servers.
Detect Who Read a FIle with Native Auditing
  1. To find access auditing events, run Netwrix Auditor → Navigate to “Search” → Click “Advanced mode” if not selected → Set up the following filters:
    • Filter = “Data source”
      Operator = “Equals”
      Value = “File Servers”
       
    • Filter = “Action”
      Operator = “Equals”
      Value = “Read”
  2. Click the “Search” button and review who read or attempted to read files on your file servers.
Detect Who Read a FIle with Netwrix Auditor
Learn more about Netwrix Auditor for Windows File Servers

Secure Data on Your Windows File Servers with Regular Review of Access Attempts

Sometimes users are granted access rights that enable them to read files containing sensitive data they shouldn’t see. For example, an office manager might mistakenly have permissions to read documents of the Accounting department, which could lead to a security breach. In addition, users sometimes try to read files containing sensitive data they don’t have access to. Making sure to log file access attempts and regularly reviewing those events helps you keep access to sensitive information under control, thereby minimizing the risk of data exfiltration. 

In order to track object access events, you need to enable specific Group Policy settings in Active Directory or local security policy settings on your Windows file server; also, don’t forget to apply NTFS access auditing settings to check that file auditing is properly recorded in the security event log. But once you enable native file access logging, be ready to be swamped by the enormous number of read events generated by your users. To hone in on the events that matter, you need to either configure native filtering settings, which are not very informative and advanced filtering requires deep XML query understanding, or use a third-party solution.

Netwrix Auditor for Windows File Servers is a proven solution that delivers complete visibility into what’s happening on your Windows file servers, including both successful and failed read attempts. The subscription option enables IT pros to get file access auditing reports via email or on their file shares automatically, so they can keep easily an eye on suspicious reads and access attempts, as well as get detailed information about all changes and modified files. With the Interactive Search feature, they can easily investigate any particular file access log. These capabilities help IT administrators stay in control of sensitive data, thwart information security attacks and ensure compliance with regulatory standards. 

Related How-tos
How to Detect File Changes in a Shared Folder How to Detect Who Changed a File or Folder Owner How to Detect Who Tried to Modify a File or a Folder on Your Windows File Server How to Track Who Deleted a File from Your Windows File Servers How to Export Folder Permissions to Excel or CSV File How to Get an NTFS Permissions Report