How to Audit File System Access on Windows Server 2012 R2
File system auditing on Windows Server 2012 R2 writes an entry to the Security event log each time a file or folder that carries an audit rule is accessed by a user or process (registry keys are audited by the separate Registry subcategory and are not covered here). When properly configured, it provides forensic evidence for breach investigations, satisfies the access-logging requirements of frameworks such as HIPAA, PCI DSS, and SOX, and enables near real-time detection of unauthorized access to sensitive data. This guide covers enabling the audit policy, setting System Access Control Lists (SACLs) on sensitive directories and files, querying and filtering the resulting events, and archiving the logs.
Prerequisites
- Local Administrator access or Domain Admin for GPO deployment
- Identified sensitive data directories that require access auditing
- Understanding that enabling file system auditing on high-traffic directories generates significant event volume—size your Security log appropriately
- A log management or SIEM solution to archive and analyze the audit events
Step 1: Enable the Object Access Audit Policy
File system auditing only generates events if the Object Access audit policy is enabled at the policy level AND the specific file/folder has auditing configured in its SACL. Both must be configured:
# Enable file system auditing subcategory (recommended over basic audit policy)
auditpol /set /subcategory:"File System" /success:enable /failure:enable
# Verify
auditpol /get /subcategory:"File System"
# Optional: Handle Manipulation adds 4658 (handle closed) and 4690 (handle duplicated) events.
# It is very noisy and rarely needed for file access investigations; 4656 and 4663 are produced by the File System subcategory alone.
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
# Enable removable storage auditing separately if needed
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
Or configure via Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access → Audit File System → Success and Failure. On domain-joined servers prefer the GPO route: a GPO that defines advanced audit policy overwrites local auditpol settings at the next policy refresh, and once advanced audit policy is applied the legacy Local Policies → Audit Policy settings are ignored on that machine.
Step 2: Configure SACLs on Sensitive Directories
The SACL (System Access Control List) on a file or folder determines which principals and which operations are audited. Note that icacls manages DACLs only; it cannot set or display SACLs. Use the Auditing tab of the Windows Security dialog or PowerShell with the .NET ACL APIs. Writing a SACL requires the SeSecurityPrivilege ("Manage auditing and security log"), so run these commands from an elevated PowerShell session:
# Audit all access by Everyone on D:\SensitiveData, success and failure,
# inherited by subfolders (ContainerInherit) and by files (ObjectInherit)
$folder      = "D:\SensitiveData"
$rights      = [System.Security.AccessControl.FileSystemRights]::FullControl   # audit every operation
$inheritance = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]"Success, Failure"
$ruleArgs    = @("Everyone", $rights, $inheritance, $propagation, $auditFlags)
$auditRule   = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
# -Audit is required: without it Get-Acl does not read the existing SACL
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path $folder -AclObject $acl
Write-Host "SACL configured on $folder"
# To audit reads only (not writes), use a narrower rights value instead of FullControl:
# $rights = [System.Security.AccessControl.FileSystemRights]::Read
Step 3: Configure Targeted Auditing for High-Value Files
For specific high-value files (password databases, cryptographic keys, configuration files with credentials), configure more targeted auditing:
# Audit specific sensitive files with granular rules
# (illustrative paths; run elevated so the SACL can be written)
$sensitiveFiles = @(
    "D:\App\Config\database.config",
    "D:\App\Keys\api.key",
    "C:\inetpub\wwwroot\web.config"
)
# Audit reads, writes and deletes (success and failure) by all users.
# Files take no inheritance flags, so InheritanceFlags and PropagationFlags are None.
$ruleArgs = @(
    "Everyone",
    [System.Security.AccessControl.FileSystemRights]"ReadData, WriteData, Delete",
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]"Success, Failure"
)
foreach ($file in $sensitiveFiles) {
    if (-not (Test-Path $file)) {
        Write-Warning "Skipping missing file: $file"
        continue
    }
    $auditRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
    $acl = Get-Acl -Path $file -Audit      # read the existing SACL so it is preserved
    $acl.AddAuditRule($auditRule)
    Set-Acl -Path $file -AclObject $acl
    Write-Host "SACL configured on: $file"
}
Step 4: Verify SACLs Are Applied
# Verify SACL on a folder (-Audit is required; without it Get-Acl returns the DACL only)
$acl = Get-Acl -Path "D:\SensitiveData" -Audit
$acl.Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize
# Or one line per audit rule:
$acl.AuditToString
# Note: icacls displays the DACL only; it does not show audit entries.
# Alternative: use the Windows Security dialog
# Right-click folder → Properties → Security → Advanced → Auditing tab
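Because auditing silently produces nothing unless the policy, the SACL and the log capacity are all in place, a single check that reports all three is worth keeping on hand. The function below is an added example, not part of the original guide; it parses the machine-readable (/r) output of auditpol, reads the SACL with Get-Acl -Audit, and compares the Security log maximum against a threshold. The path and the 512 MB minimum are assumptions for illustration.

```powershell
# Added example (not from the original article): verify that the conditions file
# auditing needs are all met for a path. Path and size threshold are assumptions.

function Test-FileAuditReadiness {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int64]$MinLogBytes = 512MB
    )

    # 1. Policy: parse auditpol's CSV output (/r) instead of its localized text.
    #    Columns: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $policy  = auditpol /get /subcategory:"File System" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    $setting = $policy.'Inclusion Setting'

    # 2. SACL: -Audit is required, otherwise Get-Acl returns no audit rules at all
    $acl   = Get-Acl -Path $Path -Audit
    $rules = @($acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]))

    # 3. Log capacity: the configured maximum size of the Security log
    $log = Get-WinEvent -ListLog Security

    $policyOk = $setting -eq 'Success and Failure'
    $saclOk   = $rules.Count -gt 0
    $sizeOk   = $log.MaximumSizeInBytes -ge $MinLogBytes

    [PSCustomObject]@{
        Path             = $Path
        PolicySetting    = $setting
        PolicyOk         = $policyOk
        AuditRuleCount   = $rules.Count
        SaclOk           = $saclOk
        SecurityLogBytes = $log.MaximumSizeInBytes
        LogSizeOk        = $sizeOk
        Ready            = $policyOk -and $saclOk -and $sizeOk
    }
}

Test-FileAuditReadiness -Path "D:\SensitiveData" | Format-List
```

Run it from an elevated session; reading a SACL needs the same SeSecurityPrivilege as writing one. A result with PolicyOk true and SaclOk false is the common failure mode after a GPO-only deployment, where the policy arrived but nobody set audit rules on the data.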
Step 5: Increase Security Log Size
File system auditing generates substantial event volume on busy file servers. Increase the Security log before enabling auditing, and make sure the retention mode matches your intent: with /rt:true and /ab:false the Event Log service retains existing events and silently discards new ones once the log is full, which is the worst outcome for an audit trail.
# Set Security log to 512 MB, overwriting the oldest events when full (/rt:false)
wevtutil sl Security /ms:536870912 /rt:false
# Alternative where nothing may be overwritten: retain and auto-archive the log when it fills
# wevtutil sl Security /ms:536870912 /rt:true /ab:true
# Verify (check maxSize, retention and autoBackup in the output)
wevtutil gl Security
# For very busy file servers, consider 1 GB or more
wevtutil sl Security /ms:1073741824
Step 6: Query File System Audit Events
Understand the key event IDs generated by file system auditing:
- Event 4656 — A handle to an object was requested (file/folder opened); a Failure event here is the access-denied case
- Event 4658 — The handle to an object was closed
- Event 4660 — An object was deleted (carries no AccessMask; correlate with 4663 on HandleId to see who requested DELETE)
- Event 4663 — An attempt was made to access an object (the access type is logged in AccessMask)
# Query recent file access events under a specific directory.
# The Windows event log XPath subset has no contains(), so filter ObjectName in PowerShell.
# In a 4663 event Properties[6] is ObjectName and Properties[9] is AccessMask.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1000 |
    Where-Object { $_.Properties[6].Value -like 'D:\SensitiveData\*' } |
    Select-Object TimeCreated, Message | Format-List
# Find delete operations: 4660 records the deletion itself...
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660 } -MaxEvents 50 |
    Select-Object TimeCreated, Message
# ...and 4663 with the DELETE bit (0x10000) set in AccessMask records who requested it
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 1000 |
    Where-Object { ([int64]$_.Properties[9].Value -band 0x10000) -ne 0 } |
    Select-Object TimeCreated, Message
# Find all access by a specific user (exact match on a named field is supported in XPath)
Get-WinEvent -LogName Security -FilterXPath `
    "*[System[EventID=4663] and EventData[Data[@Name='SubjectUserName']='suspicioususer']]" `
    -MaxEvents 50 | Select-Object TimeCreated, Message
Step 7: Create Audit Reports
# Generate a report of all file accesses in the last 24 hours
$startTime = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $startTime } -ErrorAction SilentlyContinue
$report = foreach ($event in $events) {
    # Pull named fields from the event XML rather than parsing the localized Message text
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        TimeCreated = $event.TimeCreated
        UserName    = $data['SubjectUserName']
        Domain      = $data['SubjectDomainName']
        ObjectName  = $data['ObjectName']
        AccessMask  = $data['AccessMask']
        ProcessName = $data['ProcessName']
    }
}
$reportDir = "C:\AuditReports"
if (-not (Test-Path $reportDir)) { New-Item -Path $reportDir -ItemType Directory | Out-Null }
$report | Export-Csv "$reportDir\FileAccess-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Write-Host "Report saved with $(@($report).Count) events"
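The report above leaves AccessMask as the raw hex string Windows logs, and it does not answer the question an investigator actually has: did someone delete a large number of audited files in a short time? The following is an added example, not code from the original guide. It decodes the AccessMask bits of a 4663 event into right names and runs a sliding-window mass-deletion check over objects shaped like the Step 7 report rows (TimeCreated, UserName, ObjectName, AccessMask). The sample records are constructed, not real log data, and the threshold of 20 deletes in 10 minutes and the account names are assumptions.

```powershell
# Added example (not from the original article): decode 4663 AccessMask values and
# flag a user who requests DELETE on many audited files within a short window.
# Sample records below are constructed; thresholds and names are assumptions.

# File access rights as they appear in a 4663 AccessMask
$FileAccessBits = [ordered]@{
    0x1      = 'ReadData/ListDirectory'
    0x2      = 'WriteData/AddFile'
    0x4      = 'AppendData/AddSubdirectory'
    0x8      = 'ReadEA'
    0x10     = 'WriteEA'
    0x20     = 'Execute/Traverse'
    0x40     = 'DeleteChild'
    0x80     = 'ReadAttributes'
    0x100    = 'WriteAttributes'
    0x10000  = 'DELETE'
    0x20000  = 'READ_CONTROL'
    0x40000  = 'WRITE_DAC'
    0x80000  = 'WRITE_OWNER'
    0x100000 = 'SYNCHRONIZE'
}

function Get-AccessMaskValue {
    # Accepts the hex string as logged in the event XML ('0x10000') or an integer
    param([Parameter(Mandatory)]$Mask)
    if ($Mask -is [string]) { [Convert]::ToInt64($Mask, 16) } else { [int64]$Mask }
}

function ConvertFrom-AccessMask {
    # Returns the names of every right bit set in the mask, e.g. '0x120089' ->
    # 'ReadData/ListDirectory, ReadEA, ReadAttributes, READ_CONTROL, SYNCHRONIZE'
    param([Parameter(Mandatory)]$Mask)
    $value = Get-AccessMaskValue $Mask
    $names = foreach ($bit in $FileAccessBits.Keys) {
        if (($value -band $bit) -ne 0) { $FileAccessBits[$bit] }
    }
    $names -join ', '
}

function Find-MassDeletion {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 20,       # assumption: 20 or more DELETE requests...
        [int]$WindowMinutes = 10    # ...within 10 minutes is worth an alert
    )
    # Test the DELETE bit directly; a name match would also hit 'DeleteChild'
    $deletes = $Events | Where-Object { ((Get-AccessMaskValue $_.AccessMask) -band 0x10000) -ne 0 }
    foreach ($group in ($deletes | Group-Object UserName)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window anchored on each delete: count deletes up to WindowMinutes later
            $start = $sorted[$i].TimeCreated
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                [PSCustomObject]@{
                    UserName    = $group.Name
                    WindowStart = $start
                    Deletes     = $inWindow.Count
                    FirstObject = $inWindow[0].ObjectName
                }
                break   # one alert per user; leave further correlation to the SIEM
            }
        }
    }
}

# Constructed sample: 'jdoe' deletes 30 files in 5 minutes at 02:00, 'svc_backup' reads 3 files
$base = Get-Date '2024-03-01 02:00:00'
$sample = @(
    foreach ($n in 1..30) {
        [PSCustomObject]@{ TimeCreated = $base.AddSeconds(10 * $n); UserName = 'jdoe'
                           ObjectName = "D:\SensitiveData\report$n.xlsx"; AccessMask = '0x10000' }
    }
    foreach ($n in 1..3) {
        [PSCustomObject]@{ TimeCreated = $base.AddMinutes($n); UserName = 'svc_backup'
                           ObjectName = "D:\SensitiveData\report$n.xlsx"; AccessMask = '0x120089' }
    }
)

ConvertFrom-AccessMask '0x120089'                  # a typical read handle
Find-MassDeletion -Events $sample | Format-Table -AutoSize   # reports jdoe, 30 deletes
```

Against live data, pipe the `$report` objects from Step 7 into Find-MassDeletion instead of `$sample`. The decode is also useful on its own: many "write" alerts turn out to be WriteAttributes or WriteEA from backup and indexing agents, which a raw hex mask hides.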
Step 8: Configure Log Archival
# Schedule nightly Security log archival to a network share.
# The task runs as SYSTEM, so the server's computer account (DOMAIN\SERVER$) needs write
# permission on the share; do not embed user credentials in the script.
$archiveScript = @'
$date = Get-Date -Format "yyyyMMdd"
$archivePath = "\\LOGSERVER\SecurityLogs\$env:COMPUTERNAME"
if (-not (Test-Path $archivePath)) { New-Item -Path $archivePath -ItemType Directory | Out-Null }
# epl exports a copy and leaves the live log intact; use "wevtutil cl Security /bu:<file>"
# instead if the log should be cleared after each backup
wevtutil epl Security "$archivePath\Security-$date.evtx"
Write-Host "Security log archived to $archivePath\Security-$date.evtx"
'@
if (-not (Test-Path "C:\Scripts")) { New-Item -Path "C:\Scripts" -ItemType Directory | Out-Null }
$archiveScript | Out-File "C:\Scripts\Archive-SecurityLog.ps1" -Encoding ASCII
# Create scheduled task for nightly archival at 11:30 PM
$trigger  = New-ScheduledTaskTrigger -Daily -At 23:30
$action   = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NonInteractive -ExecutionPolicy Bypass -File C:\Scripts\Archive-SecurityLog.ps1"
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
Register-ScheduledTask -TaskName "Archive-SecurityLog" -Trigger $trigger -Action $action -Settings $settings -RunLevel Highest -User "SYSTEM"
Summary
File system auditing on Windows Server 2012 R2 creates a verifiable audit trail of who accessed, modified, or deleted files in sensitive directories. By enabling the File System audit subcategory, configuring SACLs on targeted high-value directories and files, increasing the Security log size to accommodate the event volume, querying events for unauthorized access patterns, and archiving logs nightly to a secure location, you have implemented a compliance-grade file access audit capability. Integrate these events with a SIEM solution for real-time alerting on suspicious access patterns such as mass file deletions or bulk access by non-service accounts outside business hours.