Exportieren (0) Drucken
Alle erweitern

Monitor the Resource Attributes on Files and Folders

Letzte Aktualisierung: August 2012

Betrifft: Windows 8, Windows Server 2012

This topic describes how to monitor changes to the resource attributes on files. If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples would be:

  • Changing files that have been marked as high business value to low business value.

  • Changing the Retention attribute of files that have been marked for retention.

  • Changing the Department attribute of files that are marked as belonging to a particular department.

This section describes how to use security auditing to monitor attempts to change these settings.

The following procedure describes how to configure monitoring of changes to resource attributes on files and folders.

To monitor changes to resource attributes on files and folders, you must have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see Dynamic Access Control: Scenario Overview.

  1. Sign in to your domain controller with domain administrator credentials.

  2. In Server Manager, point to Tools, and then click Group Policy Management.

  3. In the console tree, right-click the flexible access Group Policy Object, and then click Edit.

  4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy Configuration, double-click Policy Change, and then double-click Audit Authorization Policy Change.

  5. Select the Configure the following audit events check box, select the Success and Failure check boxes, and then click OK.

The following procedure can be used to verify that changes to resource attributes on files are being monitored.

  1. Use administrator credentials to sign in to the server that hosts the resource you want to monitor. Press the Windows key+R, and then type cmd to open a Command Prompt window.

    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  2. Type gpupdate /force, and press ENTER.

  3. Attempt to change resource properties on one or more files and folders.

  4. In Server Manager, click Tools, and then click Event Viewer.

  5. Expand Windows Logs, and then click Security.

  6. Depending on which resource attributes you attempt to change, you should look for the following events:

    • Event 4911 tracks changes to file attributes.

    • Event 4913 tracks changes to central access policies.

    Key information to look for includes the name and account domain of the principal attempting to change the resource attribute, the object that the principal is attempting to modify, and information about the changes that are being attempted.

Fanden Sie dies hilfreich?
(1500 verbleibende Zeichen)
Vielen Dank für Ihr Feedback.


© 2015 Microsoft