how to tell if a file/folder has been accessed?

Status
Not open for further replies.

sman26

Vendor
Jan 13, 2005
36
US
I am running Server 2003 with AD. It is also acting as a file server. How can I tell if someone is accessing a file or folder they are not supposed to be? I know I can lock users to certain areas with NTFS and Share permissions, but say permissions were wide open and I had a folder named "RESEARCH" on the File Server. Is this something I would do through a GPO? If so, which GPO would I use, and would I be sent a log file if they tried to open or copy the RESEARCH folder?
Still learning.
Thank you.
 
Why would you not simply use the tools you have to lock down the folder only to those that are allowed access?

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Okay...say the folders are locked down and I want to know if someone has been trying to access the folder but couldn't. How do I set that up?
 
Turn up your security logging to show access denied.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
Davetoo,

Please direct where I need to go and how to set up security logging.
 
On top of setting the local/group policy for auditing object access, right click on your folder->select Properties->Security->Click on the Advanced Button->Click on the Auditing Tab->From there you can select what types of access should be audited for a particular folder/file
 
Thanks itsp1965...it's nice to get some help.

1) Your first part "on top of setting the local/group policy for auditing object access"
I will be using Group Policy Mgmt console on Server 2003. Where in that can I choose to set up auditing of an object?


2) On this same server, which is the file server where the folder is located, I'm trying to tell if someone has tried to access the data. I did as you said and right clicked on the folder->select Properties->Security->Click on the Advanced Button->Click on the Auditing Tab-> is this where I can ADD things like "audit the folder to see if it has been clicked on but access denied or folder clicked on and was able to get in, etc?"
 
See...it's better to teach them to fish rather than give them fish...

I'll let you feed this one itsp1965.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.
 
On z/OS mainframes, the RACF security database can be set up in Warn mode, which logs unauthorized access attempts but doesn't block them (to use when first implementing new security settings, but you're not 100% sure who currently needs access to what). Is there a similar concept in Windows?
 
Sman, in this case I am going to side with Davetoo. I have given you the basic overview of what needs to be done; please do a little research. If you don't know where the auditing of object access resides, look through the options in GPMC; it should be fairly obvious.

As for the statement:
I did as you said and right clicked on the folder->select Properties->Security->Click on the Advanced Button->Click on the Auditing Tab-> is this where I can ADD things like "audit the folder to see if it has been clicked on but access denied or folder clicked on and was able to get in, etc?"

This is where you set what needs to be audited. Take a look at the settings and choose what you need audited and for whom.
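
The two steps described in this thread (the object access audit policy plus an audit entry on the folder), scripted as an added example that is not from any poster. The folder path, the audited group and the seven-day window are assumptions; it goes beyond Server 2003 by also matching event ID 4656, the Server 2008 and later equivalent of event ID 560.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the file server.
# Precondition: the "Audit object access" audit policy is enabled for Success and
# Failure on this server; without it the folder's audit entries log nothing.
$Folder   = 'D:\Shares\RESEARCH'   # assumed path
$Identity = 'Everyone'             # assumed: audit every account
$Days     = 7                      # assumed look-back window

# Step 1: add an audit entry (SACL) to the folder, inherited by subfolders and files.
# It records both successful and denied attempts to list/read, write or delete.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$audit   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $Identity, $rights, $inherit, $prop, $audit

$acl = Get-Acl -Path $Folder -Audit      # -Audit is required to read the SACL
$acl.AddAuditRule($rule)                 # keeps any audit entries already present
Set-Acl -Path $Folder -AclObject $acl

# Step 2: list denied attempts on anything under the folder.
# 560 = object open on Server 2003; 4656 = the same event on Server 2008 and later.
Get-EventLog -LogName Security -InstanceId 560, 4656 -EntryType FailureAudit `
        -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Folder*" } |
    Select-Object TimeGenerated, InstanceId, Message |
    Format-List
```

Changing `-EntryType` to `SuccessAudit` lists the accesses that were allowed, which on a busy share produces far more events, so size the Security log accordingly.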
 