How Best to Configure Audit Detailed File Share

By Ben Balkin

August 21st, 2024

When enabled, the Windows security setting audit detailed file share keeps a detailed record of every time someone tries to access a shared file or folder on either the user’s computer or network.

Normal vs detailed audit

When a regular audit is configured, it logs only a singular event – which user or client is establishing a connection to which shared file or folder.

A detailed audit records additional information about who is accessing the shared files and folders. This information includes what actions are taken inside the folders such as reads, writes and deleting of information and when it was done. Additionally, more information about the individual users is recorded such as permissions and whether or not access to the files was granted or not.

Why use detailed auditing

The additional information collected when conducting detailed audits can help administrators see exactly what is happening with shared resources. For some industries auditing is required by regulations in order to be compliant.

The logs generated through auditing can be converted to reports, which can then be used to help identify patterns of access and spot anomalies as well as potential security threats.

The additional information collected using detailed auditing enhances the company’s security posture, by allowing administrators to monitor, review, and respond to file share activities more thoroughly. The detailed information can also help when troubleshooting problems, having more information to understand and solve problems.

Things to consider when auditing

Auditing detailed file share is a powerful tool that can provide detailed valuable information when it comes to identifying and investigating intrusion attempts and security incidents, however it comes at a cost.

If not configured correctly, not enough, too much information, or the wrong information may be recorded. When not set severe enough, not enough information or the wrong information recorded, resulting in wasted time and will not provide any additional help during a security incident.

When not set severe enough, too much information can be logged, resulting in heavy logs, which can consume system resources and potentially slow the performance of the system. On top of this, vital information can be buried within the bloated logs and patterns hidden further hindering and overwhelming administrators.

To establish the recommended configuration via GP, set the following UI path to include Failure:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share

Event volume

High on file servers.

High on domain controllers because of SYSVOL network access required by Group Policy.

Low on member servers and workstations.

Computer Type	General Success	General Failure	Stronger Success	Stronger Failure	Comments
Domain Controller	No	Yes	No	Yes	Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share. We recommend monitoring Failure access attempts: the volume shouldn’t be high. You will be able to see who wasn’t able to get access to a file or folder on a network share on a computer.
Member Server	IF	Yes	IF	Yes	IF - If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client's IP address. The volume of Failure events for member servers shouldn’t be high (if they aren’t File Servers). With Failure auditing, you can see who can’t access a file or folder on a network share on this computer.
Workstation	IF	Yes	IF	Yes	IF - If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client's IP address. The volume of Failure events for workstations shouldn’t be high. With Failure auditing, you can see who can’t access a file or folder on a network share on this computer.

Example of recorded event

Event ID	Event message
5145	A network share object was checked to see whether the client can be granted desired access.

Default value

No Auditing.

Recommended setting

The recommended state for this setting is to include: Failure

Correctly configuring audit detailed file share settings is a valuable security practice. The setting strengthens the overall security posture by providing a detailed record of file access attempts. This can help identify potential vulnerabilities and investigate security incidents more effectively.

Another way to help effectively secure a system is by using server hardening. Server hardening improves security by reducing vulnerabilities and attack surfaces. It involves applying patches, disabling unnecessary services, and enforcing strict access controls. Benefits include enhanced protection against cyber threats, improved data security, and increased system stability, ensuring a more robust and reliable IT infrastructure.

Experience a personalized demo

See how automated policy enforcement enables continuous compliance

Free Demo

Watch Video

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

How Best to Configure Audit Detailed File Share

Normal vs detailed audit

Why use detailed auditing