What is Audit Detailed File Share
When enabled, the Windows security setting audit detailed file share keeps a detailed record of every time someone tries to access a shared file or folder on either the user’s computer or network.
Normal vs detailed audit
When a regular audit is configured, it logs only a singular event – which user or client is establishing a connection to which shared file or folder.
A detailed audit records additional information about who is accessing the shared files and folders. This information includes what actions are taken inside the folders such as reads, writes and deleting of information and when it was done. Additionally, more information about the individual users is recorded such as permissions and whether or not access to the files was granted or not.
Why use detailed auditing
The additional information collected when conducting detailed audits can help administrators see exactly what is happening with shared resources. For some industries auditing is required by regulations in order to be compliant.
The logs generated through auditing can be converted to reports, which can then be used to help identify patterns of access and spot anomalies as well as potential security threats.
The additional information collected using detailed auditing enhances the company’s security posture, by allowing administrators to monitor, review, and respond to file share activities more thoroughly. The detailed information can also help when troubleshooting problems, having more information to understand and solve problems.
Things to consider when auditing
Auditing detailed file share is a powerful tool that can provide detailed valuable information when it comes to identifying and investigating intrusion attempts and security incidents, however it comes at a cost.
If not configured correctly, not enough, too much information, or the wrong information may be recorded. When not set severe enough, not enough information or the wrong information recorded, resulting in wasted time and will not provide any additional help during a security incident.
When not set severe enough, too much information can be logged, resulting in heavy logs, which can consume system resources and potentially slow the performance of the system. On top of this, vital information can be buried within the bloated logs and patterns hidden further hindering and overwhelming administrators.
How to change audit detailed file share settings
To establish the recommended configuration via GP, set the following UI path to include Failure:
Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Detailed File Share |
Event volume
- High on file servers.
- High on domain controllers because of SYSVOL network access required by Group Policy.
- Low on member servers and workstations.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to high volume of events, especially for SYSVOL share.
We recommend monitoring Failure access attempts: the volume shouldn’t be high. You will be able to see who wasn’t able to get access to a file or folder on a network share on a computer. |
Member Server | IF | Yes | IF | Yes | IF - If a server has shared network folders that typically get many access requests (File Server, for example), the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client's IP address.
The volume of Failure events for member servers shouldn’t be high (if they aren’t File Servers). With Failure auditing, you can see who can’t access a file or folder on a network share on this computer. |
Workstation | IF | Yes | IF | Yes | IF - If a workstation has shared network folders that typically get many access requests, the volume of events might be high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the client's IP address.
The volume of Failure events for workstations shouldn’t be high. With Failure auditing, you can see who can’t access a file or folder on a network share on this computer. |
Example of recorded event
Event ID | Event message |
5145 | A network share object was checked to see whether the client can be granted desired access. |
Default value
No Auditing.
Recommended setting
The recommended state for this setting is to include: Failure
Best practices for audit detailed file share settings
Correctly configuring audit detailed file share settings is a valuable security practice. The setting strengthens the overall security posture by providing a detailed record of file access attempts. This can help identify potential vulnerabilities and investigate security incidents more effectively.
Another way to help effectively secure a system is by using server hardening. Server hardening improves security by reducing vulnerabilities and attack surfaces. It involves applying patches, disabling unnecessary services, and enforcing strict access controls. Benefits include enhanced protection against cyber threats, improved data security, and increased system stability, ensuring a more robust and reliable IT infrastructure.