File server auditing is an essential process, and inattention can cost your organization heavily, both in terms of business impact, and governmental financial penalties.

Imagine this scenario: A professor at a university unscrupulously accesses several critical files that contain breakthrough research in the field of microelectronics. Using this purloined data, the professor launches a company of his own to deceitfully leverage these business secrets. A file server auditing solution would have shielded the university from the grave repercussions of this intellectual property theft.

Here are the five key components a file server auditing solution must monitor at all times to help secure your most sensitive data:

1. Current state of access permissions: It is imperative that you follow a policy of least privilege, and the Zero Trust security model when managing privileged access. Access permissions to shared files and folders should only be given to users who require them to perform their job. At any time, you should have the ability to verify if users have excess privileges, and revoke access if necessary.

2. Change in access permissions: In case any user’s access permission changes, you need to be instantly alerted. It might also be necessary for you to analyze past audit trails when performing a forensic analysis. This becomes especially important if a data breach has occurred, and the root cause of the breach needs to be investigated.

3. File and folder activities: There are several file and folder activities that you need to monitor. These can include, but are not limited to:

    • Files created

    • Files modified

    • Files deleted

    • Files moved

    • Files renamed

    • Files copied and pasted

    • Failed attempts to read a file

    • Failed attempts to write to a file

    • Failed attempts to delete files

4. Change in audit settings: In addition to monitoring file and folder accesses, and change in permissions, you should also monitor changes to audit settings, or the system access control list (SACL). The SACL specifies the types of activities that generate audit records. An attacker might try to hide their tracks by making changes to the SACL and, if successful, subsequent file and folder activities might not get logged. However, with effective file server auditing, this activity can also be tracked.

5. File integrity monitoring (FIM): While file server auditing involves monitoring accesses and changes to files and folders on a network share, FIM involves checking important operating system files, utility programs, and databases that can exist on domain controllers, member servers, or even workstations. FIM validates files by comparing the latest versions to trusted versions of these files; it then identifies unexpected and unauthorized changes to verify if the file has been modified. This is usually accomplished by monitoring a hash representation of the file.

As an IT security administrator, you need to ensure that every vulnerable loophole that attackers can exploit is plugged. Even if it takes you some time to implement these five points, it will be time well spent.