3

Is there a way to monitor all read and write operations on a directory and its files in SBS 2011 (Windows Server 2008 R2)?

codewario
  • 548
  • 3
  • 16
  • 36

2 Answers2

3

The SysInternals Process Monitor tool is able to log all disk access.

Getting any useful information out of this requires that you know what you're be looking for, though. The raw access log is somewhat of a firehose. :)

EEAA
  • 109,363
  • 18
  • 175
  • 245
  • I'm about to check it out in a few minutes, but will it allow me to specify a directory to watch? – codewario Jul 06 '11 at 17:41
  • It's been a while since I've used it, but I belive you can set filters on the log, so you'd be able to filter out the results to just what you're looking for. – EEAA Jul 06 '11 at 17:43
  • Played around with the filter, now it seems to be showing me exactly what I need it to. Anyone who gets in this folder now is toast :) – codewario Jul 06 '11 at 17:48
3

You can also use the built-in Access Auditing group policy settings on Server 2008 ( http://technet.microsoft.com/en-us/library/dd772630(WS.10).aspx ).

In the Group Policy editor, go to Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policies - Local Group Policy Object | Object Access and enable Audit File System events (Success and Failure).

Then browse to the folder you want to monitor with Windows Explorer, Properties - Security - Advanced - Auditing and add Everyone \ Full to monitor all access.

Any attempt to access the specified folder will result in Security Event Log messsages like this:

An attempt was made to access an object.

Subject:
    Security ID:    YOURDOMAIN\USERID
    Account Name:   USERID
    Account Domain: YOURDOMAIN
    Logon ID:       0x5057c

Object:
    Object Server:  Security
    Object Type:    File
    Object Name:    C:\temp\share
    Handle ID:  0xbf8

Process Information:
    Process ID: 0x12fc
    Process Name:   C:\Windows\explorer.exe

Access Request Information:
    Accesses:   READ_CONTROL

    Access Mask:    0x20000

You could go as far as automating alerts by attaching a task to the specific event in the Event Viewer to send an email, launch a program, etc when the event occurs.

Dave
  • 241
  • 2
  • 3
  • This seems like a much more robust solution, especially since Process Monitor won't show anything if the server reboots for any reason. – codewario Jul 07 '11 at 13:45