Monday, March 28, 2011

cHECK oUT Microsoft’s Audit Object Access Policy for Forensic Evidence!

Let's say client XYZ maintains sensitive budget information within a select folder on one particular Windows fileserver. When originally created, the folder was restricted to specific AD users. At some point, everyone was granted access to the folder. Is there any available trail of activity in Windows to tell who accessed what and when?!?!

YES (if it's turned on)... !!!!!

I learned today that Microsoft’s audit object access policy handles auditing access to all objects outside AD. It is disabled by default, but IF enabled you can audit access to almost any kind of Windows object including files, folders, registry keys, printers, and services.

Pretty cool. I see this as a useful source of information for many investigations so I thought I would share.

If it's not turned on, I believe enabling Audit Object Access either within GPO or the local server policy should do the trick. Please note that depending on how many files/folders you have this auditing, disk space may be an issue. You really need a SIEM to go alongside this to parse and alert on anomalies if you want to use this as a true real-time investigate tool.