Windows Fileserver Audit - PA-FileSight - Netwrix


Stril

Member
Sep 26, 2017
Hi!

I constantly have problems with users moving or deleting files (to which they NEED write access) on a Windows file server.

Now I want a solution that audits these actions and lets me assign tasks like:
- Mail-alert
- Add user to group "Deny-All"
- etc.

I also want to assign actions to "mass deletions".


What I found are three software solutions:
- PA File Sight
- Netwrix (unknown pricing)
- IS Decisions FileAudit

Do you use one of these or other solutions? Can you recommend anything?

Thank you
Stril

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
As far as commercial products go I've only ever used Varonis myself, but no matter how badly behaved your users are I'd be very wary of automatically adding users into a deny ACL. If you do it by group, it generally won't take effect until a new session is started, and if you do it by manipulating ACLs directly... well, you'll want to make sure that process works reliably 100% of the time.

Outside of the commercial products, we eventually wrote a PowerShell script that pulled event traces directly from the event log and processed them into a deletion report; this was faster to run on an ad-hoc basis than futzing about waiting for Varonis to play catch-up with the file servers. It'd also catch the moves/accidental drag'n'drop "deletions". From a quick search to refresh my memory this is Event ID 4660 and 4663 in the Security log. We scheduled this every 6 hrs on each of our main file servers so that 2nd and 3rd line would have near-instant access to a list of the files that had been recently deleted instead of having to kick incident tickets over to the forensic team, saving a crapton of escalation and reducing the time taken to pin blame and fix the issue considerably.
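The 4660/4663 correlation EffrafaxOfWug describes, written out as an added example (this is not the script from the post, nor any vendor's code). It assumes "Audit File System" success auditing is enabled on the server and that the shared folders carry a SACL auditing Delete / Delete subfolders and files; the look-back window, the mass-deletion threshold and the report path are assumptions chosen for illustration. Event 4660 ("An object was deleted") does not carry the object name, so the script keys each 4660 back to the 4663 that opened the same handle with DELETE access in the same process, which is where the file name comes from. Opens with DELETE access that never get a 4660 are reported separately, since that is what a rename or a drag'n'drop move inside the same volume looks like.

```powershell
# Added example: deletion/move report from Security log events 4660 + 4663.
# Prerequisites (run once on the file server, as admin):
#   auditpol /set /subcategory:"File System" /success:enable
#   plus a SACL on the shared folders auditing Delete and "Delete subfolders and files".
param(
    [int]$Hours = 6,                                         # look-back window (matches the 6-hourly schedule)
    [int]$MassDeleteThreshold = 50,                          # assumption: this many deletes per user per window = "mass deletion"
    [string]$Report = "$env:ProgramData\DeletionReport.csv"  # assumption: where 2nd/3rd line pick the report up
)

$DELETE = 0x10000   # the DELETE bit in the AccessMask field of event 4663

# Flatten <EventData><Data Name="...">value</Data> of a Security event into a hashtable.
function Get-EventFields {
    param($Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $since } `
              -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$openHandles = @{}   # "ProcessId|HandleId" -> 4663 fields for handles opened with DELETE access
$rows = New-Object System.Collections.Generic.List[object]

foreach ($e in $events) {
    $f   = Get-EventFields $e
    $key = "$($f['ProcessId'])|$($f['HandleId'])"
    switch ($e.Id) {
        4663 {
            # Only handles opened with DELETE access can end in a 4660; ignore plain reads/writes.
            if (([int]$f['AccessMask']) -band $DELETE) {
                $openHandles[$key] = @{ Time = $e.TimeCreated; Fields = $f }
            }
        }
        4660 {
            if ($openHandles.ContainsKey($key)) {
                $open = $openHandles[$key]
                $rows.Add([pscustomobject]@{
                    Time    = $e.TimeCreated
                    User    = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                    Action  = 'Deleted'
                    Object  = $open.Fields['ObjectName']
                    Process = $f['ProcessName']
                })
                $openHandles.Remove($key)
            }
        }
    }
}

# DELETE-access opens with no matching 4660: renames and same-volume moves look like this.
foreach ($open in $openHandles.Values) {
    $f = $open.Fields
    $rows.Add([pscustomobject]@{
        Time    = $open.Time
        User    = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        Action  = 'DeleteAccess (rename/move, no 4660)'
        Object  = $f['ObjectName']
        Process = $f['ProcessName']
    })
}

$rows | Sort-Object Time | Export-Csv -Path $Report -NoTypeInformation

# Mass-deletion check: one warning per user over the threshold; hook a mail alert here if wanted.
$rows | Where-Object Action -eq 'Deleted' | Group-Object User |
    Where-Object Count -ge $MassDeleteThreshold |
    ForEach-Object { Write-Warning "$($_.Name) deleted $($_.Count) objects in the last $Hours h (see $Report)" }
```

Run it from a scheduled task on each file server; the Security log must not have rolled over within the window, so size it accordingly. The handle key includes the process ID because handle values are only unique within a process, and two processes can reuse the same handle number.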

Evan

Well-Known Member
Jan 6, 2016
Do they only need to create and modify files, and not delete? You can control this via ACLs, maybe, if it's a smaller environment.

Otherwise, snapshots for fast recovery and user training.

Stril

Member
Sep 26, 2017
Thank you for your answer. There is one thing I do not agree with:
If I add a user to a group, the permissions on shares change without a reboot/new session.

EffrafaxOfWug

Radioactive Member
Feb 12, 2015
Never seen that behaviour myself unless you go to some fairly esoteric measures to flush and refresh the TGT (which requires client-side admin privs so won't be usable by >90% of most users); otherwise windows will only enumerate group membership on login.
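A way to check which side of the disagreement above applies in a given session, as an added example that is not code from either poster: the groups an ACL check is evaluated against are the ones in the logon token, so the script compares the token's group SIDs with the account's current direct memberships read from the directory. It assumes a domain-joined client (ADSI lookups need a reachable domain controller) and the function names are chosen here. A group the directory lists but the token lacks is one this logon session will not be evaluated against until a new token is built; memberOf holds only direct memberships while the token also contains nested and well-known groups, so the comparison is deliberately one-sided.

```powershell
# Added example: groups in the current logon token vs. direct group memberships in AD.
# Assumes a domain-joined client; names below (functions, parameter) are assumptions.

# SIDs of every group in the token of the process running this script (what access checks use).
function Get-TokenGroupSids {
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
}

# SIDs of the groups the directory currently lists the account as a direct member of.
function Get-DirectoryGroupSids {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [ADSISearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $user = $searcher.FindOne()
    if (-not $user) { throw "Account '$SamAccountName' not found in the directory" }
    foreach ($dn in $user.Properties['memberof']) {
        $group = [ADSI]"LDAP://$dn"
        (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$group.objectSid.Value, 0)).Value
    }
}

# Direct memberships the directory knows about that this session's token does not carry.
function Get-StaleGroupSids {
    $dir   = @(Get-DirectoryGroupSids)
    $token = @(Get-TokenGroupSids)
    $dir | Where-Object { $token -notcontains $_ }
}

$stale = @(Get-StaleGroupSids)
if ($stale.Count -eq 0) {
    Write-Host "Token matches the directory: every direct membership is present in this logon session."
} else {
    Write-Host "Memberships the directory has but this session's token lacks:"
    foreach ($sid in $stale) {
        # Translate to DOMAIN\Name where the client can resolve it; fall back to the raw SID.
        try { (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
}
```

Run it in the user's own session right after the group change; rerun it after whatever refresh step is under test (new logon, reconnecting the share, or purging tickets) and the list shrinks when the new token picks the membership up.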