How to Monitor Folder Permission Changes

Procmon or File System Auditing

Procmon

Using Procmon, you want to set filters for the following:

  1. Operation: filter for SetSecurityFile (use the “is” condition). This will show you any event in which an ACL is modified on a file or directory.
  2. Path: set this to the path of your temp folder. If your path is c:\path\to\temp, enter exactly that. Again use the “is” condition; use the “begins with” condition instead if you also want to see ACL changes to subfolders.

If this needs to be long-running, you most likely want to enable the “Drop Filtered Events” option on the Tools menu.

The benefit of using Procmon is that it is simple to download and run with little preconfiguration; the drawback is that it must be kept running at all times to catch the change.

File System Auditing

To use auditing, you’ll need to do the following:

  1. In the local policy (or applicable GPO) of the computer, enable Success audits via one of the following:
    • Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Audit Policy | Audit Object Access
    • Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | Object Access | Audit File System
  2. Enable auditing on your directory by right-clicking the directory in Windows Explorer and selecting Properties | Security | Advanced | Auditing | Edit... | Add.... Next, enter Everyone as the security principal to audit. Finally, check the “Successful” box for “Change permissions”.
  3. In the Security event log, look for event 4663 or 4670.
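The same three steps done from an elevated PowerShell session, plus a query that pulls the resulting 4670 events for the folder out of the Security log. This is an added example, not code from the original post; `$TempDir` and the `Get-PermissionChangeEvents` function name are assumptions.

```powershell
# Added example: automate the auditing procedure above. $TempDir is an assumed placeholder.
$TempDir = 'C:\path\to\temp'

# Step 1: enable Success audits for the "File System" subcategory (Advanced Audit Policy).
# If a GPO already sets this, skip it; a local auditpol change may be overwritten by policy.
auditpol.exe /set /subcategory:"File System" /success:enable

# Step 2: add a SACL entry that audits successful "Change permissions" by Everyone,
# inherited by subfolders and files so changes deeper in the tree are caught too.
$acl  = Get-Acl -Path $TempDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $TempDir -AclObject $acl

# Step 3: read 4670 ("Permissions on an object were changed") events from the Security log
# and keep only those under the audited path. OldSd/NewSd hold the SDDL before and after,
# so you can diff exactly which ACE was added or removed and by which process.
function Get-PermissionChangeEvents {
    param([string]$Path, [int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Named EventData fields are easiest to reach through the event's XML form.
        $data = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Process = $data.ProcessName
                Object  = $data.ObjectName
                OldSd   = $data.OldSd
                NewSd   = $data.NewSd
            }
        }
    }
}

Get-PermissionChangeEvents -Path $TempDir | Format-List
```

Unlike Procmon, the SACL entry persists across reboots and keeps recording while nobody is watching; the events just wait in the Security log until you query them.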

Thanks to: http://superuser.com/users/119164/charleswj81
