Tchater maintenant avec le support
Tchattez avec un ingénieur du support

Change Auditor for Windows File Servers 7.2 - User Guide

File System Protection wizard

The File System Protection wizard displays when you click Add or Edit on the File System Protection page. This wizard steps you through the process of creating a new file system protection template, identifying the files and/or folders to be included in the template.

* 
NOTE: You can also open the protection wizard from the event details pane. Simply open the Search Results tab, select an event, and click the Protect Object button.

The following table provides a description of the fields and controls in the File System Protection wizard:

 
* 
NOTE: A red flashing icon indicates that you have not yet entered the required information. Hovering your cursor over this icon displays a tool tip explaining what needs to be entered.
 
Table 3. File System Protection wizard
Create or modify a File System Protection Template page

Use the first page of the wizard to enter a name for the template and specify the file system path to be protected.

Template Name

Enter a descriptive name for the template being created.

Path

Enter or use the browse button to specify the file system path to be protected.

After entering or selecting the files system path to be protected, click the Add button to add it to the File System Path list.

NOTE: This must be a local path. Auditing and/or protecting network shares is not supported. To audit or protect those files/folders, an agent must be deployed on the share's hosting server.

Selecting the browse button displays the Browse For Folder dialog allowing you to browse for and select the file system path which is to be protected by Change Auditor.

File System Path list

The file system paths selected for protection are displayed in the list box located in the middle of the page. Use the buttons to the right of the Path field to add and remove file system paths.
Add - Click to move the entry in the Path text box to the File System Path list.
Remove - Select an entry in the File System Path list and click Remove to remove it.
Subfolders

By default, protection will include the subfolders in the selected file system path. However, if you want to exclude subfolders from protection, click the arrow control in the Subfolders cell and click No.

Protect

By default, the specified file system path will be protected. However, to exclude the selected file system path from protection, click the arrow control in the Protect cell and click No.

Applies To

By default, protection will be applied to both files and folders in the selected file system path. To protect just files, folders or shares, click the arrow control in the Applies To cell and select one of the following options:
Files
Folders
Files and Folders (default)
Shares
File Mask

If applicable, this cell displays the file mask, which is used to protect a group of files, as specified at the bottom of the page.

Protection Type

By default, protection will prevent ‘all’ operations from occurring. However, to protect against specific operations, click the arrow control in the Protection Type cell and select one or more of the following operations:
[All] (default)
Read
Write
Create
Delete
Rename
Move
Dacl Change
Owner Change
Sacl Change
Attribute Change
CAP Change
Classification Change
NOTE: File classifications are modified by a system process on behalf of a user; therefore, a system/machine account may not be captured for the ‘who’ for file classification changes. As a result, classification operations specified in a File System Protection template may not be affected by the ‘Allow/Deny’ accounts specified on the next page of the protection wizard.

File Mask

Use this field to optionally specify a file mask to protect a group of files. You can use any combination of ? or * wildcard characters.

Once you have specified a file mask, click Add to add it to the list at the bottom of the page and the File Masks cell in the File System Path list (middle of the page).

File Masks list

The list box at the bottom of the page lists the file masks specified for this protection template. Use the buttons to the right of the File Mask field to add and remove masks.
Add - Click to move the entry in the text box to the File Masks list.
Remove - Select an entry in the File Masks list and click Remove to remove it
(Optional) Select Accounts Allowed (Not allowed) to Access Protected Objects page

Use this page to optionally specify user and group accounts that are authorized to make changes to the specified protected objects.

Allow

The Allow option is selected by default indicating that the accounts selected on this page will be the only accounts allowed to make changes to the protected objects.

Use the Browse or Search page to select the user or group accounts.

Deny

Select the Deny option if you would like to allow all users and groups to change the protected objects EXCEPT for those selected on this page.

Use the Browse or Search page to select the user or group accounts.

 

Browse page

Displays a hierarchical view of the containers in your environment allowing you to locate and select the users or groups that will be allowed (not allowed) to change the protected objects.

Once you have selected an account, use Add to add it to the list at the bottom of the page.

Search page

Use the controls at the top of the Search page to search your environment to locate the users or groups that will be allowed (not allowed) to change the protected objects.

Once you have selected an account, use Add to add it to the list at the bottom of the page.

Options page

Use the Options page to modify the search options used to retrieve directory objects.

Override Account list

The list box across the bottom of the page displays the user and group accounts that are allowed (not allowed) to change the protected objects selected on the previous page of the wizard. Use the buttons located above this list box to add and remove accounts.
Add - Select an account in the Browse or Search page and click Add to add it to the Override Account list.
Remove - Select an account in the Override Account list and click Remove to remove it.
(Optional) Schedule when protection is enabled

 

You can either select to have the protection always run or have it run only during specific times.

To enable the protection only during specific times, select the Protection is scheduled option, and define when it should be enabled (hour blocks on a weekly basis).The times selected are the local agent time where the template is applied.

NOTE: If you have denied specific users or groups the ability to change the protected objects and you have enabled a protection schedule, those users or groups will be denied access ONLY during this time. Anytime outside of when the schedule is set to enabled, these denied accounts WILL be able to access the protected object.

When the schedule is disabled, ALL options are disabled with it, including any denied access to the specified users.

The scheduling options override all other protection settings.

(Optional) Enable or disable protection for specific location

Control when the protection is enabled based on the location. Location refers to the computer that is attempting to access the resource that is protected. Select from the following options:
Protect access from all locations: Protection is always enabled regardless of the location.
Protect access only from select locations: Protection is only enabled for the locations specified in the list box.
Allow access only from select locations: Protection is disabled for the select locations. Enabled everywhere else.
Protect access from all unknown locations: All file system requests from locations that cannot be determined by the agent will be protected.
NOTE: If you have denied specific users or groups access to protected objects, but you have specified locations that CAN access the protected object, the denied user or group WILL be able to access the protected objects from these locations.

The location options override all other protection settings.

File System Events

The following events can be selected for auditing from the Events tab on the File System Auditing wizard. The events listed on the Events tab is based on the file/folder specified in the Audit Path and the coverage specified in the Scope cell.

File Events
Failed file access (NTFS permissions)
Failed file access (Change Auditor Protection)
File access rights changed
File attribute changed
File auditing changed
File central access policy changed (Windows Server 2012)
File classification changed (Windows Server 2012)
File created
File deleted
File last write changed
File moved
File opened
* 
NOTE: This event is not available when This object and all child objects is selected in the Scope cell.
File ownership changed
File renamed
 
Folder Events
Failed folder access (NTFS permissions)
Failed folder access (Change Auditor Protection)
Failed share access (NTFS permissions)
* 
NOTE: The Failed share access (NTFS) event monitors changes made to a share’s properties (such as share permissions and comments). It does NOT monitor failed access to a share from a remote computer. So if a user tries to read or change a share’s property, the event will be triggered.

The Failed share access (Change Auditor Protection) event works similarly. Once you have the share protected, only attempts to change a share's property will generate the 'failed share access' event; not attempts to access the share itself.
Failed share access (Change Auditor Protection)
Folder access rights changed
Folder attribute changed
Folder auditing changed
Folder central access policy changed (Windows Server 2012)
Folder classification changed (Windows Server 2012)
Folder created
Folder deleted
Folder moved
Folder opened
* 
NOTE: This event is not available when This object and all child objects is selected in the Scope cell.
Folder ownership changed
Folder renamed
Junction point created
Junction point deleted
Local share added
Local share folder path changed
Local share permissions changed
Local share removed
* 
NOTE: The following File System events are not listed on the Events page of the File System Auditing wizard because they are always captured when you have applied a Change Auditor for Windows File Servers license:
Shadow Copy created
Shadow Copy deleted
Shadow Copy rolled back
Transaction Status changed

File/Folder Inclusion and Exclusion Examples

This appendix provides sample entries for the Inclusions and Exclusions tabs on the auditing wizard. It does not list every combination available, but provides a variety of examples to help you understand how to use the wildcard characters allowed on these two tabs.

The Inclusions and Exclusions tabs only appear when the Folder or All Drives option is selected in the Audit Path field and the Scope includes child objects. Use these two tabs as described below:
Inclusions tab - enter a file mask to specify what is to be audited.
Exclusions tab - optionally enter a file mask (or path) to specify subfolders and files in the selected audit path that are to be excluded from auditing.

Inclusions tab

You must enter a file mask on the Inclusions tab to specify what is to be audited in the selected audit path. Use the following characters to specify a file mask on the Inclusions tab:
Fixed characters such as letters, numbers and other characters that are allowed in file names.
An asterisk (*) wildcard character to substitute zero or more characters.
Question mark (?) wildcard character to substitute a single character.
* 
NOTE: For file system auditing, the slash characters (\) and double asterisks (**) are not allowed in file masks; therefore, to include a specific folder (or share), use the Audit Path field at the top of the page to specify the folder (or share) to be audited and enter an * on the Inclusions tab.
Examples:

The following table provides some examples of file masks that can be used on the Inclusions tab of the auditing wizard. Note that <String> in this table may contain any of the file mask characters described above (i.e., fixed characters, * or ?).

Table 4. Inclusion examples
What to include in audit:
Inclusion syntax/examples:

Include all files located anywhere in the audit path.

NOTE: This is the most commonly used file mask.

Inclusion Syntax: *

Include all files with a specific file name regardless of its file extension.

Inclusion Syntax: <FileName>.*

Example: Name.*

Includes:
Name.txt
Name.docx
Name.pdf

Include all files with a specific file extension.

Inclusion Syntax: <FileNameString>.<Ext>

Example 1: *.tmp

Includes:
Files with a file extension of .tmp.

Name.tmp
Testing.tmp

Example 2: ???*.doc

Includes:
Files whose name contains at least three characters with a file extension of .doc.

MyTest.doc
Testing123.doc
123.doc

Example 3: ???test.doc

Includes:
Files whose name contains seven characters and ends in ‘test’ with a file extension of .doc.

ABCtest.doc
123test.doc

Include all files with a specific file name that has a file extension of a specific length (number of characters).

Inclusion Syntax: <FileName>.<ExtString>

Example 1: Name.???

Includes:
Name.txt
Name.tmp
Name.pdf

Example 2: Name.????

Includes:
Name.docx
Name.xlsx

Include all files that contain a specific string in their name and/or file extension.

Inclusion Syntax: <FileNameString>.<ExtString>

Example: *name.??p

Includes:
Files whose name end with ‘name’ with a three character file extension that ends in the letter ‘p’.

Myname.tmp
Name.bmp

 

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation