Product: IS Decisions FileAudit 5.0
There’s hardly a day that goes by that I don’t hear about an organization that has suffered a security breach and an attacker has accessed their sensitive information. Targeted attacks are becoming more frequent, and more successful, and this poses a serious challenge for security administrators everywhere. An increasingly mobile workforce and an explosion of devices and platforms that users require access from further complicate the situation. Defense tactics are rapidly changing, and many organizations are now operating on an “assumed breach” model, whereby they assume they have been compromised and focus their energy and efforts toward identifying malicious activity on their network. In fact, one report I read recently stated that the mean time to discovery of unauthorized access was, on average, more than 200 days. Assuming you’ve been breached and trying to detect it is probably a good stance to take.
The real challenge here is that attackers are highly effective at gaining authorized access to resources through the use of intricate phishing campaigns and social engineering. For security administrators, it can be a daunting task trying to identify suspicious activity and data access when the adversary has valid, authorized credentials. It then becomes critical to monitor all access to sensitive data, not only unauthorized access but authorized access as well. Attackers are after data, and they must access it before they can extract it. Visibility is key here, and the operating system’s native tools are inefficient and don’t scale well. Here, FileAudit 5 can help tremendously.
Overview of FileAudit 5
FileAudit 5 is a software platform that greatly simplifies file and folder access auditing on Windows servers. It is agentless and leverages existing Windows platform technologies to create a real-time monitoring and alerting solution for sensitive data. In addition to tracking authorized and unauthorized access for monitored folders and files, FileAudit provides intelligent alerting and granular control over monitoring with a modern, intuitive management console.
New features in FileAudit 5 include support for monitoring mass file access, which is excellent for detecting potential data exfiltration after a successful breach. It also includes the ability to now track the source IP address of folder and file requests made remotely, which will help tremendously during a forensic investigation. In addition, alerts can be configured to monitor folders and files being accessed at irregular times, which is another common sign of potentially malicious activity.
Installing FileAudit 5 could not be any easier. Simply copy the installation file to the server or workstation and run the setup. To install all of the components on the same system, select the Complete setup type. If you wish to install only specific FileAudit components, choose Custom.
For demonstration purposes I’ve chosen to install all FileAudit components on the same system. However, it might be desirable (and in my personal view, recommended) that only the FileAudit service be installed on a server machine, and the management console and documentation be installed on a management workstation. Due to some limitations with the current product, this process is not without some unique challenges. More on this later.
Once the installation has completed successfully, choose the option to launch the FileAudit management console.
Before configuring files to be audited there’s a bit of housekeeping that needs to be accomplished first. In the management console in the Tools column select Settings, choose Accounts, and then click Add an account. Provide the domain, username, and password for an account that has administrative privileges on the target servers you wish to audit. You can specify multiple accounts, if necessary.
If you wish to use e-mail alerting (highly recommended!), select E-mail settings and provide the details for your SMTP server.
Now we’re ready to set up file auditing! In the management console select Audit configuration in the Audit column. You can choose to add folders or specific files, as required. To add a folder to audit, click Add a folder. Enter the UNC path of the folder and press Enter. The FileAudit Path Wizard opens and will indicate any additional configuration required to enable auditing on this path.
Click Next and choose Automatically enable the object access audit on the server. Optionally you can choose to configure object access audit manually, but for the best experience it is strongly recommended that you let FileAudit make the required changes. Continue through the next few screens to configure NTFS settings, licensing, and to enable monitoring. Once complete, the folder is configured for auditing and monitoring; repeat these steps as necessary to monitor any additional folders or files.
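For readers who want to see what the wizard’s “Automatically enable the object access audit” step does underneath, the following PowerShell (an added example, not FileAudit’s own code) enables the Windows File System audit subcategory and adds an audit entry (SACL) to a folder so that access attempts are written to the Security log as object access events. It assumes the share \\app1\data maps to the local folder D:\data and must be run from an elevated prompt on the file server.

```powershell
# Turn on success and failure auditing for the "File System" subcategory.
# Without this, SACL entries on folders produce no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Assumed local path behind the \\app1\data share used in this review.
$path = 'D:\data'

# Read the current security descriptor including its audit (SACL) entries.
# -Audit requires SeSecurityPrivilege, hence the elevated prompt.
$acl = Get-Acl -Path $path -Audit

# Audit Everyone for the access types a file-access monitor cares about
# (read, write, delete), inherited by subfolders and files, on both
# successful and denied attempts.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,Delete,DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify both halves of the configuration took effect.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags
```

Expect a noticeable increase in Security log volume once this is in place, which is precisely the problem a product like FileAudit exists to filter.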
Monitoring File Access
Once auditing has been configured, you can use the FileAudit management console to view file access events using the File Access Viewer, which can be found in the Access column. Simply enter a monitored path and press Enter to see all access events.
File access events can also be filtered based on numerous parameters by clicking on the search icon next to the path. You can filter events based on time of day, status (allowed or denied), the type of access (read, write, delete, etc.) and specific user.
File auditing itself is quite important, but an alerting mechanism is essential for prompt notification of specific file access events. With FileAudit 5 you can configure alerts for single access events or mass access events. Single access events let you know important details about access to individual paths or specific files, while mass events alert an administrator to files being accessed en masse. A common use case for alerting is sensitive data access. For example, you may not want to be alerted on every access to general files, but for certain sensitive files an alert on each access might be desirable.
To create a file access alert, choose Alerts in the management console and then click Add under Single access. Provide a name for the alert, and then choose the access status (granted, denied, or both), the type of access (read, write, delete, etc.), and then provide the domain and user information. Optionally you can filter on the source of the access, that being an IP address for remote access or a process for local access.
Next choose Monitored paths and add the file or folder whose access you wish to be alerted on. Here I will create an alert for access to a file called readme.txt on the monitored path \\app1\data.
Select Hours and specify the time frame during which to trigger an alert on this event.
Choose Recipients and then click Add a recipient to send the alert e-mail to.
Finally, select Mail message and review the e-mail template used for this alert. Make any necessary adjustments and click Save.
Alert on Mass File Access
One compelling new feature in FileAudit 5 is the Mass Access alert feature. You can be alerted when a large number of files are being accessed by creating an alert and choosing Mass Access. Click Add and specify the parameters as you did for previous folder and file alerts. For mass access alerts you can specify the frequency thresholds, time period, and latency period to trigger the mass access alert.
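To make the mass access parameters concrete, here is an added PowerShell example (not FileAudit’s code) implementing the same idea over file access events: a frequency threshold of distinct files, a time period (sliding window), and a latency period after which the same user may fire again. It runs on constructed sample records; the field names TimeCreated, User and Path are assumptions, and in production they would be filled from Security log object access events.

```powershell
function Find-MassAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,  # records with TimeCreated, User, Path
        [int] $Threshold      = 5,    # distinct files by one user within the window
        [int] $WindowSeconds  = 60,   # the "time period" of the alert
        [int] $LatencySeconds = 600   # suppress repeat alerts for the same user
    )
    $hits = @()
    foreach ($group in ($Events | Group-Object -Property User)) {
        $sorted   = @($group.Group | Sort-Object TimeCreated)
        $muteUntil = [datetime]::MinValue
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            if ($start -lt $muteUntil) { continue }   # still inside the latency period
            $windowEnd = $start.AddSeconds($WindowSeconds)
            $inWindow  = @($sorted[$i..($sorted.Count - 1)] |
                           Where-Object { $_.TimeCreated -le $windowEnd })
            $distinct  = @($inWindow.Path | Select-Object -Unique)
            if ($distinct.Count -ge $Threshold) {
                $hits += [pscustomobject]@{
                    User      = $group.Name
                    Start     = $start
                    FileCount = $distinct.Count
                    Files     = $distinct
                }
                $muteUntil = $start.AddSeconds($LatencySeconds)
            }
        }
    }
    return $hits
}

# Constructed sample data (not real log output): one user touching eight files
# in 21 seconds at 02:10, another reading a single file a few minutes later.
$t0 = Get-Date '2016-03-01 02:10:00'
$sample = @(
    0..7 | ForEach-Object {
        [pscustomobject]@{ TimeCreated = $t0.AddSeconds($_ * 3)
                           User = 'CORP\jdoe'; Path = "\\app1\data\hr\file$_.xlsx" }
    }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5)
                       User = 'CORP\asmith'; Path = '\\app1\data\readme.txt' }
)

# Only CORP\jdoe should be reported: 8 distinct files within 60 seconds.
Find-MassAccess -Events $sample -Threshold 5 -WindowSeconds 60 |
    Format-Table User, Start, FileCount
```

Tuning the threshold and window to a share’s normal usage is the whole game; set too low, a nightly backup or an antivirus scan will trip the alert just as readily as a data theft.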
The usefulness of any product, at least to me, hinges largely on the quantity and quality of documentation for the product. Here, FileAudit really shines. The FileAudit web site includes plenty of information about installing, configuring, and managing FileAudit. There you will find a getting started guide, a link to the online knowledge base, product briefs, and lots of intuitive short videos demonstrating configuration and use of the product.
Drawbacks and Limitations
The only challenge I faced working with FileAudit was configuring it in a client/server model. For example, if you wish to install the FileAudit service on a dedicated server and perform management remotely, there are a few manual steps you have to take to make this work. First off, installing the FileAudit service only (without the console) works fine, but remote access is not allowed by default. To enable remote access to the server without having access to the console requires editing a configuration file manually to enable it. Also, the installer does not create the required firewall rule to allow remote access. Again, this will have to be configured manually. Once these things have been configured you can install the console on a management workstation and manage the FileAudit server remotely. GUI-less servers are the way of the future, and in fact Windows Server 2016 does not include an option to install a GUI until after the server is installed. Hopefully this limitation will be addressed in future versions of FileAudit.
FileAudit 5.0 greatly simplifies the critically important job of monitoring folder and file access on Windows servers. With today’s threat landscape and the persistence of highly incentivized attackers, monitoring both authorized and unauthorized access to sensitive data is essential to early detection of a data breach. With the limited usefulness of native Windows tools, FileAudit greatly enhances the folder and file monitoring process by providing real-time monitoring and alerting, alerting on mass file access (a strong indication of a successful breach), tracking source IP address information for data access remotely, and providing granular time and date alerting parameters to monitor folder and file access at unusual or unexpected times.
Installing and configuring FileAudit 5 is a snap, and there’s plenty of excellent documentation on their web site to help you get up to speed quickly. You’ll be enjoying the fruits of enhanced visibility in no time at all!
I was amazed at how quick and simple it was to get FileAudit 5 up and running in my test environment. In a matter of minutes I had full visibility into all folder and file access, authorized or unauthorized. The user interface is modern and intuitive, and the ease with which you can configure auditing and alerts was amazing. The only issues I had were related to installation, and even then it wasn’t really a show stopper. I would highly recommend this product, and give it the WindowSecurity.com Gold Award with a rating of 4.5 out of 5.