Summary:
- Enable Event 4663 via Local Security Policy
- Configure File Access Audit Security
- Event 4663 Sample Source
Enable Event ID 4663 via Local Security Policy
Event 4663 is controlled by the Audit Policy setting Audit object access. When you enable this setting, you get all three file access audit events (4663, 4656 and 4658). If you want only event 4663 to be logged, enable the subcategory setting Audit File System under Advanced Audit Policy Configuration (available only in Windows 7/2008 R2 and later versions).
Follow the steps below to configure Audit Policy to log event 4663:
1. Open the Local Security Policy by running the command secpol.msc.
2. Navigate to the node Audit Policy (Security Settings/Local Policies/Audit Policy). In the right-hand pane, select the setting Audit object access.
3. Double-click Audit object access, check the Audit options Success and Failure to monitor both successful file accesses and access-denied file accesses, and click the Apply button.
Note: In Windows 7/2008 R2 and later versions, you can enable the subcategory-level setting Audit File System under Advanced Audit Policy Configuration (Security Settings/Advanced Audit Policy Configuration/Object Access/Audit File System).
Steps to Configure File Access Audit Security (SACL)
System Access Control Lists (SACLs) determine whether file access events are generated for a particular file or folder. You must therefore enable a SACL on each file or folder whose access events you want to monitor or track.
Follow the steps below to enable File Access Audit Security:
1. Right-click the folder for which you want to configure audit events, and click Properties.
2. Select the Security tab, and click the Advanced button.
3. Navigate to the Audit tab, and click the Add button.
4. Select the account Everyone, check the Successful and Failed audit options that you want to audit, click OK, and then click Apply.
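The two procedures above can also be scripted from an elevated PowerShell prompt. The following is an added example, not code from the original post; the folder path and the audited rights (Modify) are assumptions chosen for illustration.

```powershell
# Added example: scripted equivalent of the audit policy and SACL steps above.
# Run elevated. $Path is a hypothetical folder; replace it with the one to monitor.
$Path = 'C:\AuditedShare'

# 1. Audit policy: enable only the File System subcategory (Success and Failure).
#    The subcategory name is the English one; it differs on localized systems.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"   # confirm the effective setting

# 2. SACL: add an audit entry for Everyone, inherited by subfolders and files.
#    Assumption: Modify rights are audited; narrow or widen this as needed.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Modify',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Verify that the audit entry is present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# 4. Read recent 4663 events and extract the fields useful for review.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            Object     = $data['ObjectName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
```

Step 4 returns events only for accesses made after both the policy and the SACL are in place.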
Thanks,
Morgan
Software Developer
Thank you for the tutorial,
Could you please specify if we can read events that were logged before setting the System Access Control Lists (SACL)?
No. You should have already configured the audit policy and SACL to log this event.