Is there a way to create a log that records any activity when someone (including network Admin) accesses or at least tries to access a shared folder or drive on your computer? It would be nice to be able to log all the activity that takes places with Shared folders and any possible Remote Desktop connection that takes place without my knowledge.
This is possible using Windows 7 built-in Group Policy Editor, included in Seven Professional, Ultimate and Enterprise editions. There are also several third party alternatives, for instance ShareAlarmPro.
Here's how to audit network access:That's it. To read audit log, open Event Viewer by typing Event Viewer to Start menu's search field or Run dialog window and hit Enter. Go to Windows Logs > Security
- Open Group Policy Editor by typing gpedit.msc to Start menu's search field or Run dialog window and hit Enter
.- Go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies Audit Policy, double click to open Audit Object Access
.- Check both options (Success and Failure) under Audit these objects, click OK
.- Close Group Policy Editor
.- Open the Properties of a shared folder you want to audit, choose Security tab, click Advanced
.- Choose Audit tab, click Continue
.- Click Add, click Locations to choose from which location you want to audit, write the computer name and name of a user or group you want to audit, for instance PC-3\Administrators or XPPro-upstairs\Kari. Click Check names to "spellcheck", to check validity of your input
.- Click OK to close Select User or Group dialog, click OK to close Advanced Security Settings, click OK to close Folder Properties
Any further questions, don't hesitate to ask.
Kari
EDIT: I thought this is an important enough issue to make a tutorial. Please post all possible questions directly to the tutorial thread to keep it concentrated in a place. Tutorial is here: Audit (log) access to shared folders
Last edited by Kari; 08 Nov 2010 at 06:01.
Thanks for getting back to me Kari, I really do appreciate it!
When I go to the Properties of the shared folder I want to audit I get the following error...."This has been shared for administrative purposes. The share permissions and file security cannot be set." Are there any workarounds to this problem? I have Admin network access, so maybe you can point me in the right direction as to where I should look to correct this problem?
Up to this point whenever I log into Windows I basically go into the default Shares and select Stop Sharing. I’ve assumed this has kept out anybody who wants to access my computer but I can’t be too sure.
I'm not sure but could this be so simple that you answered your own question? If share service is stopped, you can not set permissions.
I don’t think I’ve stopped the Shared Service, just the default drives that pop up every time the machine is rebooted. Can the Sharing Service be stopped? If so, where?
To stop sharing:
Of course you have to do this for every enabled NIC, for instance if you have both LAN and WiFi connected at the same time, you have to stop sharing in both of them.
I misread your post, I tought you were talking about this feature. Anyway, logically thinking there could be something in this procedure of yours, first stop sharing by turning it manually off folder by folder, then when you try to change global sharing or security settings there is nothing to share i.e. nothing to change.
Kari
And simply by turning off the File and Print Sharing in the Properties, this eliminates someone connecting to your computer via Shared Folder or Remote Desktop?
Here's what mean says. Any work arounds or things I can disable in the Group Policy to change this setting?
Quote
