Detailed explanation of turning on the audit function in Windows to record file deletion operations

Problem description:

Some files on the Windows machine were abnormally deleted and packaged. Intrusion suspected. How to troubleshoot.

Problem Solution:

1. Configure Group Policy

Select "Run" from the Start menu to open "Group PolicyEditor ”

Navigate to [Computer Configuration]--[Windows Settings]--[Security Settings]--[AdvancedAuditPolicy Configuration]--[System Audit Policy]--[Object Access], double-click [Audit File System] on the right, check [Define these policy settings] and [Success] items and [Failure] items do not need to be checked.

2. Add audit directory

Right-click the folder that needs to be audited, select [Properties], and then switch to [ Security] tab, click the [Advanced] button, switch to the [Audit] tab in the new dialog box, add users and groups to be audited, and check and delete related items in [Audit Projects] . It is necessary to audit everyone's deletion actions of the folder and subfolders.

For example, the C:\tmp configuration in the test environment is as follows:

Right-click the directory C:\tmp and select [Security]->[Advanced], select [Audit], and then add, for the subject [everyone], review [Delete subfolders and files] in the advanced permissions, [Delete] 2 items

Additionally, to increase the size of the security log, in the Event viewer, right-click Security and set the log size to 120512KB

3. Test, delete C:\tmp\testfile.txt, and then find the record with event ID 4646 in the security log as follows, which shows that the administrator user performed the operation through explorer.exe.

The above is the detailed content of Detailed explanation of turning on the audit function in Windows to record file deletion operations. For more information, please follow other related articles on the PHP Chinese website!