Configure audit policies on NTFS security-style files and directories

Contributors netapp-ahibbard netapp-thomi

Before you can audit file and directory operations, you must configure audit policies on the files and directories for which you want to collect audit information. This is in addition to setting up and enabling the audit configuration. You can configure NTFS audit policies by using the Windows Security tab or by using the ONTAP CLI.

Configuring NTFS audit policies using the Windows Security tab

You can configure NTFS audit policies on files and directories by using the Windows Security tab in the Windows Properties window. This is the same method used when configuring audit policies on data residing on a Windows client, which enables you to use the same GUI that you are accustomed to using.

What you'll need

Auditing must be configured on the storage virtual machine (SVM) that contains the data to which you are applying system access control lists (SACLs).

About this task

Configuring NTFS audit policies is done by adding entries to NTFS SACLs that are associated with an NTFS security descriptor. The security descriptor is then applied to NTFS files and directories. These tasks are automatically handled by the Windows GUI. The security descriptor can contain discretionary access control lists (DACLs) for applying file and folder access permissions, SACLs for file and folder auditing, or both SACLs and DACLs.

To set NTFS audit policies using the Windows Security tab, complete the following steps on a Windows host:

Steps
  1. From the Tools menu in Windows Explorer, select Map network drive.

  2. Complete the Map Network Drive box:

    1. Select a Drive letter.

    2. In the Folder box, type the name of the SMB server that contains the share holding the data you want to audit, followed by the name of the share.

      You can specify the IP address of the data interface for the SMB server instead of the SMB server name.

      If your SMB server name is “SMB_SERVER” and your share is named “share1”, you should enter \\SMB_SERVER\share1.

    3. Click Finish.

    The drive you selected is mounted and ready with the Windows Explorer window displaying files and folders contained within the share.

  3. Select the file or directory for which you want to enable auditing access.

  4. Right-click the file or directory, and then select Properties.

  5. Select the Security tab.

  6. Click Advanced.

  7. Select the Auditing tab.

  8. Perform the desired actions:

    If you want to set up auditing for a new user or group, do the following:

    1. Click Add.

    2. In the Enter the object name to select box, type the name of the user or group that you want to add.

    3. Click OK.

    If you want to remove auditing from a user or group, do the following:

    1. In the Enter the object name to select box, select the user or group that you want to remove.

    2. Click Remove.

    3. Click OK.

    4. Skip the rest of this procedure.

    If you want to change auditing for a user or group, do the following:

    1. In the Enter the object name to select box, select the user or group that you want to change.

    2. Click Edit.

    3. Click OK.

    If you are setting up auditing on a user or group or changing auditing on an existing user or group, the Auditing Entry for <object> box opens.

  9. In the Apply to box, select how you want to apply this auditing entry.

    You can select one of the following:

    • This folder, subfolders and files

    • This folder and subfolders

    • This folder only

    • This folder and files

    • Subfolders and files only

    • Subfolders only

    • Files only

    If you are setting up auditing on a single file, the Apply to box is not active. The Apply to box setting defaults to This object only.

    Note

    Because auditing takes SVM resources, select only the minimal level that provides the auditing events that meet your security requirements.

  10. In the Access box, select what you want audited and whether you want to audit successful events, failure events, or both.

    • To audit successful events, select the Success box.

    • To audit failure events, select the Failure box.

    Select only the actions that you need to monitor to meet your security requirements. For more information about these auditable events, see your Windows documentation. You can audit the following events:

    • Full control

    • Traverse folder / execute file

    • List folder / read data

    • Read attributes

    • Read extended attributes

    • Create files / write data

    • Create folders / append data

    • Write attributes

    • Write extended attributes

    • Delete subfolders and files

    • Delete

    • Read permissions

    • Change permissions

    • Take ownership

  11. If you do not want the auditing setting to propagate to subsequent files and folders of the original container, select the Apply these auditing entries to objects and/or containers within this container only box.

  12. Click Apply.

  13. After you finish adding, removing, or editing auditing entries, click OK.

    The Auditing Entry for <object> box closes.

  14. In the Auditing box, select the inheritance settings for this folder.

    Select only the minimal level that provides the auditing events that meet your security requirements. You can choose one of the following:

    • Select the Include inheritable auditing entries from this object's parent box.

    • Select the Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object box.

    • Select both boxes.

    • Select neither box.

    If you are setting SACLs on a single file, the Replace all existing inheritable auditing entries on all descendants with inheritable auditing entries from this object box is not present in the Auditing box.

  15. Click OK.

    The Auditing box closes.
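
A scripted equivalent of steps 8 through 12, as an added PowerShell example that is not part of the NetApp documentation: it maps each Apply to choice from step 9 to the inheritance and propagation flags that Windows stores in the SACL entry, then adds one audit entry and reads it back. The folder path, the account name and the `New-AuditEntry` helper are assumptions; it is meant to be run from a Windows host by an account that is permitted to manage auditing on the share.

```powershell
# Added example, not NetApp code. $Path, $Account and New-AuditEntry are assumptions.
$Path    = '\\SMB_SERVER\share1\projects'   # constructed folder in the page's example share
$Account = 'EXAMPLE\Domain Users'           # hypothetical group to audit

# Step 9 "Apply to" choices -> (InheritanceFlags, PropagationFlags)
$ApplyTo = @{
    'This folder, subfolders and files' = @('ContainerInherit, ObjectInherit', 'None')
    'This folder and subfolders'        = @('ContainerInherit', 'None')
    'This folder only'                  = @('None', 'None')
    'This folder and files'             = @('ObjectInherit', 'None')
    'Subfolders and files only'         = @('ContainerInherit, ObjectInherit', 'InheritOnly')
    'Subfolders only'                   = @('ContainerInherit', 'InheritOnly')
    'Files only'                        = @('ObjectInherit', 'InheritOnly')
}

function New-AuditEntry {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,   # step 10 access list
        [string]$Scope,                                            # step 9 "Apply to"
        [System.Security.AccessControl.AuditFlags]$Outcome,        # Success, Failure or both
        [switch]$ThisContainerOnly                                 # step 11 check box
    )
    if (-not $ApplyTo.ContainsKey($Scope)) { throw "Unknown Apply to value: $Scope" }
    [System.Security.AccessControl.InheritanceFlags]$inherit   = $ApplyTo[$Scope][0]
    [System.Security.AccessControl.PropagationFlags]$propagate = $ApplyTo[$Scope][1]
    if ($ThisContainerOnly) {
        # Stop the entry from being inherited below the immediate children.
        $propagate = $propagate -bor [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    }
    [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Identity, $Rights, $inherit, $propagate, $Outcome)
}

# Read the security descriptor including its SACL (-Audit), add one entry, write it back.
$acl = Get-Acl -Path $Path -Audit
$entry = @{
    Identity = $Account
    Rights   = 'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    Scope    = 'This folder, subfolders and files'
    Outcome  = 'Success, Failure'
}
$acl.AddAuditRule((New-AuditEntry @entry))
Set-Acl -Path $Path -AclObject $acl

# Confirm what is now stored on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags
```

The rights in this entry cover deletion, permission changes and ownership changes only, in line with the guidance above to audit the minimal set of actions that meets your security requirements.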

Configure NTFS audit policies using the ONTAP CLI

You can configure audit policies on files and folders using the ONTAP CLI. This enables you to configure NTFS audit policies without needing to connect to the data using an SMB share on a Windows client.

You can configure NTFS audit policies by using the vserver security file-directory command family.

You can only configure NTFS SACLs using the CLI. Configuring NFSv4 SACLs is not supported with this ONTAP command family. See the man pages for more information about using these commands to configure and add NTFS SACLs to files and folders.