All journalled operating systems, such as Windows and Unix, have the ability to audit access to a folder (directory) or file. Essentially, the system writes each access event to a log file. When you check the log file, you can see who's doing what on your network. In Windows, for example, when you enable auditing of file access for NTFS volumes, you'll get entries written into the Security log.
In Windows 2003 Server you can enable auditing by right-clicking on the file or folder, selecting Properties, and then clicking on the Security tab. Then click on the Advanced tab and uncheck the Allow Inheritable Entries from Parent to Propagate check box. Enable the feature by clicking the Add button to add users and groups. To audit all users, add the Everyone group (but realize the dangers of using the Everyone group). The Auditing Properties page lets you select what type of access you audit. Click OK to close the dialog boxes, making sure to check the Replace Auditing Entries on All Child Object box before you leave the Advanced page.
To audit potentially suspicious behavior, consider creating one or more dummy files or folders with enticing names such as "Corporate Salary Structure", "Annual Audit Results", "Sales Report", "HR Findings" or the like, and place them in the location you want to monitor. You may find people accessing these files from either internal or external sources, which will help you close some important security breaches before the offenders
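One way to review the resulting audit entries for decoy access, as an added example that is not from the original article. It assumes the file-access entries from the Security log have been exported to CSV with the columns `time`, `account`, `object` and `accesses`; that layout, the sample rows, the paths and the `svc-backup` account are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Decoy names from the article; they match a file (any extension) or a folder.
DECOYS = {"corporate salary structure", "annual audit results",
          "sales report", "hr findings"}
# Assumption: accounts that legitimately read everything (hypothetical name).
EXPECTED_ACCOUNTS = {r"corp\svc-backup"}

# Constructed sample rows; the column layout is an assumed export format.
SAMPLE_EXPORT = r"""time,account,object,accesses
2003-08-04T09:12:01,CORP\jdoe,D:\Finance\Budget 2003.xls,ReadData
2003-08-04T09:14:37,CORP\asmith,D:\Finance\Corporate Salary Structure.xls,ReadData
2003-08-04T23:02:10,CORP\svc-backup,D:\Finance\Corporate Salary Structure.xls,ReadData
2003-08-05T02:41:55,CORP\ASmith,d:\hr\HR FINDINGS\notes.txt,ReadData;WriteData
2003-08-05T02:43:08,WEB01\IUSR_WEB01,D:\HR\HR Findings\notes.txt,ReadData
"""


def decoy_name(path):
    """Return the decoy a path touches (lowercased), or None."""
    for part in path.replace("/", "\\").split("\\"):
        # Try the component as-is (folder) and without its extension (file).
        for candidate in (part, part.rsplit(".", 1)[0]):
            if candidate.strip().lower() in DECOYS:
                return candidate.strip().lower()
    return None


def triage(export_text):
    """Return ({account: [(time, decoy, accesses)]}, suppressed_count)."""
    alerts, suppressed = defaultdict(list), 0
    for row in csv.DictReader(io.StringIO(export_text)):
        decoy = decoy_name(row["object"])
        if decoy is None:
            continue  # ordinary file, not part of the trap
        account = row["account"].strip().lower()  # Windows names ignore case
        if account in EXPECTED_ACCOUNTS:
            suppressed += 1  # counted rather than hidden, so tuning stays visible
            continue
        alerts[account].append((row["time"], decoy, row["accesses"]))
    return dict(alerts), suppressed


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EXPORT)
    for account, hits in sorted(alerts.items()):
        print(f"{account}: {len(hits)} decoy access(es)")
    print(f"suppressed (expected accounts): {suppressed}")
```

Auditing the Everyone group records backup and antivirus reads as well, which is why expected accounts are counted separately instead of being dropped silently.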
Barrie Sosinsky is president of consulting company Sosinsky and Associates (Medfield MA). He has written extensively on a variety of computer topics. His company specializes in custom software (database and Web related), training and technical documentation.
This was first published in August 2003