Administrators know that users can be very
unpredictable, and some even have a tendency to start experimenting
with your network. For example, a user might get bored and start
browsing around your network for “useful” information. It’s hard to
anticipate who’s going to try accessing your confidential data.

If you want to see who’s successfully or
unsuccessfully accessed data, turn on auditing. Auditing is a
useful feature that allows you to see exactly what’s going on with
your documents.

Before you can monitor access to your files,
you have to enable the feature. Follow these steps:

  1. Open User Manager by going to Start |
    Programs | Administrative Tools | User Manager.
  2. Select Policies | Audit.
  3. Choose Audit These Events.
  4. Under the File And Object Access option,
    select either the Success or Failure check box, depending on the
    events you want to audit.
  5. Close all dialog boxes.

You can turn on auditing for several events,
but for now, let’s focus on auditing access to files and
folders.

Once you’ve activated auditing, you must
specify the events on each individual file and folder. You can do
this only for files and folders located on NTFS volumes.

Right-click a file or folder, and select
Properties. On the Security tab, click Auditing. In the Event To
Audit section, click Add, and select the users or a group of users.
If you want to enable auditing for all users, select Everyone.

While auditing is a helpful practice, don’t get
carried away. When you log more files and enable more logging
options, you risk performance issues. And if you audit too much,
you’ll easily get lost in the log files, and you might miss
important events.

So it’s a good idea to only log important files
or the most important events. For instance, if you want to find out
who’s deleting files, only monitor successful file deletes.