Submit a ticketCall us

Quickly Address Software Vulnerabilities
Patch Manager is an intuitive patch management software which extends the capabilities of WSUS and SCCM to not only patch Windows® servers and workstations, and Microsoft® applications, but also other 3rd-party applications which are commonly exploited by hackers. Learn more about our patch management solution.

 

Home > Success Center > Log & Event Manager (LEM) > Monitor when a user tries to access a file for which they don't have permissions

Monitor when a user tries to access a file for which they don't have permissions

Table of contents
Created by Jason Dee, last modified by Jason Dee on Dec 07, 2016

Views: 39 Votes: 0 Revisions: 6

Overview

This article details how to audit events where a user tries to open a file or folder they have been denied access to.

Environment

All versions of LEM 

Detail

Due to the nature of Windows auditing, finding events for this specific scenario can be tricky. Try searching or creating a rule with the following conditions:

 

 

Note: To actually generate these events, your Windows Audit Policy must be monitoring Failures for the File System and Handle Manipulation subcategories. You will also need to adjust the auditing on the files/folders in question to montior failures for File Execution.

 

 

Last modified
16:15, 7 Dec 2016

Tags

Classifications

Public