Educause Security Discussion mailing list archives

NTFS file access auditing
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 28 Apr 2010 13:56:15 -0400

One of our current projects is a higher security file services offering that
can meet some of the stricter regulatory compliance requirements.  To that
end, one of the planned features is detailed file access auditing to enable
a review of who has accessed what data at what time.  This is easy enough to
enable with native capabilities, and we're looking at third-party tools to
make audit log reviews/reports much more practical.  My question is about a
quirk of Windows Explorer and its impact on audit logs.
If I enable audit logging of file reads for items in a particular directory,
but not auditing of "read" on the directory itself (aka list), and then do a
command-line directory listing of the directory, there are no resulting
audit logs.  This is expected because I just accessed a directory listing
and not read the files themselves.  If I instead open the directory in
Windows Explorer (at least under Windows 7), it will trigger a read audit
log for all of the files in the directory.  Following both of these actions
in Process Monitor (great tool - learn it) shows that they are indeed very
different, and the GUI browsing does request a handle for each of the files
in the directory and opens them.  Presumably this is done to request
detailed file information for GUI display.
Unfortunately, this means the audit logs are deceiving, showing no
difference between browsing into a folder and actually opening the files.
Has anyone else tackled this issue?  Did you do so natively, or using a
third-party audit solution?

Thanks,

Brad Judy
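One native way to make the logs less deceiving, added here as an example rather than anything from Brad's post: pull the 4663 (object access) events for the audited folder and collapse bursts of ReadData opens that come from explorer.exe within a couple of seconds into a single "folder browse" line, leaving single-file opens as "file read". It assumes "Audit File System" is enabled, the folder's SACL audits ReadData, and the `$Folder` path, `$BurstSeconds` and `$BurstMinFiles` values are placeholders to tune.

```powershell
# Added example (not from the original post). Assumes object-access auditing
# is on and the folder SACL audits ReadData; $Folder is a placeholder path.
param(
    [string] $Folder        = 'D:\Secure',
    [int]    $BurstSeconds  = 2,   # max gap between opens inside one Explorer burst
    [int]    $BurstMinFiles = 3    # fewer distinct files than this is treated as a real read
)

function Classify-Burst([object[]] $Burst) {
    $files   = @($Burst.Object | Sort-Object -Unique)
    $verdict = if ($Burst[0].Process -like '*\explorer.exe' -and $files.Count -ge $BurstMinFiles) {
        'Folder browse (Explorer)'
    } else { 'File read' }
    [pscustomobject]@{
        Start   = $Burst[0].Time
        User    = $Burst[0].User
        Process = $Burst[0].Process
        Folder  = Split-Path $Burst[0].Object -Parent
        Files   = $files.Count
        Verdict = $verdict
    }
}

# Pull 4663 events, flatten EventData, keep ReadData (0x1) accesses under $Folder.
$reads = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction Stop |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            Process    = $data['ProcessName']
            Object     = $data['ObjectName']
            AccessMask = [int]$data['AccessMask']   # hex string such as 0x1 converts directly
        }
    } |
    Where-Object { $_.Object -like "$Folder\*" -and ($_.AccessMask -band 0x1) } |
    Sort-Object Time

# Split each user/process/parent-folder stream into bursts separated by more than $BurstSeconds.
$report = foreach ($g in ($reads | Group-Object { '{0}|{1}|{2}' -f $_.User, $_.Process, (Split-Path $_.Object -Parent) })) {
    $burst = @(); $last = $null
    foreach ($e in $g.Group) {
        if ($last -and ($e.Time - $last).TotalSeconds -gt $BurstSeconds) { Classify-Burst $burst; $burst = @() }
        $burst += $e; $last = $e.Time
    }
    if ($burst.Count) { Classify-Burst $burst }
}
$report | Sort-Object Start | Format-Table -AutoSize
```

Explorer is not the only process that opens files on a reviewer's behalf (search indexing and antivirus scans do the same), so the ProcessName column is worth keeping in any report rather than filtering on explorer.exe alone.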