Auditing Folder Permission Changes

How can we detect when permissions on a folder are changed? We need this capability for certain folders that contain critical data to satisfy a monitoring requirement in our compliance audit.

First, you'll need to enable the Audit object access events policy for successful events on the servers on which the folders reside. You'll find this policy in the servers' Local Security Policy, or you can configure it via an applicable Group Policy Object (GPO).

Next, for each folder, open its properties dialog box in Windows Explorer and go to the Security tab. Click Advanced, and in the Advanced Security Settings dialog box, go to the Auditing tab. Add an entry that enables for Everyone auditing of successful Change Permissions and Take Ownership events, as Figure 1 shows. I included Take Ownership because taking ownership of a folder results in the new owner having full control of the object.

Now, whenever someone successfully changes the permissions on this folder or takes ownership of it, an event ID 560 similar to the one in Figure 2 will be recorded in the Security event log. Note the existence of WRITE_DAC in the Accesses field. WRITE_DAC indicates that permissions were changed. DAC stands for discretionary access control. If the event had been caused by someone taking ownership, you would see WRITE_OWNER in the Accesses field.

You should be aware that the audit entry in Figure 1 results in an event being logged for every subfolder and file in the CriticalData folder when someone makes permission changes on CriticalData that are inherited by files and subfolders. That could result in a lot of events. You could change the Apply onto value from This folder, subfolders and files to This folder only, but then you'd miss getting notified of permission changes made directly to subfolders or files. The best course of action is to keep Apply onto set to This folder, subfolders and files, then tune your monitoring and reporting to filter out notifications of permission changes on subfolders and files whose parent folder just experienced the same change.