Every object on a file share has an owner. A file’s owner controls who has permissions to the object; full access permissions are particularly important because they enable the user to read, copy, delete and relocate the file. Therefore, any change of a file owner increases the risk of unauthorized access that could result in the loss or leakage of sensitive data. IT administrators must continuously monitor every change to a file owner and detect improper changes in order to mitigate the risk of data breaches and compliance failures.

Native Auditing

File share properties

Navigate to the required file share, right-click it and select “Properties”.

•  Select the “Security” tab
  •  “Advanced” button
    •  “Auditing” tab
      •  Click “Add” button
• Select Principal: “Everyone”;
• Select Type: “All”;
• Select Applies to: “This folder, subfolders and files”;
• Select the following “Advanced Permissions”:
  • “Change permissions and “Take ownership”.

GPEDIT

Run gpedit.msc.

Create a new group policy and assign it to the needed OU.

•  Edit it
  • Computer Configuration
    •  Policies
      •  Windows Settings
      •      Security Settings.
•  Go to Local Policies
  •  Audit Policy:
    • Audit object access
      •  Define: Success and Failures.

      Advanced policy configuration

      • Go to “Advanced Audit Policy Configuration”
        •  Audit Policies
          • Object Access:
            • Audit File System → Define → Success and Failures
            • Audit Handle Manipulation → Define → Success and Failures.

Event log

Go to Event Log, define:

1. Maximum security log size to 4GB
2. Retention method for security log to Overwrite events as needed.

Search security log

Open Event Viewer and search Security log for event id 4663 with “File Server” or “Removable Storage” task category and with “Accesses: WRITE_OWNER” string.

“Subject Security ID” will show you who changed the file’s/folders owner.

Originally posted – https://www.netwrix.com/how_to_detect_who_changed_file_or_folder_owner.html