File Monitoring vs. File Access Tracking


The File Monitoring (System Health) and File Access Tracking (Compliance Tracking) features are easy to confuse, since both observe changes to files. The two features are quite different, however, and solve different problems: File Monitoring detects that a file changed and can act on it, while File Access Tracking records who accessed or changed a file and from where. The comparison table below outlines the key differences.

 

Comparison Overview

 

Feature                                                                 File Monitoring   File Access Tracking

Can generate alerts, trigger actions                                    Yes               No
Requires NTFS auditing to be enabled on monitored folder(s)             No                Yes
Captures username who accessed and/or modified file                     No                Yes
Can capture calling process that accessed and/or modified file          No                Yes, depending on source
Can capture source computer from which file was accessed/modified       No                Yes
Monitors checksums                                                      Yes               Yes
Can monitor read access                                                 No                Yes

 

Detailed Comparison

 

System Health -> File Monitoring

 

This feature monitors files in one or more designated directories, either in real time or at scheduled intervals. File Monitoring was designed with both security (integrity checks) and system automation in mind, and is primarily intended to issue alerts or trigger actions when a file change is detected.

 

From a security standpoint, File Monitoring ensures that selected files (e.g. executables in the SYSTEM32 directory, credit card transaction logs and so forth) are not changed, and that any change that does occur is logged and, optionally, triggers an alert.

 

From a system administrator's standpoint, it can help automate tasks that should run whenever files in a directory change. For example, a directory can be monitored so that any file added to it is automatically compressed by a process action, or so that a list of users is notified that a file has been added. Since a file change can be linked directly to a process action, what can be done in response is limited only by the process or batch file itself.

 

One distinct advantage of the File Monitoring feature is that it does not require any additional configuration steps on the OS. Once File Monitoring is configured and the configuration pushed, it will be effective immediately.
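The scheduled-interval, checksum-based integrity check described above, written out as an added PowerShell example. This is not EventSentry's File Monitoring code; it only shows the mechanism such a feature relies on: record a SHA-256 baseline of a directory tree, compare the tree against it later, and hand any added, modified or removed files to an action. The function names, the baseline file location under C:\FIM and the log-appending action are assumptions for illustration.

```powershell
# Added example (not EventSentry's File Monitoring code): a scheduled-interval checksum
# monitor. It records a SHA-256 baseline of a directory tree, reports files that were
# added, modified or removed since, and hands the change list to an action script block.
# Function names, the baseline file location and the action are illustrative assumptions.

function Get-DirectoryHashes {
    param([Parameter(Mandatory)][string]$Path)
    $map = @{}
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        try   { $map[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
        catch { $map[$_.FullName] = 'UNREADABLE' }   # locked files still appear as entries
    }
    $map
}

function New-FimBaseline {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$BaselineFile)
    Get-DirectoryHashes -Path $Path | ConvertTo-Json | Set-Content -Path $BaselineFile -Encoding UTF8
}

function Compare-FimBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile,
        [scriptblock]$OnChange                       # called once with the change list, if any
    )
    # Load the baseline back into a hashtable keyed by full path.
    $baseline = @{}
    $json = Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json
    foreach ($p in $json.PSObject.Properties) { $baseline[$p.Name] = $p.Value }

    $current = Get-DirectoryHashes -Path $Path

    # Files present now: new if not in the baseline, modified if the hash differs.
    $changes = @(foreach ($f in $current.Keys) {
        if (-not $baseline.ContainsKey($f))     { [pscustomobject]@{ Change = 'Added';    File = $f } }
        elseif ($baseline[$f] -ne $current[$f]) { [pscustomobject]@{ Change = 'Modified'; File = $f } }
    })
    # Files in the baseline that no longer exist.
    $changes += @(foreach ($f in $baseline.Keys) {
        if (-not $current.ContainsKey($f))      { [pscustomobject]@{ Change = 'Removed';  File = $f } }
    })

    # Trigger the action only when something actually changed.
    if ($changes.Count -gt 0 -and $OnChange) { & $OnChange $changes }
    $changes
}

# Usage (assumed paths): take the baseline once, then run the comparison on a schedule.
# The action here appends to a log file; the same hook could launch any process or script.
New-FimBaseline     -Path 'C:\Windows\System32' -BaselineFile 'C:\FIM\system32-baseline.json'
Compare-FimBaseline -Path 'C:\Windows\System32' -BaselineFile 'C:\FIM\system32-baseline.json' -OnChange {
    param($changes)
    $changes | ForEach-Object { "$(Get-Date -Format s) $($_.Change) $($_.File)" } |
        Add-Content -Path 'C:\FIM\changes.log'
}
```

Hashing a tree the size of SYSTEM32 on every run is expensive, which is why an interval-based monitor is usually scoped to a small set of sensitive directories. Note also what this approach cannot tell you: it reports that a file changed, not which account or process changed it; that is exactly the gap File Access Tracking fills.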

 

 

 

Compliance Tracking -> File Access Tracking

 

Compliance Tracking intercepts "Object Access" security events which are generated by the Operating System when auditing has been enabled on a file and/or directory. This feature was designed to monitor directories that contain confidential or security-sensitive data, and provide advanced reporting that can be used to satisfy both security and compliance-related demands.

 

While File Access Tracking cannot generate any type of alert or trigger actions, it does include more information about the file changes themselves. The key advantage is that File Access Tracking can often let you know who made changes to a file, and from where.

 

For example, depending on the source of the file change, the tracking information may include the calling process as well as the source computer.

 

Because of architectural differences between pre-Vista operating systems and their successors, Windows Vista and Windows Server 2008 are the preferred platforms for this feature, although earlier operating systems are fully supported as well.

 

Keep in mind that File Access Tracking requires NTFS auditing to be enabled on every folder that is to be monitored; see File Access Tracking Prerequisites for more information.
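The OS-side prerequisite described above, and the "Object Access" events it produces, as an added PowerShell example. This is not EventSentry's File Access Tracking code and does not replace the product's reporting; it shows what the feature depends on and where the username, calling process and source computer in the comparison table come from. The event IDs are Windows Security log facts (4663 "An attempt was made to access an object", 4624 logon); the function names, the D:\Confidential path, the audited identity and the lookback window are assumptions. Run it from an elevated session.

```powershell
# Added example (not EventSentry's File Access Tracking code): turn on the auditing that
# the feature depends on, then read back the resulting Object Access events. Function
# names, paths, the audited identity and the lookback window are illustrative assumptions.

function Enable-FolderAccessAuditing {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',     # assumption: audit every principal
        [switch]$IncludeReads               # read auditing is where event volume explodes
    )
    # 1. The "File System" subcategory of the Object Access audit policy must be on;
    #    without it, NTFS SACL entries produce no events at all.
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

    # 2. Add a SACL entry (NTFS auditing) to the folder, inherited by files and subfolders.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'
    if ($IncludeReads) {
        $rights = [System.Security.AccessControl.FileSystemRights]($rights -bor [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure')
    $acl = Get-Acl -Path $Path -Audit      # -Audit needs SeSecurityPrivilege (elevated session)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAccessEvents {
    param([Parameter(Mandatory)][string]$Path, [int]$LookbackMinutes = 60)
    $since = (Get-Date).AddMinutes(-$LookbackMinutes)

    # Flatten an event's <Data Name="..."> nodes into a hashtable.
    $toHash = {
        param($evt)
        $d = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $d
    }

    # 4663 carries no client address. Network logons (4624, logon type 3) do, so map
    # logon ID -> source so a file access over the network can be tied to its origin.
    $logonSource = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = & $toHash $_
            if ($d.LogonType -eq '3') { $logonSource[$d.TargetLogonId] = "$($d.WorkstationName) ($($d.IpAddress))" }
        }

    # 4663 = "An attempt was made to access an object": the Object Access event for files.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = & $toHash $_
            if ($d.ObjectName -like "$Path*") {
                $src = if ($logonSource.ContainsKey($d.SubjectLogonId)) { $logonSource[$d.SubjectLogonId] } else { 'local' }
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object     = $d.ObjectName
                    AccessMask = $d.AccessMask   # e.g. 0x1 ReadData, 0x2 WriteData, 0x10000 Delete
                    Process    = $d.ProcessName  # "System" for SMB access, the client app for local access
                    Source     = $src
                }
            }
        }
}

# Usage (assumed folder): enable auditing once, then pull the last 30 minutes of access.
Enable-FolderAccessAuditing -Path 'D:\Confidential'
Get-FolderAccessEvents -Path 'D:\Confidential' -LookbackMinutes 30 | Format-Table -AutoSize
```

Two practical caveats follow from the table's "depending on source" entries. When a file is touched over a network share, the ProcessName in 4663 is the server's System process rather than the application on the client, so the calling process is only meaningful for local access; the source computer, conversely, is only recoverable for network access, via the logon ID correlation above. And auditing ReadData on a busy folder produces an event for every read, so enable read auditing only where the compliance requirement actually demands it and size the Security log accordingly.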