How to Audit File Access on Shared Drives Without EDR Tools

Key Points

  • Enable native Windows auditing to monitor file access on shared drives without investing in EDR or XDR tools.
  • Use built-in file server features like Event Viewer and FSRM to track, control, and report on access activity.
  • Standardize auditing policies across environments to reduce compliance risks and limit insider threats.
  • Prioritize high-value folders such as finance and HR data to minimize log noise and focus on meaningful events.

Shared drives are invaluable for Small and Medium-sized Businesses (SMBs), but they introduce blind spots when file access activity isn’t tracked. A lack of visibility can lead to unauthorized access to sensitive files and undetected data loss.

Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) can address these issues, but can be expensive for clients. Managed Service Providers (MSPs) can still deliver strong security value by leveraging native auditing tools to track file access in shared drives and implementing structured processes for reviewing and responding to access activity.

Auditing file access on shared drives without EDR tools

To audit file access on shared drives without EDR tools, you must enable native file system auditing, review event logs, use file server features for SMB environments, standardize auditing policies, and communicate findings to clients.

📌 Prerequisites:

  • Administrative access to Windows Server or file shares.
  • Knowledge of file/folder permissions.
  • Access to client compliance requirements.
  • Optional: RMM or monitoring tool to centralize alerts.

Method 1: Enable native file system auditing

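This step enables native file system auditing, allowing you to see who accesses, changes, or deletes data. The policy only switches the audit category on; events are written only for folders that also carry an audit entry (see the folder auditing steps in Method 4).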

📌 Use Case: A company handling confidential financial or HR records wants to monitor access to specific folders to ensure only authorized personnel interact with those files.

You can enable object access auditing using Group Policy. To do so, follow the steps below:

  1. Press Win + R, type gpmc.msc, then press Enter.
  2. Navigate to:
    • Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy
  3. Enable Audit Object Access for Success and Failure events.

Method 2: Review event logs for access activity

Reviewing logs shows how sensitive data is being used and supports timely detection of misuse.

📌 Use Case: A security administrator wants to detect when users attempt to mass-delete client files or modify confidential HR data. By collecting and analyzing Windows Security Event Logs, the organization can identify these incidents early and respond before significant data loss or compliance breaches occur.

Collect Windows security event logs

  1. Access event logs by pressing Win, typing Event Viewer, and then pressing Enter.
  2. Navigate to:
    • Event Viewer → Windows Logs → Security
  3. Focus on the event IDs related to file system access and record the details of each event:
    • 4663 – Access attempt on an object (e.g., file/folder read/write/delete).
    • 4660 – Object deleted.
    • 4656 – Handle requested for object access.
    • 4670 – Permissions changed on an object.

Forward logs to a central collection point

Security Information and Event Management (SIEM) tools, such as Microsoft Sentinel, can simplify review and correlation. Centralizing logs helps monitor different systems simultaneously and identify cross-system issues.

Set up alerts for suspicious activity

Define alert rules within your SIEM or monitoring system to flag:

  • Mass file deletions
  • Unauthorized access attempts
  • Permission escalation

For example, an alert triggers if more than 50 delete events (Event ID 4660) happen within a short time period. The alert indicates a potential ransomware or insider threat scenario.
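The alert rule described above can be expressed as a per-user sliding-window count. The following is an added example, not code from the original article; the function names, the 5-minute window, and the CONTOSO sample accounts are assumptions made for illustration.

```powershell
# Added example (not from the original article): flag mass deletions per user.
function Find-MassDeletion {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()]
        [object[]] $Events,          # objects with TimeCreated and User properties
        [int] $Threshold = 50,       # the article's example threshold
        [int] $WindowMinutes = 5     # assumption: the article only says "a short time period"
    )
    foreach ($group in ($Events | Group-Object -Property User)) {
        $times = @($group.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Shrink the window until it spans at most $WindowMinutes.
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -gt $Threshold) {
                [pscustomobject]@{
                    User = $group.Name; Deletions = $count
                    From = $times[$start]; To = $times[$end]
                }
                break   # one finding per user is enough to raise the alert
            }
        }
    }
}

# Live input: read Event ID 4660 from the Security log (run elevated on the file server).
# 4660 carries no file name; HandleId is kept so a hit can be matched to its 4663 event.
function Get-DeleteEvent {
    param([int] $LookbackHours = 1)
    $filter = @{ LogName = 'Security'; Id = 4660; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            HandleId    = $data.HandleId
        }
    }
}

# Constructed sample: alice deletes 60 files in two minutes, bob deletes 5 over an hour.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample  = 0..59 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds(2 * $_); User = 'CONTOSO\alice' } }
$sample += 0..4  | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddMinutes(12 * $_); User = 'CONTOSO\bob' } }
Find-MassDeletion -Events $sample
# Find-MassDeletion -Events @(Get-DeleteEvent)   # same check against the live log
```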

Method 3: Use file server features for SMB environments

This step leverages native server management tools to provide deeper control over data access and storage behavior.

📌 Use Case: An IT administrator manages multiple shared folders across departments hosted on a central Windows file server. To prevent storage misuse, the administrator implements File Server Resource Manager (FSRM) quotas and access reports to maintain visibility and enforce compliance.

Leverage FSRM

Use FSRM quotas to:

  • Limit data stored in specific directories
  • Trigger email notifications or scripts when users approach storage limits

You can also enable File Screening Management to prevent certain file types from being saved in restricted locations.

Apply permissions auditing for shared drives

Use Access-Based Enumeration (ABE) and the Advanced Security Settings on shared folders to ensure only authorized users can access specific directories. These audits confirm that access rights align with organizational policies, reducing the risk of privilege creep.

Regularly review access reports

Configure Storage Reports Management within FSRM to generate:

  • Access reports
  • Duplicate file and quota usage reports

Review reports periodically to identify unusual access patterns or large file transfers that could indicate misuse.

Method 4: Standardize auditing policies across clients

This step standardizes auditing policies to ensure organizations can monitor critical data using the same rules.

📌 Use Case: An MSP oversees dozens of client environments, each with varying configurations. To maintain consistent oversight and compliance, the MSP creates a baseline file access auditing policy that is applied across all clients.

Use PowerShell to define a standard audit setting for all client systems. To do so, follow the steps below:

  1. Press Win, type PowerShell, then click Run as administrator.
  2. Copy and paste the following script into the prompt, then press Enter:
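# Enable Object Access Auditing
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Set log size and retention policy
# /ms takes bytes (minimum 1048576); 524288000 bytes = 512000 KB
# /rt:true retains existing events when the log is full and discards new ones,
# so forward or archive the log before it fills
wevtutil sl Security /ms:524288000 /rt:true

# Verify configuration
auditpol /get /category:*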

  3. Identify the folders that hold high-value data, which you should monitor continuously:
    • Finance records
    • HR or employee data
    • Legal and compliance documentation
    • Client and project files
  4. Right-click the folder → Properties → Security → Advanced → Auditing → Add
  5. Choose the Users or Groups to audit, then pick the Actions to Audit:
    • Read
    • Write
    • Delete
    • Change Permissions

💡 Note: For large-scale environments, you can automate the folder definition by using the following PowerShell script:

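# Example: Add auditing to a folder
$folder = "C:\Finance"

# -Audit loads the folder's existing audit entries (SACL); requires an elevated session
$acl = Get-Acl $folder -Audit

# Inherit the rule to subfolders and files so access to the folder's contents is audited too
$audit = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone","FullControl","ContainerInherit,ObjectInherit","None","Success,Failure")

$acl.AddAuditRule($audit)
Set-Acl $folder $acl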

Method 5: Communicate findings to clients

This step translates technical audit data into client-friendly summaries to help demonstrate the value of monitoring efforts.

📌 Use Case: An MSP delivers monthly compliance reports to clients. Instead of sending dense event logs filled with Event IDs like 4663 and 4660, the MSP summarizes them into plain-language highlights.

  • Translate technical logs into client-friendly summaries.
  • Highlight successful detections and blocked attempts.
  • Demonstrate how auditing reduces compliance and insider risk.

Verification

Once file access auditing is in place, it’s essential to verify that logs are collected, forwarded, and reviewed correctly.

Validate event collection and forwarding

Ensure file access events are recorded in the Windows Security Event Log and periodically test the forwarding configuration by generating sample access events and confirming they appear in the centralized dashboard. This process ensures no data loss between endpoints and the monitoring system.
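One way to generate a sample access event and confirm it was recorded locally is shown below, as an added example rather than code from the original article. The function name, the canary file name, and the wait time are assumptions. Run it elevated on the file server against the local path of an audited folder, then search the central dashboard for the same canary name to confirm forwarding.

```powershell
# Added example (not from the original article): prove that an audited folder
# really produces Event ID 4663 by creating and deleting a canary file.
function Test-FolderAuditing {
    param(
        [Parameter(Mandatory)] [string] $Folder,   # local path, e.g. the article's C:\Finance
        [int] $WaitSeconds = 5                     # assumption: time allowed for the event to be written
    )
    # 1. Policy: capture the effective setting of the File System subcategory.
    #    The text is localized, so it is returned for review rather than parsed.
    $policy = (auditpol /get /subcategory:"File System") -join "`n"

    # 2. SACL: count the audit entries on the folder, explicit and inherited.
    $acl   = Get-Acl -Path $Folder -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])

    # 3. Generate a known event with a uniquely named canary file.
    $leaf   = 'audit-canary-{0}.txt' -f [guid]::NewGuid()
    $canary = Join-Path $Folder $leaf
    $start  = Get-Date
    Set-Content -Path $canary -Value 'audit test'
    Remove-Item -Path $canary
    Start-Sleep -Seconds $WaitSeconds

    # 4. Look for 4663 events whose ObjectName field ends with the canary name.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $start }
    $hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Where-Object {
        $name = ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'ObjectName'
        $name.'#text' -like "*\$leaf"
    })

    [pscustomobject]@{
        Folder       = $Folder
        CanaryName   = $leaf            # search for this name in the central dashboard
        AuditRules   = $rules.Count
        EventsFound  = $hits.Count
        Passed       = ($rules.Count -gt 0 -and $hits.Count -gt 0)
        PolicyOutput = $policy
    }
}

Test-FolderAuditing -Folder 'C:\Finance'
```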

Ensure audit trails meet compliance and SLA standards

Compare collected log details against client or regulatory requirements. Confirm that logs include:

  • User identity
  • Timestamp
  • Action type
  • Resource details

Regular compliance audits should cross-check this data to ensure records are secured.

Generate regular access reports

Schedule monthly or quarterly reports summarizing legitimate and suspicious activity. Deliver reports with summaries and visuals, while retaining logs for auditors or IT analysts.

Additional considerations

  • Noise management: Too much auditing can overwhelm logs, so it’s best to focus on sensitive data.
  • Storage impact: Log retention may need dedicated storage for compliance.
  • User awareness: Let employees know that activity is monitored to reduce insider risks.

Troubleshooting common file access auditing issues on shared drives

Address common issues to ensure auditing remains accurate, efficient, and compliant.

No access events logged

Confirm that Audit Object Access is enabled in Group Policy. To do so, navigate the following paths:

  • Audit Policy:
    • Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit Object Access
  • Advanced Audit Policy:
    • Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → File System

Ensure auditing is enabled for Success and Failure events.

Excessive false positives

Too many irrelevant logs can obscure risks. Refine the auditing configuration by focusing on sensitive folders.

NinjaOne services that help audit file access on shared drives

NinjaOne can document, automate, monitor, and report to make it easier for MSPs to audit file access on shared drives without EDR tools.

Documentation

NinjaOne’s documentation feature allows for securely stored credentials, procedures, and environmental details. You can also use documentation templates and checklists to organize and secure IT-specific information properly.

Automation

The task feature enables tasks to be set to recur at specific intervals. You can schedule tasks to run every number of hours, daily, weekly, or monthly.

Monitoring

NinjaOne has robust alert and monitoring capabilities. You can customize alerts for critical stage changes.

Reporting

NinjaOne’s comprehensive reporting features include customizable report cover pages, downloadable PDF reports, shareable reports with configurable permissions, and more.

Detect data losses by auditing file access on shared drives

While EDR tools help with file access auditing, they aren’t required. You can leverage native Windows features and standardize policies to deliver meaningful visibility, reduce compliance risks, and strengthen client trust.
