Monitoring a file or folder for NTFS permissions changes

I recently had the need to monitor NTFS permission changes on a particular folder on a 2003 server, in more or less real-time.

My first thought was to do so with Windows auditing, but auditing a file or folder for change of permissions results in an event ID 560. This is a very common event, so to be alerted to this in real time, it seemed to be necessary to use an app which would look into the detail of the event, and notify only if necessary.

I tried a couple of apps, but running through the event log for specific detail seems quite processor intensive, and would lead to long CPU spikes.

I thought I’d take a different approach, using a batch file and BMAIL, which seems to work well enough, and is free.

If anyone finds this useful, here was my approach:

Firstly create a folder to store your stuff…. we’ll call it c:\myfolder
Download bmail from here: http://www.beyondlogic.org/solutions/cmdlinemail/cmdlinemail.htm
and stick the bmail.exe in c:\myfolder

We’ll assume the folder to be monitored is c:\private

run:
CACLS c:\private > c:\myfolder\original.txt

This creates a snapshot text document containing the current permissions on that folder. (This will need to be redone if the permissions are changed purposely.)

Next up create a batch file (mybat.bat) in your c:\myfolder

@echo off
REM if a comparison txt file exists, delete it silently
del /q c:\myfolder\new.txt 2>nul

REM create a new file to compare to original file
REM (same path as the snapshot, because CACLS prints the path in its output)
cacls c:\private > c:\myfolder\new.txt

REM Compare the original & comparison file
fc c:\myfolder\new.txt c:\myfolder\original.txt | FIND "FC: no dif" > nul

REM If it hasn't changed, skip the next section
IF NOT ERRORLEVEL 1 goto notchanged

REM If it has changed, call bmail and tell it to email me about it.
:changed
echo yup it changed
c:\myfolder\bmail -s my.emailserver.local -p 25 -t me@myemail.com -f alert@domain.com -a "Permissions changed - check event 560"
GOTO END

:notchanged
echo no it didnt
REM echo messages are just for testing purposes.

:END

The next step was just to schedule this to run every 5 minutes. The processor hit is negligible, and then (assuming you have turned on file auditing for that folder) you can look in Event Viewer to get the detail.
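
The batch file only reports that something changed. As an added example (not part of the original post), this Python script diffs two CACLS snapshots such as original.txt and new.txt and lists which ACEs were added or removed, ignoring line order. The snapshot contents and the EXAMPLE\finance group are constructed for illustration.

```python
"""Diff two CACLS snapshots (added example, not the post's own code)."""

# Constructed sample snapshots in the layout CACLS prints: the path precedes
# the first ACE, later ACEs are indented, special rights span extra lines.
BASELINE = r"""c:\private BUILTIN\Administrators:(OI)(CI)F
           NT AUTHORITY\SYSTEM:(OI)(CI)F
           EXAMPLE\finance:(OI)(CI)C
"""
CURRENT = r"""c:\private BUILTIN\Administrators:(OI)(CI)F
           EXAMPLE\finance:(OI)(CI)R
           NT AUTHORITY\SYSTEM:(OI)(CI)F
           Everyone:(CI)(special access:)
                    FILE_APPEND_DATA
"""


def parse_cacls(text, path):
    """Return a set of (identity, rights) tuples from CACLS output for path."""
    entries = []
    for n, line in enumerate(text.splitlines()):
        line = line.strip()
        # The first line starts with the path as typed; drop it so the drive
        # letter's colon is not mistaken for the identity/rights separator.
        if n == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        if not line:
            continue
        ident, sep, rights = line.partition(":")
        if sep:
            entries.append([ident, rights])    # a new ACE
        elif entries:
            entries[-1][1] += " " + line       # continuation of special rights
    return {(ident, rights) for ident, rights in entries}


def diff_acls(old, new, path):
    """Return (added, removed) ACE lists; ordering of lines is ignored."""
    before, after = parse_cacls(old, path), parse_cacls(new, path)
    return sorted(after - before), sorted(before - after)


def report(old, new, path):
    """Build alert text naming each ACE that differs from the baseline."""
    added, removed = diff_acls(old, new, path)
    lines = ["ADDED   %s:%s" % ace for ace in added]
    lines += ["REMOVED %s:%s" % ace for ace in removed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, CURRENT, r"c:\private") or "no change")
```
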
