The File Monitoring (System Health) and File Access Tracking (Security & Compliance) features are easy to confuse, since both monitor file changes. The two features are quite different, however, and solve different problems. The comparison table below outlines the key differences between them:
Comparison Overview
Feature | File Monitoring | File Access Tracking
--- | --- | ---
Can generate alerts, trigger actions | Yes | No
Requires NTFS auditing to be enabled on monitored folder(s) | No | Yes
Captures username who accessed and/or modified file | No | Yes
Can capture calling process that accessed and/or modified file | No | Yes, depending on source
Can capture source computer from which file was accessed and/or modified | No | Yes
Monitors checksums | Yes | Yes
Can monitor read access | No | Yes
Detailed Comparison
System Health -> File Monitoring
This feature monitors files in one or more designated directories, either in real time or at scheduled intervals. File Monitoring was designed with both security (integrity checks) and system automation in mind, and is primarily intended to issue alerts or trigger actions when a file change is detected.
From a security standpoint, File Monitoring ensures that selected files (e.g. executables in the SYSTEM32 directory, credit card transaction logs and so forth) are not changed, and that any change that does occur is logged and, optionally, triggers an alert.
From a system administrator standpoint, it can help automate many tasks that are triggered by file changes in a directory. For example, a directory can be monitored and any file added to it can be automatically compressed by a process action, or a list of users can be notified that a file has been added. Since file changes can be linked directly to a process action, what can be done is limited only by the process or batch file itself.
One distinct advantage of the File Monitoring feature is that it does not require any additional configuration steps on the OS. Once File Monitoring is configured and the configuration has been pushed, it takes effect immediately.
Security & Compliance -> File Access Tracking
Security & Compliance intercepts the "Object Access" security events that the operating system generates when auditing has been enabled on a file and/or directory. This feature was designed to monitor directories that contain confidential or security-sensitive data, and to provide advanced reporting that can be used to satisfy both security and compliance-related demands.
While File Access Tracking cannot generate any type of alert or trigger actions, it does include more information about the file changes themselves. The key advantage is that File Access Tracking can often let you know who made changes to a file, and from where.
For example, depending on the source of the file change, the tracking information may include the calling process as well as the source computer.
Because of key architectural differences in pre-Vista operating systems, Windows Vista and Windows Server 2008 are the preferred platforms for this feature, though earlier operating systems are fully supported as well.
Keep in mind that File Access Tracking requires that NTFS auditing be enabled on every folder that is to be monitored; see File Access Tracking Prerequisites for more information.
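The OS-side prerequisite described above, as an added example (not EventSentry's own code): enable the Object Access audit policy and attach an audit rule (SACL) to a constructed sample folder, then confirm that the resulting events carry the user and calling process that File Access Tracking reports. It assumes Windows Vista / Server 2008 or later, an elevated session, and the folder path `D:\Confidential` and the `Everyone` identity as illustrative choices.

```powershell
# Added example, not part of the product documentation. Assumes an elevated
# PowerShell session on a Vista/2008+ file server; $folder is a constructed path.
$folder = 'D:\Confidential'

# 1. Enable the "File System" subcategory of Object Access auditing. Without this
#    policy the SACL below is ignored and no events are written.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry to the folder itself. The policy alone produces nothing;
#    every folder that is to be tracked needs its own audit rule.
$acl       = Get-Acl -Path $folder -Audit
$rights    = [System.Security.AccessControl.FileSystemRights] `
             'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes'
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', $rights, $inherit, $propagate, $flags
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify the rule is in place ...
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# ... and that 4663 ("An attempt was made to access an object") events arrive in the
# Security log. Properties[1] is the subject account, [6] the object path and
# [11] the calling process, the fields File Access Tracking surfaces.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 5 |
    Select-Object TimeCreated,
        @{ n = 'User';    e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Process'; e = { $_.Properties[11].Value } }
```

Audit rules that cover read access generate high event volume on busy shares; scope the rights and the identity to what actually needs tracking.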