Windows Server 2008 R2 File Copy Auditing

windows-server-2008-r2

I'm looking for a way, either natively or through third-party tools, to monitor when a file is copied from a Windows 2008 server share to another destination.

My environment is a virtual desktop infrastructure on which I have a Windows 2008 R2 DC/File server with Windows shares. Also on the VDI are virtual Windows 7 computers which users log into via RDP through a gateway-to-gateway VPN tunnel. All files are supposed to remain on the VDI, but I need to know when a user copies files from the shares to another computer (either one of the virtual machines or, more importantly, a local computer from which they are working).

Best Answer

First enable appropriate auditing and then interpret the event logs. All file operations consist of multiple low-level events, and it's those low-level events that get logged.

A copy is therefore not a single event but a sequence of events, starting with a file open and ending with a file close, for both source and destination. There can be any number of reads or writes in between and, just to make things more difficult for us humans, there may be unrelated log entries interspersed between them.

The only real way to extract this kind of information is with a script or program which can read the logs using stateful inspection. It's important to note that if, at the very least, either the file open or the file close didn't occur for both source and destination, then the copy didn't occur, although it may indicate a failed attempt to copy.
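The stateful inspection described above, as an added example that is not part of the original answer: it walks handle-opened (4656), access (4663) and handle-closed (4658) object-access events, assumed already exported from the Security log into plain records with the field names used below, and pairs a handle that was read with one that was written by the same process. It also assumes the events from the file server and from the destination machine have been merged into one stream, since the share server alone only records the read side of a copy to a local PC.

```python
"""Correlate Windows object-access audit events into copy candidates (constructed input)."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

READ_DATA, WRITE_DATA = 0x1, 0x2   # ACCESS_MASK bits reported in 4663 events

@dataclass
class AuditEvent:                  # fields as exported from the Security log (names are ours)
    event_id: int                  # 4656 handle opened, 4663 access attempted, 4658 handle closed
    user: str                      # Subject account name
    pid: int                       # Process ID
    handle: str                    # Handle ID, unique within the process while open
    path: str                      # Object Name
    access_mask: int = 0           # only meaningful on 4663

def same_name(a, b):
    return ntpath.basename(a).lower() == ntpath.basename(b).lower()

def find_copies(events):
    """Return (copies, incomplete). A copy is two handles closed by one process, one read and
    one written, same file name, different location (a heuristic); incomplete = never closed."""
    live = {}                       # (pid, handle) -> {"user", "path", "mask"}
    done = defaultdict(list)        # pid -> handles already closed
    copies = []
    for ev in events:
        key = (ev.pid, ev.handle)
        if ev.event_id == 4656:
            live[key] = {"user": ev.user, "path": ev.path, "mask": 0}
        elif ev.event_id == 4663 and key in live:
            live[key]["mask"] |= ev.access_mask    # accumulate reads/writes per handle
        elif ev.event_id == 4658 and key in live:
            closed = live.pop(key)
            for other in done[ev.pid]:
                src, dst = sorted((closed, other), key=lambda h: h["mask"] & WRITE_DATA)
                if (src["mask"] & READ_DATA and dst["mask"] & WRITE_DATA
                        and src["path"] != dst["path"] and same_name(src["path"], dst["path"])):
                    copies.append((dst["user"], src["path"], dst["path"]))
            done[ev.pid].append(closed)
    return copies, [(h["user"], h["path"]) for h in live.values()]

# Constructed sample: alice copies plan.docx from the share to her desktop; an unrelated
# open by bob is interleaved and never closed (the failed-attempt case mentioned above).
SAMPLE = [
    AuditEvent(4656, "alice", 1234, "0x1a0", r"\\FS01\Projects\plan.docx"),
    AuditEvent(4663, "alice", 1234, "0x1a0", r"\\FS01\Projects\plan.docx", READ_DATA),
    AuditEvent(4656, "bob", 777, "0x2c8", r"\\FS01\Projects\notes.txt"),
    AuditEvent(4656, "alice", 1234, "0x1b4", r"C:\Users\alice\Desktop\plan.docx"),
    AuditEvent(4663, "alice", 1234, "0x1b4", r"C:\Users\alice\Desktop\plan.docx", WRITE_DATA),
    AuditEvent(4658, "alice", 1234, "0x1a0", r"\\FS01\Projects\plan.docx"),
    AuditEvent(4658, "alice", 1234, "0x1b4", r"C:\Users\alice\Desktop\plan.docx"),
]
```

Matching on file name is only a heuristic; a rename-on-copy or a tool that streams through a temporary file needs a looser pairing rule, such as any read handle closed by the same process within a short window.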