To totally unlock this section you need to Log-in
Login
Until Windows Server 2008, there were no specific events for file shares. But in Windows Server 2008 and later, there are two new subcategories for share related events:
- File Share
- Detailed File Share
File Share Events
This subcategory allows you to track the creation, modification and deletion of shared folders (see table below). You have a different event ID for each of those three operations. The events indicate who made the change in the Subject fields, and provides the name the share users see when browsing the network and the patch to the file system folder made available by the share. See the example of event ID 5142 below.
A network share object was added.
Subject: Security ID: W8R2\wsmith Account Name: wsmith Account Domain: W8R2 Logon ID: 0x475b7
Share Information: Share Name: \\*\AcmeAccounting Share Path: C:\AcmeAccounting
The bad news is that the subcategory also produces event ID 5140 every time a user connects to a share. The data logged, including who accessed it, and their client IP address is nice, but the event is logged much too frequently.
Since Windows doesn’t keep network logon sessions active if no files are held open, you will tend to see this event frequently if you enable the “File Share” audit subcategory. There is no way to configure Windows to produce just the share change events and not this access event as well.
- 5140: A network share object was accessed.
- 5142: A network share object was added.
- 5143: A network share object was modified.
- 5144: A network share object was deleted.
Detailed File Share Events
Event ID 5140, as discussed above, is intended to document each connection to a network share, and as such it does not log the names of the files accessed through that share connection. The Detailed File Share audit subcategory provides this lower level of information with just one event ID – 5145 – which is shown below:
A network share object was checked to see whether client can be granted desired access.
Subject: Security ID: SYSTEM Account Name: WIN-KOSWZXC03L0$ Account Domain: W8R2 Logon ID: 0x86d584
Network Information: Object Type: File Source Address: fe80::507a:5bf7:2a72:c046 Source Port: 55490
Share Information: Share Name: \\*\SYSVOL Share Path: \??\C:\Windows\SYSVOL\sysvol Relative Target Name: w8r2.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\Machine\Microsoft\Windows NT\Audit\audit.csv
Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes
Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;WD) ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;WD) ReadEA: Granted by D:(A;;0x1200a9;;;WD) ReadAttributes: Granted by D:(A;;0x1200a9;;;WD)
This event tells identifies the user (Subject fields), the user’s IP address (Network Information), the share, and the actual file accessed via the share (Share Information) and then provides the permissions requested and the results of the access request. This event actually logs the access attempt and allows you to see failure versions of the event as well as success events.
Be careful about enabling this audit subcategory because you will get an event for every file accessed through network shares each time the application opens the file. This can be more frequent than imagined for some applications like Microsoft Office.
Conversely, remember that this category won’t catch access attempts on the same files if a locally executing application accesses the file via the local patch (e.g. c:\docs\file.txt) instead of via a patch.
You might also want to consider enabling auditing on individual folders containing critical files and using the File System subcategory. This method allows you to be much more selective about who, which files and what types of access are audited.
For most organizations, enable the File Share subcategory if it’s important to you to know when new folders are shared. You will probably want to filter out the 5140 occurrences.
Then, if you have file level audit needs, turn on the File Access subcategory, identify the exact folders containing the relevant files and enable auditing on those folders for the specific operations (e.g. Read, Write, Delete) needed to meet your audit requirements. Don’t enable the Detailed File Share audit subcategory unless you really want events for every access to every file via network shares.
Enable Audit Policy
Create a Group Policy Object and name it something to the effect of File Server Audit Policy.
We will use the Advanced Audit Policy Configuration section from now on for greater control of what we will audit on our systems: audit policy settings under Security Settings\Advanced Audit Policy Configuration are available in the following categories:
- Account Logon
- Account Management
- Detailed Tracking
- DS Access
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System
- Global Object Access Auditing
Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings:
The settings below are from the Member Server Security Compliance baseline of the Security Compliance Manager (SCM) - (http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx) with the exception of Object Access: File System which is Enabled for Success:
Server Security Compliance:
AUDIT POLICY | VALUE |
Account Logon: Credential Validation | Success and Failure |
Account Logon: Kerberos Authentication Service | No Auditing |
Account Logon: Kerberos Service Ticket Operations | No Auditing |
Account Logon: Other Account Logon Events | No Auditing |
Account Management: Application Group Management | No Auditing |
Account Management: Computer Account Management | Success |
Account Management: Distribution Group Management | No Auditing |
Account Management: Other Account Management Events | Success and Failure |
Account Management: Security Group Management | Success and Failure |
Account Management: User Account Management | Success and Failure |
Detailed Tracking: DPAPI Activity | No Auditing |
Detailed Tracking: Process Creation | Success |
Detailed Tracking: Process Termination | No Auditing |
Detailed Tracking: RPC Events | No Auditing |
DS Access: Detailed Directory Service Replication | No Auditing |
DS Access: Directory Service Access | No Auditing |
DS Access: Directory Service Changes | No Auditing |
DS Access: Directory Service Replication | No Auditing |
Logon-Logoff: Account Lockout | No Auditing |
Logon-Logoff: IPsec Extended Mode | No Auditing |
Logon-Logoff: IPsec Main Mode | No Auditing |
Logon-Logoff: IPsec Quick Mode | No Auditing |
Logon-Logoff: Logoff | Success |
Logon-Logoff: Logon | Success and Failure |
Logon-Logoff: Network Policy Server | No Auditing |
Logon-Logoff: Other Logon/Logoff Events | No Auditing |
Logon-Logoff: Special Logon | Success |
Object Access: Application Generated | No Auditing |
Object Access: Certification Services | No Auditing |
Object Access: Detailed File Share | No Auditing |
Object Access: File Share | No Auditing |
Object Access: File System | Success |
Object Access: Filtering Platform Connection | No Auditing |
Object Access: Filtering Platform Packet Drop | No Auditing |
Object Access: Handle Manipulation | No Auditing |
Object Access: Kernel Object | No Auditing |
Object Access: Other Object Access Events | No Auditing |
Object Access: Registry | No Auditing |
Object Access: SAM | No Auditing |
Policy Change: Audit Policy Change | Success and Failure |
Policy Change: Authentication Policy Change | Success |
Policy Change: Authorization Policy Change | No Auditing |
Policy Change: Filtering Platform Policy Change | No Auditing |
Policy Change: MPSSVC Rule-Level Policy Change | No Auditing |
Policy Change: Other Policy Change Events | No Auditing |
Privilege Use: Non Sensitive Privilege Use | No Auditing |
Privilege Use: Other Privilege Use Events | No Auditing |
Privilege Use: Sensitive Privilege Use | Success and Failure |
System: IPsec Driver | Success and Failure |
System: Other System Events | No Auditing |
System: Security State Change | Success and Failure |
System: Security System Extension | Success and Failure |
System: System Integrity | Success and Failure |
Also remember to set the following settings, as well under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:
- Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Enabled.
- Audit: Shut down system immediately if unable to log security audits to Disabled.
Event Log Size
You may need to increase the size of the Security event log to accommodate the new events generated configure the following group policy settings. This can be done with the policy setting Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security - Maximum Log Size (KB). For maximum supported sizes see http://support.microsoft.com/kb/957662.
Note: if you wish to archive old events, set Retain old events to Enabled and Backup log automatically when full to Enabled. By doing so, the event log file is automatically closed and renamed when it is full and a new file is then started. If you do not wish to retain old events, set Retain old events to Disabled.
Description Fields in 5140
Subject:
The user and logon session that accessed the share.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Network Information:
- Source Address: IP Address of the client computer where the user initiated the access.
- Source Port: source TCP port of the connection - not useful.
Share Name:
The name of the share.
Description Fields in 5142
Subject:
- Security ID: The security ID of the user that added the share (If available, Active Directory is queried and the Domain\Account Name is displayed rather than the SID).
- Account Name: The user that added the share.
- Account Domain: Domain of the user that added the share.
- Logon ID: ID for the session of the user that added the share.
Share Information:
Share Name: the public name of the share.
Share Path: the UNC path of the share.
Description Fields in 5144
A network share has been deleted.
Subject:
Share Information:
Share Name: the public name of the share.
Share Path: the UNC path of the share.
Enabling File and Folder Auditing
In order to track file and folder access on Windows Server it is necessary to enable file and folder auditing and then identify the files and folders that are to be audited. Once correctly configured, the server security logs will then contain information about attempts to access or otherwise manipulate the designated files and folders. It is important to note that file and folder auditing is only available for NTFS volumes.
File and folder auditing is enabled and disabled using either Group Policy (for auditing domains, sites and organizational units) or local security policy (for single servers). To enable file and folder auditing for a single server, select Start -> All Programs -> Administrative Tools -> Local Security Policy. In the Local Security Policy tool, expand the Local Policies branch of the tree and select Audit Policy.
Double click on the Audit Object Access item in the list to display the corresponding properties page and choose whether successful, failed, or both types of access to files or folders may be audited:
Once the settings are configured click on Apply to commit the changes and then OK to close the properties dialog. With file and folder auditing enabled the next task is to select which files and folders are to be audited.
Configuring which Files and Folders are to be Audited
Once file and folder access auditing has been enabled the next step is to configure which files and folders are to be audited. As with permissions, auditing settings are inherited unless otherwise specified. By default, configuring auditing on a folder will result in access to all child subfolders and files also being audited. Just as with inherited permissions, the inheritance of auditing settings can be tuned off for either all, or individual files and folders.
To configure auditing for a specific file or folder begin by right clicking on it in Windows Explorer and selecting Properties. In the properties dialog, select the Security tab and click on Advanced. In the Advanced Security Settings dialog select the Auditing tab. Auditing requires elevated privileges.
If not already logged in as an administrator click the Continue button to elevate privileges for the current task. At this point, the Auditing dialog will display the Auditing entries list containing any users and groups for which auditing has been enabled as shown below:
To add new users or groups whose access attempts to the select file or folder are to be audited click on the Add... button to access the Select User or Group dialog. Enter the names of groups or users to audit, or Everyone to audit access attempts by all users. Click on OK to display the Auditing Entries for dialog as illustrated below:
Use the drop down list to control whether the auditing setting is to be applied to the current file or folder, or whether it should propagate down to all children files and/or sub-folders.
Finally, select which types of access are to be audited and, for each type, whether successful, failed or both kinds of attempt are to be audited. Once configured, click on OK to dismiss current dialog and then Apply the new auditing settings in the Auditing Entries dialog.
From this point on, access attempts on the selected file or folder by the specified users and groups of the types specified will be recorded in the server's Security logs which may be accessed using the Events Viewer, accessible from Computer Management.
Auditing File Shares (Windows Security Log) – Let’s see how to enable file (object) auditing on internal file servers and other member servers to keep an eye on which files and folders are accessed or modified. – http://heelpbook.altervista.org/2017/auditing-file-shares-security-log/.