auditing file share on windows 2008 R2

    Question


  • I think I may need a little handholding here. I have been working with our new Windows 2008 R2 file server. I am having a problem doing some simple file level auditing.

    I turned on Audit Object Access in the local policy. The GPO that applies to this server does not have it set and I only really need it enabled on this server. I have it auditing success and Failure.

    After I did that I got deluged with Event ID: 5145. I went to each folder and made sure that I had auditing turned off for each folder and file. I did that to see if it would quiet down the logs a little. It did not. I am currently getting about 1500 events of 5145 every second. They all say “A network share object was checked to see whether client can be granted desired access”

    Most of the details look like this:

    - System
      - Provider
       [ Name]  Microsoft-Windows-Security-Auditing
       [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
       EventID 5145
    Version 0
    Level 0
       Task 12811
       Opcode 0
       Keywords 0x8020000000000000
      - TimeCreated
      [ SystemTime]  2009-10-21T17:27:06.988998000Z
       EventRecordID 4035441
       Correlation
      - Execution
      [ ProcessID]  528
      [ ThreadID]  544
       Channel Security
       Computer XXXXX-File.XXXXX.com
       Security
    - EventData
      SubjectUserSid S-1-5-21-619530815-2141852887-1629300891-2071
      SubjectUserName SteveW
      SubjectDomainName XXXXXXXXXX
      SubjectLogonId 0x223b087c
      ObjectType File
      IpAddress 10.2.50.88
      IpPort 1087
      ShareName \\*\users
      ShareLocalPath \??\E:\shares\users
      RelativeTargetName \
      AccessMask 0x1
      AccessList %%4416 
      AccessReason %%4416: %%1801 D:(A;OICI;FA;;;WD) 


    All I am trying to keep track of at this point is logon and logoff events AND files and folders being deleted.

    If I have put this into the wrong folder please let me know.

    • Edited by Matt K1 Wednesday, October 21, 2009 5:44 PM bad formatting
    Wednesday, October 21, 2009 5:40 PM

Answers

  • try this:

    auditpol /get /category:"Object Access"

    you will see the actual subcategories of the granular auditing. Starting with Vista/2k8, you have the ability to granularly configure each auditing class (normally enabled/disabled as a whole in the policy) for each subcategory.

    Starting with Vista, there is this new auditing for File Share which generates the audit records every time someone accesses the share, whatever the NTFS auditing is, because for NTFS auditing there is another subcategory called File System.

    Starting with 7/2k8R2, you can also configure this by using Local Security Policy (or even a GPO edited from 2k8R2/7); there is a new node called Advanced Audit Policy Configuration.

    o.

    • Marked as answer by Matt K1 Thursday, October 22, 2009 4:13 PM
    Thursday, October 22, 2009 2:20 PM
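The subcategory reconfiguration the answer describes, as an added example (not code from the thread), run from an elevated PowerShell prompt on the file server. The 5145 events in the question belong to the "Detailed File Share" subcategory (the "File Share" subcategory produces 5140), so both are disabled here; the subcategory names are the English-locale names that auditpol prints. The registry check at the end is the "Audit: Force audit policy subcategory settings ... to override audit policy category settings" security option, which is what the warning about mixing the legacy and advanced policies refers to.

```powershell
# Added example: trim Object Access auditing down to NTFS (SACL) auditing only.
# Requires an elevated prompt; auditpol.exe ships with Windows Vista/2008 and later.

# 1. Show the current per-subcategory state. With the legacy "Audit object access"
#    category enabled, every subcategory below reports "Success and Failure".
auditpol /get /category:"Object Access"

# 2. Turn off the share-level subcategories. 5145 comes from "Detailed File Share";
#    "File Share" produces the related 5140 and is disabled as well.
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable
auditpol /set /subcategory:"File Share"          /success:disable /failure:disable

# 3. Keep only the NTFS subcategory, which produces 4663 (access) and 4660 (deleted)
#    for objects that carry a SACL.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Logon/logoff tracking, also requested in the question, lives in the Logon/Logoff
#    category, not under Object Access.
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# 5. Check that subcategory settings are allowed to override the legacy category
#    settings; a value of 1 means the advanced (subcategory) policy wins.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
             -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($override -ne 1) {
    Write-Warning 'Legacy category policy can still overwrite these subcategory settings at the next policy refresh.'
}

# 6. Verify the result.
auditpol /get /category:"Object Access"
```

If a domain GPO later sets the legacy "Audit object access" category on this server, it re-enables every subcategory at once; the override value above (or the equivalent Security Options setting in a GPO) prevents that, and a policy refresh is the usual reason the 5145 flood comes back after it was fixed locally.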

All replies

  • It's in fact File Share Access auditing. More in a second....
    Thursday, October 22, 2009 2:16 PM
  • OK, so if I understand correctly I should be able to go into Advanced Audit Policy and then Object Access and turn off the file share audit. By default they are set to Not Configured, but when I ran the command you provided it appears that they are all being audited. My other question is that I think I saw a warning not to have both set at the same time, meaning don't use the base audit policy and then also use the advanced audit policy at the same time. Maybe I read that wrong though.
    Thursday, October 22, 2009 3:43 PM
  • Correct. When you enable the old auditing, you are enabling all the subcategories together. You need to use the Advanced Auditing or AUDITPOL to configure the subcategories individually.

    o.
    Thursday, October 22, 2009 3:53 PM
  • I made changes to Advanced Audit Policy > Object Access so that only File System is selected for Success and Failure. I have set up auditing on a test folder to audit Delete and Delete subfolders and files, Successful or Failed.
    When I do delete these files I only seem to get Event ID 4663 (object was accessed) and 4660 (object was deleted). So I am getting what I need. Event ID 4663 tells me the user name, object and type of access!!!

    Thank you for your help!
    • Proposed as answer by PhoenixUA Thursday, November 08, 2012 7:39 PM
    Thursday, October 22, 2009 4:13 PM
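The SACL setup and the event readback from the post above, as an added example that is not the poster's code. It also addresses the later remark in the thread that the events do not name the deleted file: 4660 carries only a HandleId, while the 4663 recorded when the handle was opened with DELETE access carries ObjectName, so the two are joined on HandleId and SubjectLogonId. The folder path is an assumption; the syntax is kept compatible with the PowerShell 2.0 that ships with 2008 R2.

```powershell
# Added example: audit deletions under one folder and list who deleted which path.
# Assumes the File System subcategory is enabled and the prompt is elevated.
$Folder = 'E:\shares\users\test'   # assumed test folder; substitute your own

# 1. Add a SACL entry: Delete + Delete subfolders and files, Success and Failure,
#    for Everyone, inherited by every file and subfolder below $Folder.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Helper: pull one <Data Name="..."> value out of an event's XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 2. Read the last hour of 4663/4660 events, oldest first, so that each handle's
#    open (4663) is seen before its deletion (4660).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $since } |
          Sort-Object TimeCreated, RecordId

# 3. Track handles opened with DELETE (0x10000) or Delete-subfolders-and-files (0x40)
#    access, keyed by logon session + handle, since handle values are recycled.
$open = @{}
foreach ($e in $events) {
    $key = (Get-EventField $e 'SubjectLogonId') + '|' + (Get-EventField $e 'HandleId')
    if ($e.Id -eq 4663) {
        $mask = [Convert]::ToInt64((Get-EventField $e 'AccessMask'), 16)
        if ($mask -band 0x10040) { $open[$key] = $e }
    }
    elseif ($e.Id -eq 4660) {
        $path = if ($open.ContainsKey($key)) { Get-EventField $open[$key] 'ObjectName' } else { '(no matching 4663)' }
        $open.Remove($key)
        New-Object PSObject -Property @{
            Time   = $e.TimeCreated
            User   = (Get-EventField $e 'SubjectDomainName') + '\' + (Get-EventField $e 'SubjectUserName')
            Path   = $path
            Handle = Get-EventField $e 'HandleId'
        }
    }
} | Format-Table Time, User, Path, Handle -AutoSize
```

Deletes performed over SMB are attributed to the mapped user's logon session, so SubjectLogonId is the same on both events of a pair. A 4660 with no matching 4663 usually means the 4663 fell outside the time window or the object's SACL audits Delete on the parent only, so the open was recorded against a different path than expected.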
  • I just wanted to thank you guys from the bottom of my heart, for this thread just solved the issue that has been driving me crazy for the last 2 weeks!

    Great piece of info, thank you again!


    Tuesday, October 19, 2010 3:55 PM
  • Thanks for this thread... I had tried to tweak this and upped the security log max to 100MB and it was still filling up every day now I am just getting the "delete" flags audited that I want.
    Thursday, February 16, 2012 4:45 PM
  • Another thankful reader here! I was getting the log filled up with Event ID 5145, but after clearing audit settings and enabling only "File System", I get Event ID 4660 and 4663 to track deleted files. Perfect!!
    Monday, February 20, 2012 6:29 PM
  • Exactly what I was after! Thanks

    Thursday, May 10, 2012 12:32 PM
  • How about audit not running in the 3rd sub-folder?

    Wednesday, June 13, 2012 5:37 PM
  • Another thankful reader here! I was getting the log filled up with Event ID 5145, but after clearing audit settings and enabling only "File System", I get Event ID 4660 and 4663 to track deleted files. Perfect!!
    But it didn't tell me the file/folder name that has been deleted!
    Friday, January 18, 2013 7:51 AM
  • Hi all,

    I enabled the File System audit and the NTFS audit for only "Delete subfolders and files".

    auditpol /get /category:"Object Access"
    System audit policy
    Category/Subcategory                      Setting
    Object Access
      File System                             Success and Failure
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing

    I try to delete files but don't see any 4463 events.

    Saturday, March 22, 2014 3:34 AM