
Advanced Auditing Not Working...

Windows Server 2008 R2 file server.  Sensitive share is published to DFS and is available when users type a UNC path in explorer.

Access-Based Enumeration is enabled.

We enabled Advanced Auditing via GPO, ran gpupdate, and configured Auditing on the top-level folder of the protected share at the file server: "Everyone", "This folder, subfolders, files", "Successful" and "Failed" for all accesses.

We began seeing a large volume of data in the "Security" event log.

We went back and unchecked all "Successful" items and retained just a few "Failed" items ("Traverse Folder", "List Folder", "Read Permissions", etc).

Now, we are getting no events recorded when we test accessing the object with an unauthorized account.

Question: In this protected share, although we have Access-Based Enumeration enabled, we want to determine when an unauthorized user might try to access a folder, either by trying to access the top-level folder or by entering a complete UNC path for a subfolder.

What configurations must be made, both in the GPO as well as in the folder security settings, in order to track/audit just those attempts by unauthorized members to access any part of this protected folder?

Thank you....
1 Solution
btan (Exec Consultant) commented:
Looks like something of this - on "Bypass Traverse Checking"

But it is advised that it is better not to touch it, and by default this right is not audited even if you enable Audit privilege use.

AuditPol can be useful, though I am not so savvy with it.

Security Audit Events for Windows 7 and Windows Server 2008 R2 (which may be useful to see on the "File and Object Access").

Category: Object Access
Subcategory: File System or Detailed File Share
Possible events include those below; see the tab (in the xls download) for more details:

  • 5145: A network share object was checked to see whether the client can be granted desired access.
  • 5140: A network share object was accessed.
  • 5142: A network share object was added.
  • 5143: A network share object was modified.
  • 5144: A network share object was deleted.
  • 5168: SPN check for SMB/SMB2 failed.
  • 4664: An attempt was made to create a hard link.
  • 4985: The state of a transaction has changed.
DWStovall (Author) commented:
@ breadtan,

I'm not sure I understand what I should do.

To enable "Auditing" initially, before I contacted Experts Exchange, I configured some items in GPO, and then configured some items at the top-level folder of the items I wanted to protect.

Things seemed to be working okay except that I had all of the "Accesses" set for "Successful" and "Failed", and the volume of entries in the event log was too much.

I unchecked most of the "Successful" items and some of the "Failed" items, and now none of the object accesses, particularly attempts by unauthorized people, are being recorded in the event log.

What settings must be configured so that I can track just the "Failed" attempts to access the folder objects?

I also would like to audit attempts, failed or otherwise, of "Permission Change" on any of the subfolders.

Thank you...
btan (Exec Consultant) commented:
In this link, under "Audit Object Access Properties", there is an option for Success and Failure: http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
DWStovall (Author) commented:
I have reconfigured Advanced Auditing Policy and have reconfigured the SACL on the folders I want to audit.

I am getting a reasonable (appropriate) volume of entries to the Security Event Log; however, with Access Based Enumeration invoked, I'm not seeing any failed attempts to access folders being audited.

Although Access-Based Enumeration will prevent unauthorized individuals from seeing folders to which they do not have access, I would still like to know if an individual persists in attempting to access a folder.

For example:  With Access Based Enumeration enabled, a user may not be able to see a folder to click on it, and thus would not get a message indicating he did not have access.  If a person attempts to access a folder by using a more direct UNC path (\\server\share\folder), I would like auditing to reflect a "Failed" attempt.  So far, that's not happening.
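A worked configuration, added here as an example and not taken from the thread, covering both halves of the question (the audit policy subcategories and the folder SACL) plus a check on the resulting events. The local folder path, the "Everyone" principal and the one-hour query window are assumptions; adapt them to the share.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on the
# Windows Server 2008 R2 file server. $folder is an assumed local path for the share root.
$folder = 'D:\Shares\Sensitive'   # placeholder: the local path behind \\server\share

# 1) Advanced audit policy: log only FAILED object access, not successes.
#    "Detailed File Share" covers the share-level check (event 5145);
#    "File System" covers the folder SACL check (event 4656 on failure).
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:enable
auditpol /set /subcategory:"File System"         /success:disable /failure:enable
auditpol /get /category:"Object Access"          # verify what is actually in effect

# 2) SACL on the share root: audit FAILED traverse/list/read-permission attempts by
#    Everyone, inherited to subfolders and files, so a denied UNC path to a hidden
#    subfolder still produces a failure entry even though ABE hides it from browsing.
$acl     = Get-Acl -Path $folder -Audit
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None

$failedAccess = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ListDirectory, Traverse, ReadPermissions',
    $inherit, $noProp,
    [System.Security.AccessControl.AuditFlags]::Failure)

# Permission changes on any subfolder: audit both outcomes (the second ask in the thread).
$permChange = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership',
    $inherit, $noProp,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl.AddAuditRule($failedAccess)
$acl.AddAuditRule($permChange)
Set-Acl -Path $folder -AclObject $acl     # writing a SACL needs SeSecurityPrivilege

# 3) Check: failed access attempts in the last hour. 0x10000000000000 is the
#    "Audit Failure" keyword; 4656 = handle to an object was requested (denied),
#    5145 = share access check. Permission changes show up separately as 4670.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 5145
    Keywords  = 0x10000000000000
    StartTime = (Get-Date).AddHours(-1)
} | Select-Object TimeCreated, Id, Message | Format-List
```

If the subcategories are set by GPO, as in the thread, also enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" in that GPO; otherwise legacy category settings win and local auditpol changes are overwritten at the next policy refresh.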
btan (Exec Consultant) commented:
However, I see that is the best there is, as there are no specific events for ABE. The only coverage is from Audit Object Access or Audit Kernel Object....
btan (Exec Consultant) commented:
Probably this can reduce the noise and be folder-specific.