Advanced Auditing Not Working...

Windows Server 2008 R2 file server. Sensitive share is published to DFS and is available when users type a UNC path in Explorer.

Access-Based Enumeration is enabled.

We enabled Advanced Auditing via GPO, ran gpupdate, configured Auditing on the top-level folder of the protected share at the file server - "Everyone" - "This folder, subfolders, files" - "Successful" and "Failed" for all accesses.

We began seeing a large volume of data in the "Security" event log.

We went back and unchecked all "Successful" items and retained just a few "Failed" items ("Traverse Folder", "List Folder", "Read Permissions", etc).

Now, we are getting no events recorded when we test accessing the object with an unauthorized account.

Question: In this protected share, although we have Access-Based Enumeration enabled, we want to determine when an unauthorized user might try to access a folder, either by trying to access the top-level folder, or by entering a complete UNC path for a subfolder.

What configurations must be made, both in the GPO as well as the folder security settings, in order to track/audit just those attempts by unauthorized members to access any part of this protected folder?

Thank you....

btan (Exec Consultant) commented:
Looks like something of this - on "Bypass Traverse Checking"

But it is advised that it is better not to touch it, and by default this right is not audited even if you enable Audit privilege use.

AuditPol can be useful, though I am not so savvy with it.

Security Audit Events for Windows 7 and Windows Server 2008 R2 (which may be useful to see on the "File and Object Access")

Category - Object Access
Subcategory - File System or Detailed File Share
Possible events include those below - see the tab (in xls download) for more details

5145      A network share object was checked to see whether the client can be granted desired access.
5140      A network share object was accessed.
5142      A network share object was added.
5143      A network share object was modified.
5144      A network share object was deleted.
5168      Spn check for SMB/SMB2 failed.
4664      An attempt was made to create a hard link.
4985      The state of a transaction has changed.

DWStovall (Author) commented:
@ breadtan,

I'm not sure I understand what I should do.

To enable "Auditing" initially, before I contacted Experts Exchange, I configured some items in GPO, and then configured some items at the top-level folder of the items I wanted to protect.

Things seemed to be working okay except that I had all of the "Accesses" set for "Successful" and "Failed", and the volume of entries in the event log was too much.

I unchecked most of the "Successful" items and some of the "Failed" items, and now none of the object accesses, particularly attempts by unauthorized people, - none are being recorded in the event log.

What settings must be configured so that I can track just the "Failed" attempts to access the folder objects?

I also would like to audit attempts, failed or otherwise, of "Permission Change" on any of the subfolders.

Thank you...
btan (Exec Consultant) commented:
In this link, under "Audit Object Access Properties", there is an option for Success and Failure.

DWStovall (Author) commented:
I have reconfigured Advanced Auditing Policy and have reconfigured the SACL on the folders I want to audit.

I am getting a reasonable (appropriate) volume of entries to the Security Event Log; however, with Access Based Enumeration invoked, I'm not seeing any failed attempts to access folders being audited.

Although Access-Based Enumeration will prevent unauthorized individuals from seeing folders to which they do not have access, I would still like to know if an individual persists in attempting to access a folder.

For example:  With Access Based Enumeration enabled, a user may not be able to see a folder to click on it, and thus would not get a message indicating he did not have access.  If a person attempts to access a folder by using a more direct UNC path (\\server\share\folder), I would like auditing to reflect a "Failed" attempt.  So far, that's not happening.
btan (Exec Consultant) commented:
However, I see that is the only best as there are no specific events for ABE. The only coverage is from the audit object access or audit kernel object....
btan (Exec Consultant) commented:
Probably this can reduce the noise and be folder specific.
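
The setup this thread is working toward, as an added PowerShell example that is not part of any participant's post: the audit-policy subcategory decides whether events are logged at all, and the folder SACL decides which accesses are logged. The folder path is a placeholder, and event ID 4656 ("A handle to an object was requested") is the File System event assumed here alongside the 5145 listed above.

```powershell
# Added example; run in an elevated session on the file server.
$Folder = 'D:\Shares\Protected'   # placeholder: top-level folder of the protected share

# 1. Audit policy. In a domain, set the same values under the GPO's
#    Advanced Audit Policy Configuration > Object Access, or the next
#    policy refresh will overwrite these local settings.
#    File System: both enabled; the SACL below decides what is actually logged.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
#    Detailed File Share has no SACL filter, so only failures are enabled.
auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:enable

# 2. SACL on the folder, inherited by subfolders and files.
$ns      = 'System.Security.AccessControl'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# Failed attempts to traverse, list or read permissions.
$readRights = [System.Security.AccessControl.FileSystemRights]'Traverse, ListDirectory, ReadPermissions'
$failedRead = New-Object "$ns.FileSystemAuditRule" -ArgumentList `
    'Everyone', $readRights, $inherit, $prop,
    ([System.Security.AccessControl.AuditFlags]::Failure)

# Permission changes, successful or failed.
$permRights = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$permChange = New-Object "$ns.FileSystemAuditRule" -ArgumentList `
    'Everyone', $permRights, $inherit, $prop,
    ([System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Folder -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($failedRead)
$acl.AddAuditRule($permChange)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify both layers.
auditpol /get /category:"Object Access"
(Get-Acl -Path $Folder -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. After a test with an unauthorized account, list failure events only.
$auditFailure = 4503599627370496         # "Audit Failure" keyword in the Security log
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 5145; Keywords = $auditFailure } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

`AddAuditRule` leaves existing audit entries in place, so clear any leftover broad "Everyone / all accesses" entries on the folder first if the log volume stays high.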