
Too much event id 4663 generated for file access audit on a Windows file server.

Stephan Bourgeois
Hi,

I am auditing a large file server using Netwrix. The goal is to audit all file modifications, such as changed, deleted and added files and credential or owner changes.

For some shared folders, I also want to audit List folder / read data. So far, I know what to do.

List Folder / read data generates a lot of entries in the Security event log, which is why I don't enable it on all shares.

Netwrix uses an agent to scan all the files and create a state-in-time report of the file and folder permissions. So that process is accessing millions of files and generating millions of audit events.

I am receiving a lot of 4663 events even in folders where I haven't enabled List folder / read data. I am trying to find a way to eliminate those events to extend the security log retention.

The maximum size of the security log is 4 GB, and some audit plans in Netwrix don't have enough time to catch all the events before they are removed because the log is getting full.

The solution is to lower the number of audited events.

The following screenshot shows my auditing settings. LCDomainUsers is a Local Domain Group that contains Domain Users from 2 domains (forest).
[Screenshot: 2019-12-03AuditSettings.jpg]
The next screenshot shows a generated audit event. Note that SRVSHARE1$ is the computer name, and it is not part of the group LCDomainUsers. I don't understand why this event is generated. The process name NwxFsAgent.exe is the Netwrix agent.
[Screenshot: 2019-12-03Event4663.jpg]
I am asking the experts; maybe one of you has a solution or can explain to me why event 4663 is generated even though I didn't enable "List folder / read data".

Thanks,
Mahesh, Architect
Distinguished Expert 2018

Commented:
The event ID generated is specific to the removable storage category and is generated if you enable "Audit Removable Storage" through GPO \ advanced auditing.
Disable that GPO setting and then this event should vanish.
The audit policy explicitly logs all access attempts to removable storage.
The permissions you spotted in the screenshot belong to some share folder and not removable storage, I believe, OR check if that drive is configured by Windows as "Removable storage".
Stephan Bourgeois, IT Specialist (Author)

Commented:
Thank you Mahesh.

Your answer is very helpful and leads to another question.

Why are the VMware drives on the server detected as removable storage?

I will research in this direction and probably disable auditing of removable storage, since no user can attach removable storage to a virtual server.
Stephan Bourgeois, IT Specialist (Author)

Commented:
I searched on Google and found this thread: https://communities.vmware.com/thread/476008

I will need to shut down during off-business hours to apply the fix devices.hotplug=false.

Event 4663 is not only for removable storage, so I am not sure that fix will resolve my problem. I looked at another server running Server 2008 R2 and the drives are correctly identified.

[Screenshot: 2019-12-04-08_36_23-SRVGPSAudit.png]
The difference is that I don't see any List Folder / read data entries.
Mahesh, Architect
Distinguished Expert 2018
Commented:
The event is generic for file system and removable storage, and works as expected for the file system.

However, the difference between the two is that removable storage logs any read/write attempt irrespective of what audit entry is set.
Mahesh, Architect
Distinguished Expert 2018
Commented:
The difference can be identified by "task category" only
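The two replies above say that a 4663 from the Removable Storage subcategory ignores the folder's SACL (which is why a subject such as SRVSHARE1$, not in LCDomainUsers, still shows up) and that only the task category tells the two kinds of 4663 apart. The following PowerShell is an added example for checking that on the server; it is not code from the thread, from Netwrix or from VMware. It assumes an elevated PowerShell session on the file server. The task values 12800 ("File System") and 12812 ("Removable Storage") are the standard subcategory IDs that event 4663 carries; the 20000-event cap and the column layout are choices made here for illustration.

```powershell
# Added example, not code from the original thread, Netwrix or VMware.
# Assumes an elevated PowerShell session on the Windows file server.
# 4663 task values: 12800 = "File System", 12812 = "Removable Storage".

# --- 1. Break the 4663 volume down by task category, process and subject ---
# A 4 GB Security log is large; the -MaxEvents cap keeps the first pass quick.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20000

$rows = foreach ($e in $events) {
    # The EventData fields (ProcessName, ObjectName, Subject*) are only
    # reachable through the event XML, so parse each record once.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        TaskId       = $e.Task                # 12800 or 12812
        TaskCategory = $e.TaskDisplayName     # 'File System' or 'Removable Storage'
        Process      = $data['ProcessName']   # e.g. the Netwrix agent NwxFsAgent.exe
        Subject      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        ObjectName   = $data['ObjectName']
    }
}

# If the bulk of the rows is 'Removable Storage' for the scanning process,
# the SACL on the shares is not what is generating them.
$rows |
    Group-Object TaskCategory, Process, Subject |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# --- 2. Show which Object Access subcategories are currently enabled ---
auditpol /get /category:"Object Access"

# --- 3. Rough indicator of how Windows classifies each disk ---
# Only an indicator: hot-pluggable virtual disks may still report as fixed here.
Get-CimInstance Win32_DiskDrive |
    Select-Object Index, Model, InterfaceType, MediaType |
    Format-Table -AutoSize

# --- 4. Turn the Removable Storage subcategory off when the server has no
#        real removable media. If the setting is delivered by GPO (Advanced
#        Audit Policy Configuration > Object Access > Audit Removable Storage),
#        change it in the GPO instead: a local auditpol change is overwritten
#        at the next policy refresh. ---
auditpol /set /subcategory:"Removable Storage" /success:disable /failure:disable
```

Read the grouped output before changing anything: File System rows for NwxFsAgent.exe under folders that do have a List folder / read data SACL entry are expected, whereas Removable Storage rows for the same process and for the computer account are the ones the Removable Storage subcategory alone is producing.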
Stephan Bourgeois, IT Specialist (Author)

Commented:
Thank you for your help.

I applied the following fix and it worked.
https://communities.vmware.com/thread/476008