I am using just the Windows Event Viewer to help gather this information and it 
is working for what I need at the moment.  A third party solution is something 
we may consider down the road for this so I’ll keep Netwrix in mind.

I was hoping to tune the events that get logged into the Windows Event Log so 
that it is easier to review by considering removing the default auditing on the 
C:\Windows\servicing and C:\Windows\WinSxS\FileMaps folders.  However it 
appears that this may not be commonly done so I’ll need to reconsider this 
approach.

Thanks,

-Aakash Shah

From: [email protected] [mailto:[email protected]] On 
Behalf Of Heaton, Joseph@Wildlife
Sent: Tuesday, September 15, 2015 1:51 PM
To: '[email protected]' <[email protected]>
Subject: RE: [NTSysADM] RE: File Server Auditing Question - Help Eliminating 
Events Produced From Windows Folders With Default Auditing Enabled

What are you using to gather the data from your security logs?  There are 3rd 
party products out there that do what you’re wanting to do.  I personally use 
Netwrix, and love it.  Takes a little bit to get setup, but works like a champ, 
and collects the info in one place where you can report/investigate.

From: [email protected] [mailto:[email protected]] On Behalf Of Aakash Shah
Sent: Tuesday, September 15, 2015 12:17 PM
To: [email protected]
Subject: RE: [NTSysADM] RE: File Server Auditing Question - Help Eliminating 
Events Produced From Windows Folders With Default Auditing Enabled

Thanks for your reply.  My goal is to enable file auditing for user folders 
deleted by administrators, and department folders that have been deleted by 
anyone.  I’ve successfully enabled this, but I noticed that there are events 
being logged that I am not interested in auditing on the C:\Windows\servicing 
and C:\Windows\WinSxS\FileMaps folders.  However, these folders appear to be 
enabled by default in Windows.  My question was whether anyone has successfully 
removed the auditing configuration on the folders C:\Windows\servicing and 
C:\Windows\WinSxS\FileMaps, or if there was a way to tell Windows to not audit 
any default folders in general either via policy or registry change to minimize 
the event log entries on this file server?

Thanks!

-Aakash Shah

From: [email protected] [mailto:[email protected]] On Behalf Of Andrew S. Baker
Sent: Tuesday, September 15, 2015 10:19 AM
To: ntsysadm <[email protected]>
Subject: Re: [NTSysADM] RE: File Server Auditing Question - Help Eliminating 
Events Produced From Windows Folders With Default Auditing Enabled

What are your actual auditing goals?

ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the 
SMB market…


 GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Tue, Sep 15, 2015 at 9:30 AM, Aakash Shah <[email protected]> wrote:
Just thought I’d try once more to see if anyone has any information about this.

Thanks!

-Aakash Shah

From: Aakash Shah
Sent: Thursday, September 10, 2015 9:27 PM
To: '[email protected]' <[email protected]>
Subject: File Server Auditing Question - Help Eliminating Events Produced From 
Windows Folders With Default Auditing Enabled

I am setting up file server auditing on a Server 2012r2 system for the first 
time and I had a question about reducing/eliminating the events produced from 
Windows folders that automatically have auditing defined on them.

Current Setup
I enabled file server auditing by setting Audit File System to Success under 
Computer Configuration | Policies | Windows Settings | Security Settings | 
Advanced Audit Configuration | Object Access.

Behavior
After enabling file system auditing, I noticed that the Security log started to 
log several events periodically.  I’ve pasted some of the relevant details 
below.  If the entire event entry is needed, please let me know.

Event ID: 4656
Security ID: SYSTEM
Description: A handle to an object was requested
Process Name: C:\Windows\CCM\CcmExec.exe
Object Name: C:\Windows\servicing
Frequency: 3 events every 10 minutes

Event ID: 4656
Security ID: SYSTEM
Description: A handle to an object was requested
Process Name: C:\Windows\System32\rundll32.exe
Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>

Event ID: 4663
Security ID: SYSTEM
Description: An attempt was made to access an object
Process Name: C:\Windows\System32\rundll32.exe
Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>
Frequency: The above 2 events produce about 650 events within about 1 second.  
So far I have noticed it occurring in the early morning on 2 of the days since 
I’ve enabled this.

Upon checking the C:\Windows\servicing and C:\Windows\WinSxS\FileMaps folders, 
I see that they have Auditing enabled by default.

Goal
I’d like to minimize the event logs produced since these events are not 
something that I am interested in auditing.

Questions

1. Has anyone attempted to remove auditing from the Windows folders 
C:\Windows\servicing or C:\Windows\WinSxS\FileMaps?

2. Is there a cleaner way to not log these default audit defined folders 
(the auditing I will be doing will be on a separate data volume on the server 
and not on the C drive)?  Or is the general approach to allow the events to be 
logged and then use the filter option (or a log management tool) to ignore 
these entries?

Thanks!
-Aakash Shah
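The filtering approach raised in question 2 (let the events be logged, then ignore the ones from the default-audited folders at review time), and the SACL inspection implied by "they have Auditing enabled by default", can both be done from PowerShell. The script below is an added example for this thread, not code posted by any participant. It assumes an elevated PowerShell session on the 2012 R2 file server (reading the Security log and a folder's SACL both need administrative rights); the two excluded paths and the event IDs 4656/4663 are taken from the original post, the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the thread). Reviews file-system audit events while
# discarding the noise from Windows' default-audited folders, and shows the
# default SACL entries on those folders so the source of the noise is visible.

# Folders the thread identifies as carrying default audit rules.
$ExcludedPrefixes = @(
    'C:\Windows\servicing',
    'C:\Windows\WinSxS\FileMaps'
)

function Get-FolderAuditRules {
    # Lists the SACL (audit) entries on each folder; requires SeSecurityPrivilege.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        (Get-Acl -Path $p -Audit).Audit |
            Select-Object @{ n = 'Path'; e = { $p } }, IdentityReference,
                          FileSystemRights, AuditFlags, IsInherited
    }
}

function Get-FilteredFileAccessEvents {
    # Returns 4656/4663 events whose ObjectName does not fall under an excluded prefix.
    param(
        [string[]]$Exclude,
        [int]$Hours = 24          # assumed review window
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the structured EventData fields instead of parsing the Message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $objectName = $data['ObjectName']
        $isNoise = $false
        foreach ($prefix in $Exclude) {
            if ($objectName -and
                $objectName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $isNoise = $true
                break
            }
        }
        if ($isNoise) { continue }

        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process     = $data['ProcessName']
            ObjectName  = $objectName
            AccessMask  = $data['AccessMask']
        }
    }
}

# 1. Why the noise exists: the inherited/default audit rules on the two folders.
Get-FolderAuditRules -Paths $ExcludedPrefixes | Format-Table -AutoSize

# 2. What is left once that noise is dropped: who touched what, and how often.
$records = Get-FilteredFileAccessEvents -Exclude $ExcludedPrefixes
$records | Group-Object Subject, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$records | Format-Table TimeCreated, EventId, Subject, ObjectName -AutoSize
```

The prefix check is done in PowerShell rather than in the Event Viewer's XML filter because the event log's XPath subset has no string-prefix matching, so a custom view cannot express "ObjectName under C:\Windows\servicing". Running the same exclusion list in the review script keeps the default SACLs untouched, which matches the conclusion the thread reaches.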
