Detailed File Share auditing is enabled. How/Where? Causing high event volume of 5145 events.
I have some 2008 R2 DCs that I noticed recently as having thousands of 5145 events being logged. In my research this event is logged for any access to any file share (without regard for SACLs) and is set at the Advanced Audit->Object Access->File Share audit setting.
The problem is, this advanced audit item is NOT configured on any GPO applying to the DC as verified by RSoP (resultant set of policy).
I do have "Audit Object Access" auditing enabled via the legacy audit method, however as I understand it, it only audits objects that have SACLs set on them. I currently have one SACL set, and that's to track file deletions on the SYSVOL share.
Note, running the following command shows ALL of the advanced subcategory audit items as being enabled (including Audit File Share): auditpol /get /category:"Object Access"
I found the following article that implies, enabling the legacy audit method for "Audit Object Access" automatically enables all of the advanced subcategories.
http://cosonok.blogspot.com/2010/09/getting-loads-thousands-per-second-of.html.
This seems to go completely against the description for the legacy "Audit Object Access" item which clearly states only items with SACLs will be audited.
Am I missing or misunderstanding something? I realize that I probably should just use the Advanced auditing (and not the legacy items), but I have yet to dig into that. Since the legacy option is there, I'd like to get a firm grasp as to why I'm getting the results I'm getting.
March 7th, 2011 11:24am
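An added diagnostic for the "how/where" question in the post above (example code written for this page, not from the thread or from Microsoft). It reads the effective policy from auditpol's CSV output, checks the registry value behind the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (SCENoApplyLegacyAuditPolicy), looks for the locally cached advanced audit policy file, and scans SYSVOL for GPOs that carry an audit.csv, which is where Advanced Audit Policy Configuration lives and which the legacy Audit Policy view in GPMC does not show. The domain name is a parameter you supply; the function names are this example's own, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): trace where an effective audit subcategory
# setting comes from on a Windows Server 2008 R2 host. Run elevated; PowerShell 3.0+
# assumed for [pscustomobject] and Get-ChildItem -Directory.

function Get-EffectiveAuditPolicy {
    # auditpol /r returns CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Guid        = $_.'Subcategory GUID'
                Setting     = $_.'Inclusion Setting'   # "No Auditing", "Success", "Failure", "Success and Failure"
            }
        }
}

function Test-LegacyAuditOverride {
    # SCENoApplyLegacyAuditPolicy = 1 is the registry form of the security option
    # "Audit: Force audit policy subcategory settings (Windows Vista or later) to override
    # audit policy category settings". With it set, the nine legacy categories are ignored and
    # only subcategory (advanced) settings count. Without it, a legacy category such as
    # "Audit object access" switches on every subcategory beneath it, Detailed File Share included.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    [pscustomobject]@{
        SCENoApplyLegacyAuditPolicy = $lsa.SCENoApplyLegacyAuditPolicy   # $null when the value is absent
        # Group Policy caches the advanced audit policy it last applied in this file; its
        # presence shows that an advanced audit policy has been delivered to this host at some point.
        LocalAuditCsvPresent        = Test-Path "$env:SystemRoot\security\audit\audit.csv"
    }
}

function Find-AdvancedAuditGpo {
    # Advanced Audit Policy Configuration is stored per GPO in SYSVOL as
    # Machine\Microsoft\Windows NT\Audit\audit.csv. $Domain is this example's own parameter.
    param([Parameter(Mandatory = $true)][string]$Domain)
    $policies = "\\$Domain\SYSVOL\$Domain\Policies"
    foreach ($gpo in Get-ChildItem -Path $policies -Directory -ErrorAction Stop) {
        $csv = Join-Path $gpo.FullName 'Machine\Microsoft\Windows NT\Audit\audit.csv'
        if (-not (Test-Path $csv)) { continue }
        foreach ($row in Import-Csv $csv) {
            [pscustomobject]@{
                GpoGuid     = $gpo.Name
                Subcategory = $row.Subcategory
                Setting     = $row.'Inclusion Setting'
            }
        }
    }
}

# Usage: compare the effective state with the override flag and with what the GPOs actually carry.
Get-EffectiveAuditPolicy | Where-Object { $_.Subcategory -match 'File Share' } | Format-Table -AutoSize
Test-LegacyAuditOverride
Find-AdvancedAuditGpo -Domain 'example.corp' | Where-Object { $_.Subcategory -eq 'Detailed File Share' }
```

If Test-LegacyAuditOverride reports the value absent (or 0) and no GPO carries an audit.csv, the subcategories shown by auditpol are inherited from the legacy categories, which is exactly the "every subcategory enabled" picture the post describes; a GPO audit.csv row for Detailed File Share, on the other hand, names the GPO that set it explicitly.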
Hi, can you paste the full 5145 event information?
I think you can uncheck the success of Audit Object access for a test.
March 8th, 2011 11:56am
Here is the text of the 5145 event. Also I cannot disable successful audits for Object Access, as there are some cases where this auditing is required.
I fully understand the issue... turning on Object Access logging using the legacy auditing method will enable all subcategory audit items (which includes items that log regardless of SACLs being present or not). I just don't understand why that is, as that in itself violates what Object Access logging is intended for, per the explanation text of that audit item, which is to only log non-AD objects but only if they have SACLs defined.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/7/2011 9:19:24 PM
Event ID: 5145
Task Category: Detailed File Share
Level: Information
Keywords: Audit Success
User: N/A
Computer: APACBLR01DCX02.APAC.FADV.NET
Description:
A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: APAC\BLR01SSDPRI$
Account Name: BLR01SSDPRI$
Account Domain: APAC
Logon ID: 0x408eb6d
Network Information:
Object Type: File
Source Address: 10.254.67.82
Source Port: 1502
Share Information:
Share Name: \\*\IPC$
Share Path:
Relative Target Name: \
Access Request Information:
Access Mask: 0x80
Accesses: ReadAttributes
Access Check Results:
*XML info stripped*
March 8th, 2011 1:13pm
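An added triage script for the event posted above (example code written for this page, not from the thread). It pulls recent 5145 events from the Security log, reads the named EventData fields from the event XML rather than the rendered message, and groups them by share, source address and account so the source of the volume is visible. Machine-account hits on \\*\IPC$ with ReadAttributes, like the one shown, are RPC/named-pipe connections from other domain members rather than file reads. Function and parameter names are this example's own; PowerShell 3.0 or later and read access to the Security log are assumed.

```powershell
# Added example (not from the thread): summarise 5145 "Detailed File Share" events so the
# noise source is visible before deciding whether the subcategory is worth keeping.
# Requires read access to the Security log on the host; PowerShell 3.0+ assumed.

function Get-DetailedFileShareSummary {
    param(
        [datetime]$StartTime = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 50000
    )
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the XML; the rendered message text is
        # locale-dependent, the field names are not.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            Account          = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            IsMachineAccount = [string]$d['SubjectUserName'] -ne '' -and ([string]$d['SubjectUserName']).EndsWith('$')
            Source           = $d['IpAddress']
            Share            = $d['ShareName']
            Target           = $d['RelativeTargetName']
            AccessMask       = $d['AccessMask']       # 0x80 = ReadAttributes in the posted event
        }
    }

    # Top talkers by share, source address and account.
    $rows | Group-Object Share, Source, Account | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Share';   e = { $_.Group[0].Share } },
            @{ n = 'Source';  e = { $_.Group[0].Source } },
            @{ n = 'Account'; e = { $_.Group[0].Account } },
            @{ n = 'Machine'; e = { $_.Group[0].IsMachineAccount } }
}

# Usage
Get-DetailedFileShareSummary -StartTime (Get-Date).AddMinutes(-15) |
    Select-Object -First 20 | Format-Table -AutoSize
```

A few hundred thousand events will take a while to group; narrow the window with -StartTime on a busy DC. If the top rows are all \\*\IPC$ from machine accounts, the subcategory is recording domain plumbing rather than user access to file data.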
Hi Matthew,
RSoP cannot display the result of Advanced Audit Policy. You can verify the result by running the following command in a CMD window:
auditpol.exe /get /category:*
I have enabled the legacy audit policy: Audit object access. It did not enable the Audit Detailed File Share. Currently, I suggest you use GPMC to collect a Group Policy Results for this computer and check it:
1. Open GPMC, right-click Group Policy Results on the left pane.
2. Choose Group Policy Results Wizard, follow the wizard to collect a Group Policy result for the problematic computer.
3. After that, highlight the result on the left pane. Click the Settings on the right pane.
Then, you can find which GPO enabled the Audit Detailed File Share.
Regards,
Bruce
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 11th, 2011 3:30am
Thanks for your reply Bruce,
My apologies... I must clarify that when I stated I ran an RSoP, I actually meant that I ran the GPMC Group Policy Results. All Advanced Audit Policy items were marked "Not Configured", yet the auditpol.exe command shows they all were. I've even checked the local security policy. Nothing is configured anywhere, outside of the legacy audit policy.
I'm not sure why you can't replicate my results, as every 2008 R2 domain that I have configured currently show this exact scenario. Moreover, the link I provided backs the claim.
Thanks,
Matthew
March 11th, 2011 8:14am
Hi Matthew,
Please save the GPMC Group Policy Results and upload to this space (Please choose "Send Files to Microsoft"):
Workspace URL:
https://sftasia.one.microsoft.com/choosetransfer.aspx?key=3f16286c-1b1d-4e19-abb4-af78342387ef
Password: K*#pr+G3At$Ve
Meanwhile, please let me know the detailed steps that you used to enable the legacy audit policy: Audit object access.
I will test in my lab again.
Regards,
Bruce
March 11th, 2011 11:54am
I uploaded a zip file named AuditPolicyTroubleshooting.zip.
Please note: The original domain I was troubleshooting somehow has those configuration options turned off! I have no idea who/what turned them off. I have a suspicion that one of my domain admins made some changes after me bringing this issue to their attention, however I'm unsure who as no one is owning up to it. As such the zip file attached is from another domain also confirmed to have this issue.
I saw some event log entries citing these audit items were in fact being turned off, but it does not reference the user who initiated the change. The group policy is also unchanged. How do I find out who/what did this? Moreover, HOW did they do it, if not through local and/or group policy? Maybe with the Auditpol command itself? Wouldn't it log who did it, especially since auditing (was) turned on for everything?
As far as my normal process, usually when I set auditing rules, I just open the Default Domain Controllers policy and drill down to the (legacy) Audit Policy section, then set Success and Failure for all options. I have never gone into the Advanced Audit section. This is all I have ever done.
Maybe something else specifically enabled it, I dunno.
Example event log entry as mentioned above:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/8/2011 1:20:55 PM
Event ID: 4719
Task Category: Audit Policy Change
Level: Information
Keywords: Audit Success
User: N/A
Computer: APACBLR01DCX02.APAC.FADV.NET
Description:
System audit policy was changed.
Subject:
Security ID: SYSTEM
Account Name: APACBLR01DCX02$
Account Domain: APAC
Logon ID: 0x3e7
Audit Policy Change:
Category: Object Access
Subcategory: File Share
Subcategory GUID: {0cce9224-69ae-11d9-bed3-505054503030}
Changes: Success removed, Failure removed
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4719</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13568</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2011-03-08T07:50:55.403280900Z" />
<EventRecordID>110618495</EventRecordID>
<Correlation />
<Execution ProcessID="480" ThreadID="2700" />
<Channel>Security</Channel>
<Computer>APACBLR01DCX02.APAC.FADV.NET</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">APACBLR01DCX02$</Data>
<Data Name="SubjectDomainName">APAC</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="CategoryId">%%8274</Data>
<Data Name="SubcategoryId">%%12808</Data>
<Data Name="SubcategoryGuid">{0CCE9224-69AE-11D9-BED3-505054503030}</Data>
<Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
</EventData>
</Event>
March 11th, 2011 2:29pm
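An added script for the "who/what did this" question in the post above (example code written for this page, not from the thread). It lists 4719 events, resolves the subcategory GUID to a name through auditpol, decodes the AuditPolicyChanges codes, and classifies the origin: a 4719 whose subject is SYSTEM with Logon ID 0x3e7, as in the posted event, was written by the local security policy engine applying policy, whereas a change made by an administrator with auditpol.exe or Local Security Policy carries that administrator's account as the subject. For policy-engine changes it then shows what the Group Policy client logged in the same window. The codes 8448 and 8450 are taken from the posted event; 8449 and 8451 are assumed to be their "added" counterparts. Function names are this example's own; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): attribute 4719 "System audit policy was changed"
# events. Subject SYSTEM / Logon ID 0x3e7 means the local security policy engine applied
# policy; any other subject is an account that changed the policy directly (auditpol.exe,
# Local Security Policy). PowerShell 3.0+ assumed.

# Resolution of the %%-codes in AuditPolicyChanges. 8448 and 8450 are taken from the
# event posted above ("Success removed, Failure removed"); 8449 and 8451 are assumed to
# be the matching "added" codes.
$AuditPolicyChangeCodes = @{
    '%%8448' = 'Success removed'
    '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'
    '%%8451' = 'Failure added'
}

function Get-SubcategoryNameMap {
    # GUID -> subcategory name from auditpol's CSV listing (the event only carries the GUID).
    $map = @{}
    $rows = auditpol /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($r in $rows) { $map[$r.'Subcategory GUID'.ToUpper()] = $r.Subcategory }
    $map
}

function Get-AuditPolicyChanges {
    param([datetime]$StartTime = (Get-Date).AddDays(-7))
    $names  = Get-SubcategoryNameMap
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $StartTime } -ErrorAction Stop
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $changes = foreach ($c in ([string]$d['AuditPolicyChanges'] -split ',\s*')) {
            if ($AuditPolicyChangeCodes.ContainsKey($c)) { $AuditPolicyChangeCodes[$c] } else { $c }
        }
        $bySystem = ($d['SubjectUserSid'] -eq 'S-1-5-18') -and ($d['SubjectLogonId'] -eq '0x3e7')
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            LogonId     = $d['SubjectLogonId']
            Subcategory = $names[([string]$d['SubcategoryGuid']).ToUpper()]
            Changes     = $changes -join ', '
            Origin      = if ($bySystem) { 'policy engine (Group Policy / local policy refresh)' } else { 'explicit change by the listed account' }
        }
    }
}

function Get-GroupPolicyActivityAround {
    # For policy-engine changes, show what the Group Policy client did in the same window.
    param([Parameter(Mandatory = $true)][datetime]$Time, [int]$WindowMinutes = 2)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = $Time.AddMinutes(-$WindowMinutes)
        EndTime   = $Time.AddMinutes($WindowMinutes)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage
$changes = Get-AuditPolicyChanges
$changes | Format-Table Time, Subject, Subcategory, Changes, Origin -AutoSize
$changes | Where-Object { $_.Origin -like 'policy engine*' } | Select-Object -First 1 |
    ForEach-Object { Get-GroupPolicyActivityAround -Time $_.Time }
```

Note the catch the thread itself hits: once the Audit Policy Change subcategory has been switched off (the "No Auditing" state shown further down), 4719 is no longer written, so the events you have are the ones logged before that point.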
It looks like this has now turned into an even bigger problem. It appears NO auditing is being done now. Something turned it off, yet the Group Policy Results show it clearly still defined.
AuditPol
C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation No Auditing
Group Policy Results
Local Policies/Audit Policy

Policy                          Setting            Winning GPO
Audit account logon events      Success, Failure   Default Domain Controllers Policy
Audit account management        Success, Failure   Default Domain Controllers Policy
Audit directory service access  Success, Failure   Default Domain Controllers Policy
Audit logon events              Success, Failure   Default Domain Controllers Policy
Audit object access             Success, Failure   Default Domain Controllers Policy
Audit policy change             Success            Default Domain Controllers Policy
Audit privilege use             Failure            Default Domain Controllers Policy
Audit process tracking          No auditing        Default Domain Controllers Policy
Audit system events             Success            Default Domain Controllers Policy
March 21st, 2011 2:35pm
Hi,
Is there someone else who can modify the GPO?
I have not received your last zip file. Currently, please collect the latest Group Policy Results using the wizard in GPMC and upload to this space (Please choose "Send Files to Microsoft"):
Workspace URL: (https://sftasia.one.microsoft.com/choosetransfer.aspx?key=a7b874fc-3a7d-41d8-a46e-869cae79798e)
Password: 6GsLqh8s#o1
Meanwhile, if the issue is urgent to your business, it is recommended that you contact Microsoft Customer Support Services (CSS) via telephone so that a dedicated Support Professional can assist you in a more efficient manner.
To obtain the phone numbers for specific technology request please take a look at the web site listed below.
http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS
If you are outside the US please see http://support.microsoft.com for regional support phone numbers.
Regards,
Bruce
March 23rd, 2011 7:11am
I uploaded the file again.
The file, FADV_Auditing_Issues.zip, was uploaded successfully.
Send Files - Standard File Name : FADV_Auditing_Issues.zip
Start Time : Thu, 24 Mar 2011 13:15:26 UTC
End Time : Thu,24 Mar 2011 13:15:24 UTC
Time Taken : -2 seconds
This is not an urgent matter. Also, while there are others that *can* make GPO changes, I'm really the only one that does.
On the domain that ended up having auditing completely disabled (per AuditPol) regardless of what was configured in GPO, we were not able to find the cause. We did, however, find that by simply replacing the legacy audit configuration with the Advanced Audit Policy configuration (within the only GPO it was defined in) ended up fixing the issue entirely for that domain. That was the only change that was made! Ultimately this makes no sense.
But anyway, my other two domains still have just the legacy auditing enabled, yet AuditPol shows every setting as being configured for success/failure. I'm still not understanding this. Again based on the research I did, other people have noticed this same thing, which led me to believe it was normal, but you saying it does not happen for you makes me wonder if it is in fact normal.
I'm looking forward to your reply to the information that was sent.
March 24th, 2011 9:20am
I am noting similar behaviour in a Windows 2003 domain that has introduced a Windows 2008 member server being used for a File Share only; the Windows 2008 member server security log is being pounded with event ID 5145; since this thread seems to be dealing with why a Security log on a Windows 2008 Server is being filled with Event ID 5145 entries that cannot be traced back to a known "enabled" state - can you advise if anything new has been determined on this? I have run the suggested commands as outlined above and cannot account for why these events are occurring.
April 21st, 2011 2:53pm
Glen,
What are the results of the following command being ran on the 2008 member server?
auditpol /get /category:*
I haven't found any further information regarding this topic. At this point I'm just relying on configuring the advanced audit policy vs. the legacy policy.
-Matthew
April 21st, 2011 4:25pm
To summarize:
AAP is used even if all the categories say "Unconfigured" in GPO; when you change any of the categories, you receive "No auditing" in all categories.
The fix is to force using AAP via GP and set up granular audits.
Today I have the same issue as the topic starter. Looks like a bug.
March 31st, 2012 10:13am
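The fix the summary above describes, forcing subcategory settings to take precedence and auditing at subcategory granularity, worked through on a single host as an added example (written for this page, not from the thread or from Microsoft). It backs up the current policy with auditpol, sets the registry value behind "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", keeps File Share (event 5140, one per share connection) and File System (which still fires only for objects carrying a SACL), switches off Detailed File Share (event 5145, one per file or pipe access check), and verifies the result. The backup path and function names are this example's own; run it elevated, in a lab first.

```powershell
# Added example (not from the thread): a granular alternative to the legacy
# "Audit object access" category for a lab host. Keeps File Share and File System,
# turns off Detailed File Share. Run elevated; backup path is this example's own.

$script:BackupFile = Join-Path $env:TEMP 'auditpol-before.csv'

function Backup-AuditPolicy {
    # auditpol /backup writes the complete current policy as CSV; /restore reads it back.
    auditpol /backup /file:$script:BackupFile | Out-Null
    $script:BackupFile
}

function Enable-SubcategoryPrecedence {
    # Registry form of "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings". Without it the legacy category still
    # enables every subcategory, including the one disabled below. In production set it
    # through the GPO security option rather than writing the registry directly.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
}

function Set-GranularFileShareAudit {
    auditpol /set /subcategory:"File Share"          /success:enable  /failure:enable  | Out-Null
    auditpol /set /subcategory:"File System"         /success:enable  /failure:enable  | Out-Null
    auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:disable | Out-Null
}

function Get-FileShareAuditState {
    foreach ($sub in 'File Share', 'File System', 'Detailed File Share') {
        auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}

function Restore-AuditPolicy {
    auditpol /restore /file:$script:BackupFile | Out-Null
}

# Usage
Backup-AuditPolicy
Enable-SubcategoryPrecedence
Set-GranularFileShareAudit
Get-FileShareAuditState | Format-Table -AutoSize
# ... observe the Security log, then put the original policy back:
# Restore-AuditPolicy
```

Local auditpol changes are overwritten at the next Group Policy refresh whenever a GPO defines an advanced audit policy, so for domain controllers the same subcategory settings belong under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration in the policy that applies to them, with the legacy Audit Policy entries left Not Defined so the two do not compete.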
I haven't found any further information regarding this topic. At this point I'm just relying on configuring the advanced audit policy vs. the legacy policy.
-Matthew
Hi Matthew,
I'm in the same boat you are. After editing any portion of AAP, and then setting all categories to "not configured", it seems as if legacy policy no longer has any effect on logging. Have to rely on AAP audit at a granular level. If you should ever happen to find a resolution to this, PLEASE share.
-Eric
June 5th, 2012 5:20pm
Matthew,
I found the answer to the problem.. read here.
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/79820070-de59-43ef-9f95-1441e23bb5ca
June 5th, 2012 5:37pm