In Windows we can audit correctly local disk resources, but assuming T: is a mapped drive corresponding to a remote share, the following resource definition does not show any audit record.
AC> nr file T:\* audit(all) defaccess(all)
However, the same definition for a remote resource in UNIX (for instance through nfs) works
Windows 2016 and previous windows.
Release: 14.0 pim
Microsoft implements the remote file access using three major components
a) A Client side file system re-director (mrxsmb.sys) , which does the remote file system namespace management along redirecting the FILE system IO calls and then talking to the upper edge of TCP/IP or Socket layer. b) A Client side user mode .dll, that interfaces with the remote server, requests administrative and non-administrative information along with a bi-way communication with windows Kernel via subsystem.
c) A Clear and strong protocol based communication in place, like CIFS/SMB/NFS etc.
Our PIM Endpoint (EP) is installed at a client system level where all the FILE IO redirection to server happens. As per the design of our product, we are a File system filter driver + Network filter driver. We don't filter or track any FILE IO's to a mapped folder or driver that is take the Network route based on some protocol like CIFS/NFS.
This is because of Microsoft's lack of any infrastructure supporting the filtering of remote File IO's or a documented way of hooking up the re-director or namespace.
PIM EP drivers currently support files that reside on a persistent Media (Be it Local disk or SAN) or cached media on Local System and not Remote ones.
To protect a remote share the file that the remote share represents needs to be protected as well.