Class FILE in network map

Article ID: 129686

Products

CA Virtual Privilege Manager, CA Privileged Identity Management Endpoint (PIM), CA Privileged Access Manager (PAM)

Issue/Introduction

In Windows, local disk resources are audited correctly, but when T: is a mapped drive corresponding to a remote share, the following resource definition does not produce any audit record:

AC> nr file T:\* audit(all) defaccess(all) 

However, the same definition for a remote resource in UNIX (for instance a share mounted through NFS) works.

Environment

Windows 2016 and earlier Windows versions.
Release: PIM 14.0

Resolution

Microsoft implements remote file access using three major components:

a) A client-side file system redirector (mrxsmb.sys), which manages the remote file system namespace, redirects the file system I/O calls, and talks to the upper edge of the TCP/IP or socket layer.

b) A client-side user-mode DLL that interfaces with the remote server, requests administrative and non-administrative information, and maintains two-way communication with the Windows kernel via the subsystem.

c) A well-defined, protocol-based communication channel, such as CIFS/SMB or NFS.

The PIM Endpoint (EP) is installed at the client system level, where all file I/O redirection to the server happens. By design, the product consists of a file system filter driver plus a network filter driver. It does not filter or track any file I/O to a mapped folder or drive that takes the network route over a protocol such as CIFS or NFS.

This is because Microsoft provides no infrastructure for filtering remote file I/O and no documented way to hook the redirector or its namespace.

PIM EP drivers currently support files that reside on persistent media (a local disk or SAN) or on cached media on the local system, not on remote systems.

To protect a remote share, the files that the remote share represents need to be protected as well, on the system where they actually reside.
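A practical consequence of the above is that any `nr file` rule whose path resolves to a mapped network drive will silently never audit on the Windows endpoint. The following added example (not part of this article or of the PIM product; the selang rule lines it scans are constructed, and the function name is hypothetical) flags such rules by checking the drive type of each resource path, and also treats UNC paths as remote since they go through the same redirector.

```powershell
# Added example: find PIM "nr file" rules whose path is served by the SMB
# redirector (mapped network drive or UNC share), where the PIM EP filter
# driver will not see the file I/O and therefore produces no audit record.

# Constructed sample of selang rule lines (in practice, read them from a
# saved export of the endpoint's FILE class rules)
$ruleLines = @(
    'nr file C:\Payroll\* audit(all) defaccess(all)',
    'nr file T:\* audit(all) defaccess(all)',
    'nr file \\fileserver\finance\* audit(all) defaccess(none)'
)

function Get-RemoteFileRules {
    param([string[]]$Lines)

    foreach ($line in $Lines) {
        # Resource path is the token that follows "nr file"
        if ($line -notmatch '^\s*nr\s+file\s+(\S+)') { continue }
        $path = $Matches[1]

        $reason = $null
        if ($path.StartsWith('\\')) {
            $reason = 'UNC path: handled by the SMB redirector, not a local volume'
        }
        elseif ($path -match '^([A-Za-z]):') {
            # DriveType reports Network for drives mapped to a remote share
            $drive = New-Object System.IO.DriveInfo ($Matches[1] + ':\')
            if ($drive.DriveType -eq [System.IO.DriveType]::Network) {
                $reason = "mapped network drive $($drive.Name) -> not audited by PIM EP"
            }
        }

        if ($reason) {
            [pscustomobject]@{ Rule = $line; Path = $path; Reason = $reason }
        }
    }
}

# Rules listed here need an equivalent rule on the server that hosts the files
Get-RemoteFileRules -Lines $ruleLines | Format-Table -AutoSize
```

Run it on the endpoint itself, since drive letters are mapped per machine (and per user session); a drive that is not mapped at the time of the check reports a non-Network type and is not flagged.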