EldoS | Feel safer!

Software components for data protection, secure storage and transfer

SID of remote user on a network share is always that of SYSTEM

#35776
Posted: 01/30/2016 23:26:06
by Vinay K (Basic support level)
Joined: 01/30/2016
Posts: 9

Please excuse me if this question is already answered.

I have shared a folder as UserA. If I do any FS activity on this folder through Explorer, the FileMon logs everything correctly (with correct username/domain).

However, if a remote user UserB network mounts this share and does some activity, her FS events are always logged as SYSTEM. I understand that the SYSTEM does all operations on UserB's behalf, but is there a way I could get the original user?

I tried logging the SID too, but this belongs to SYSTEM.

I am running CallbackFilter Version 4.0.97 on Windows Server 2012 R2.

Thanks
#35777
Posted: 01/31/2016 06:31:02
by Vladimir Cherniga (EldoS Corp.)

Quote
G_115198218267181571372 wrote:
but is there a way I could get the original user?

For that case you must change the impersonation method for the network users through the Administrative console. Otherwise, all users will be impersonated as NT_AUTHORITY\System. You may check this problem using the Process Monitor tool from sysinternals.com. It allows you to monitor file system requests and shows the "User" and "Authentication Id" fields when you select the corresponding columns in the settings.
#35779
Posted: 01/31/2016 23:54:05
by Vinay K (Basic support level)
Joined: 01/30/2016
Posts: 9

Where is the Administrative console on 2012 server and where is the impersonation method set?

I think, this should be a common method and should be well documented somewhere. Can you share some links?

Thanks
#35788
Posted: 02/01/2016 06:51:44
by Vladimir Cherniga (EldoS Corp.)

Use the attached screenshot as a hint.


#35798
Posted: 02/01/2016 15:53:32
by Vinay K (Basic support level)
Joined: 01/30/2016
Posts: 9

This works fine when the share is accessed on that machine.
What I mean is if users access the share via Remote Desktop/ or switch user on same machine, it logs it correctly.

However, if the share is accessed as a network share from some other box, I see only SYSTEM user doing all operations.

Also, the Audit logs do give all the information properly. (The event details have the full user information.)
#35799
Posted: 02/01/2016 16:13:07
by Eugene Mayevski (EldoS Corp.)

CallbackFilter works differently from Audit logs and provides the information that has been presented to it by the OS. In particular, if the thread that sends the request works under SYSTEM account, then there's not much we can do to retrieve the actual user name.


Sincerely yours
Eugene Mayevski
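Since the Security log carries the full subject for a share access while the filter only sees the SMB server's SYSTEM thread, the practical workaround is to recover the user from the audit trail and correlate it with the filter's own record. The following is an added example and is not CallbackFilter or EldoS code. It assumes an elevated session on the file server, that the "Detailed File Share" audit subcategory (event 5145) is enabled, and the sample event, SID, share and path below are constructed, not captured from a real system.

```powershell
# Added example, not CallbackFilter or EldoS code: recover the real remote user
# behind an SMB share access from the Security log (event 5145), which carries
# the full subject even when a file system filter only sees the SMB server's
# SYSTEM thread. Assumes an elevated session on the file server and that the
# "Detailed File Share" audit subcategory is enabled; the sample event below
# is constructed, with made-up SID, share and path.

# One-time setup on the server (elevated): turn on the subcategory that emits 5145.
function Enable-DetailedFileShareAudit {
    & auditpol.exe /set /subcategory:"Detailed File Share" /success:enable /failure:enable
}

# Flatten one 5145 event into the fields worth correlating with the filter's log.
function ConvertFrom-Event5145 {
    param([Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    foreach ($item in $EventXml.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.'#text' }
    [pscustomobject]@{
        TimeCreated = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        User        = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Sid         = $d.SubjectUserSid
        # Logon session LUID; Process Monitor shows the same value as "Authentication Id".
        # 0x3e7 is the SYSTEM session, which is what the filter was reporting.
        LogonId     = $d.SubjectLogonId
        ClientIp    = $d.IpAddress
        Share       = $d.ShareName
        # ShareLocalPath is an NT path (\??\C:\...); strip the prefix to get the Win32
        # path the filter logs, then append the share-relative target.
        LocalPath   = (($d.ShareLocalPath -replace '^\\\?\?\\', '').TrimEnd('\') + '\' + $d.RelativeTargetName)
        AccessMask  = [convert]::ToInt32($d.AccessMask, 16)
    }
}

# Live query: recent 5145 events, optionally limited to paths under one folder.
function Get-ShareAccessByUser {
    param([string]$PathFilter = '*', [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Event5145 -EventXml ([xml]$_.ToXml()) } |
        Where-Object { $_.LocalPath -like $PathFilter }
}

# Pair one SYSTEM-attributed filter event (path + time) with the closest 5145
# for the same local path inside a small window, returning the real user.
function Find-ShareUserForFilterEvent {
    param(
        [Parameter(Mandatory)][string]$LocalPath,
        [Parameter(Mandatory)][datetime]$When,
        [Parameter(Mandatory)][object[]]$AuditEvents,
        [int]$WindowSeconds = 5
    )
    $AuditEvents |
        Where-Object { $_.LocalPath -eq $LocalPath -and
                       [math]::Abs(($_.TimeCreated - $When).TotalSeconds) -le $WindowSeconds } |
        Sort-Object { [math]::Abs(($_.TimeCreated - $When).TotalSeconds) } |
        Select-Object -First 1
}

# Constructed sample event (not captured from a real server).
$sample5145 = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5145</EventID>
    <TimeCreated SystemTime="2016-02-01T15:40:12.123456700Z"/>
    <Channel>Security</Channel>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">UserB</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1b</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">10.0.0.25</Data>
    <Data Name="IpPort">49812</Data>
    <Data Name="ShareName">\\*\Shared</Data>
    <Data Name="ShareLocalPath">\??\C:\Shared</Data>
    <Data Name="RelativeTargetName">docs\report.txt</Data>
    <Data Name="AccessMask">0x120089</Data>
    <Data Name="AccessList">%%4416 %%4423</Data>
  </EventData>
</Event>
'@

$parsed = ConvertFrom-Event5145 -EventXml $sample5145
# What the filter logged: SYSTEM touching C:\Shared\docs\report.txt one second later.
$real = Find-ShareUserForFilterEvent -LocalPath 'C:\Shared\docs\report.txt' `
            -When ([datetime]'2016-02-01T15:40:13Z') -AuditEvents @($parsed)
"{0} from {1} (logon {2}) opened {3}" -f $real.User, $real.ClientIp, $real.LogonId, $real.LocalPath
```

On a live server, replace `@($parsed)` with the output of `Get-ShareAccessByUser -PathFilter 'C:\Shared\*'`. The correlation key is the local path plus a short time window; 5145 is emitted once per open, so a filter that logs every read or write on the handle will match several of its records to one audit event, which is expected.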
#35800
Posted: 02/01/2016 18:06:31
by Vinay K (Basic support level)
Joined: 01/30/2016
Posts: 9

Thanks Eugene!

Yes, that makes sense.

Is there a way to tell the OS to execute FS requests as a real user and not SYSTEM? Maybe configuring a share or something should let us specify that.

Thanks
#35801
Posted: 02/01/2016 18:08:33
by Eugene Mayevski (EldoS Corp.)

Quote
G_115198218267181571372 wrote:
Is there a way to tell the OS to execute FS requests as a real user and not SYSTEM? May be configuring a share or something should let us specify that.


Yes, if the share requires authentication, then user accounts, used to login to the share, should be reported.


Sincerely yours
Eugene Mayevski
#35802
Posted: 02/01/2016 18:20:56
by Vinay K (Basic support level)
Joined: 01/30/2016
Posts: 9

IIUC, we can tie the login information to the FS events?

But this probably won't work if many users are accessing the share simultaneously, where the real user is different for different FS events.

Thanks
#35803
Posted: 02/01/2016 18:32:29
by Eugene Mayevski (EldoS Corp.)

The number of users doesn't matter: if the share is not anonymous, user names will be reported, and if the share allows anonymous access, you'll get SYSTEM as a user.

I must note that the problem with the System account comes from the fact that it's really a system process accessing the files. This means that if you run some other share method (e.g. using some other protocol and your own server), and this method doesn't impersonate users, you'll not be getting the remote user name either.


Sincerely yours
Eugene Mayevski
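The condition Eugene describes for a custom server, that its worker threads impersonate the authenticated client before touching the file system, can be shown in user mode. The following is an added example and is not CallbackFilter or EldoS code. It assumes Windows PowerShell 5.1 (.NET Framework, where WindowsIdentity.Impersonate is available), a session that is allowed to impersonate (a service or an elevated admin), a test account whose credentials the caller supplies, and a made-up file path.

```powershell
# Added example, not CallbackFilter or EldoS code: a "server" that hands a file
# request to the file system while impersonating the authenticated client, so a
# filter inspecting the requestor's token sees the client's SID instead of the
# server process account (SYSTEM for a service). Assumes Windows PowerShell 5.1,
# a session permitted to impersonate, and credentials for a test account; the
# file path is an assumption.
Add-Type -Namespace Win32 -Name Advapi32 -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

$LOGON32_LOGON_NETWORK    = 3   # network-style logon: an impersonation token, like the one SMB uses
$LOGON32_PROVIDER_DEFAULT = 0

# Run $Action on this thread under the client's token, then drop back to the server identity.
function Invoke-AsClient {
    param(
        [Parameter(Mandatory)][pscredential]$Client,
        [Parameter(Mandatory)][scriptblock]$Action
    )
    $nc     = $Client.GetNetworkCredential()
    $domain = if ($nc.Domain) { $nc.Domain } else { '.' }   # '.' = local machine account
    $token  = [IntPtr]::Zero
    if (-not [Win32.Advapi32]::LogonUser($nc.UserName, $domain, $nc.Password,
            $LOGON32_LOGON_NETWORK, $LOGON32_PROVIDER_DEFAULT, [ref]$token)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed: $([ComponentModel.Win32Exception]::new($err).Message)"
    }
    $ctx = $null
    try {
        $identity = [System.Security.Principal.WindowsIdentity]::new($token)
        $ctx = $identity.Impersonate()
        # Every I/O issued here carries the client's token on this thread; a filter
        # that reads the requestor's security context reports the client, not SYSTEM.
        & $Action
    } finally {
        if ($ctx) { $ctx.Undo() }            # back to the server's own account
        [void][Win32.Advapi32]::CloseHandle($token)
    }
}

# Without impersonation the same open is attributed to whoever runs this process.
function Invoke-AsServer {
    param([Parameter(Mandatory)][scriptblock]$Action)
    & $Action
}

$probe = {
    [pscustomobject]@{
        IdentitySeenByFileSystem = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        BytesRead                = [IO.File]::ReadAllBytes('C:\Shared\docs\report.txt').Length
    }
}

$client = Get-Credential -Message 'Test account to impersonate (e.g. CORP\UserB)'
Invoke-AsServer -Action $probe                      # reports the process account
Invoke-AsClient -Client $client -Action $probe      # reports CORP\UserB for the same read
```

The two calls open the same file; only the second one reaches the file system with the client's token, which is the difference between an access logged as SYSTEM and one logged with the real user. A real server would obtain the token from its authentication step (for example ImpersonateNamedPipeClient or AcceptSecurityContext followed by QuerySecurityContextToken) rather than from a password, but the impersonate-then-open ordering is the same.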