Audit Access to C$

Secure Infrastructure Blog

Hi Guys, a customer asked me for a visibility about who is accessing C$ on his environment, users were claiming about admins that are using domain admins privileges to access c$ on client computers. What this customer asked for is a daily report about who is accessing c$. Using Event forwarding and PowerShell we were able to have a daily email with the information we need. If you are interested follow the steps 😉.

  • Enable audit on client computers.
  • Configure Event forwarding to centralize logs on a server.
  • Script to treat events on the WEF server and send a daily csv file about who is accessing c$ on which computer.

I- Enable Audit on client computers

We will enable auditing on the client computers scope using a GPO. let’s do it.

Create and link a GPO on your target OU, LabComputers OU in my scenario.

Edit the GPO and configure…

View original post 526 more words

Thank you so much

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s