The Server Monkey's Blog

Even a monkey using a typewriter will bang out a word every now and then…

Configure SCOM to alert when new shares are created

My company, like many other companies, is under strict regulations from governments at various levels to control who has access to sensitive data. We not only have to worry about who can access data on our network from outside the corporate firewall, but also about users who are internal. One of the most difficult struggles we have had is controlling who has access to shared folders on our internal servers.

Since we delegate administrative privileges on many of our servers to other groups in IT (such as DBAs or Application Developers), it is a frequent occurrence that one of these individuals will create a new file share but not lock it down properly. As you may know, shares created on a server running Windows Server 2003 are, by default, open to “Everyone” with read-only access. So, how can you get some control over this situation? You can beat systems administrators over the head with policies until your arms are tired, or you can configure SCOM to send an alert any time a share is created on any of your monitored servers.

SCOM can be configured to monitor for WMI events in addition to events in the Windows event logs.  Fortunately for us, a WMI event is triggered every time a shared folder is created in Windows.  Unfortunately for us, the WMI event looks the same no matter what is shared, so SCOM will not differentiate between a new shared printer and a new shared folder.  However, if you are like me, you won’t mind getting notified when printer shares are created, as long as you are also notified when a folder is shared.

I want to make it clear that I didn’t come up with this on my own; I simply pulled information from other sources on the Internet and used what I needed to accomplish my goals. The following two blog posts were very helpful for me:

http://blogcastrepository.com/blogs/francoisd/archive/2008/09/22/scom-2007-how-to-raise-alerts-using-wmi-event-rule-and-get-the-desired-variable-in-alert-description.aspx

http://blogs.technet.com/b/smsandmom/archive/2008/08/21/opsmgr-2007-how-to-create-a-monitor-to-alert-when-a-network-share-is-created.aspx

Now, here’s what I did:

  1. We’re going to be creating a rule.  Launch the Operations Manager Console UI, go to Authoring, select Rules.
  2. Right-click Rules, select “Create New Rule.”
  3. On the Create Rule Wizard, expand Collection Rules > Event Based > WMI Event and click Next (don’t forget to select a custom management pack other than the “Default Management Pack”).
  4. Enter a Rule Name (I used “New network file share created”) and if you would like, you can also enter a description.
  5. On Rule Category, select Alert.
  6. For Rule Target, click Select, click on View All Targets, and select Windows Computer.
  7. For WMI Namespace, type root\cimv2 and for Query, enter the following: SELECT * FROM __InstanceCreationEvent WITHIN 120 WHERE TargetInstance ISA 'Win32_Share'
  8. Set the Poll Interval to 120 seconds.

When finishing out the rule, you’ll want to configure this rule to have a response of an Alert.  Here was the tricky part for me.  I needed to get useful information out of the WMI Event to put into the alert so I could make sense of what the alert was telling me.  Specifically, I wanted to know the name of the share and the local path to the folder on the server.  Configure your alert to look like the following screen shot:

After configuring the alert, I set up a subscription in SCOM for the alert to email me whenever a new share is created. Now I am able to check new shares when they are created to make sure they are locked down with the appropriate permissions.
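
To check that the query from step 7 fires, and to see the share name, local path and share type carried in TargetInstance before building the rule, the same WQL can be run from PowerShell on a test server (an added example, not part of the original post or of SCOM). The source identifier NewShareTest and the helper Get-ShareKind are names made up for this example.

```powershell
# Added example: subscribe to the same WMI event the SCOM rule uses and print
# the properties of each new Win32_Share. Run on Windows, PowerShell 3.0 or later.

$query = "SELECT * FROM __InstanceCreationEvent WITHIN 120 " +
         "WHERE TargetInstance ISA 'Win32_Share'"
$sourceId = 'NewShareTest'   # hypothetical name, used only by this script

# Map the Win32_Share.Type value to a label, so a shared folder can be told
# apart from a shared printer even though the creation event is the same.
function Get-ShareKind([uint32]$Type) {
    switch ($Type) {
        0       { 'Disk Drive' }
        1       { 'Print Queue' }
        2       { 'Device' }
        3       { 'IPC' }
        default { "Other or administrative share (Type=$Type)" }
    }
}

Register-CimIndicationEvent -Namespace 'root\cimv2' -Query $query `
    -SourceIdentifier $sourceId

try {
    # WITHIN 120 means WMI polls every 120 seconds, so a new share can take
    # up to two minutes to show up here.
    Write-Host 'Waiting for new shares. Press Ctrl+C to stop.'
    while ($true) {
        $e = Wait-Event -SourceIdentifier $sourceId -Timeout 5
        if (-not $e) { continue }

        # TargetInstance is the Win32_Share object that was just created.
        $share = $e.SourceEventArgs.NewEvent.TargetInstance
        [pscustomobject]@{
            Time     = $e.TimeGenerated
            Computer = $env:COMPUTERNAME
            Name     = $share.Name
            Path     = $share.Path
            Kind     = Get-ShareKind $share.Type
        }
        Remove-Event -EventIdentifier $e.EventIdentifier
    }
}
finally {
    # Always drop the subscription so the WMI query does not keep running.
    Unregister-Event -SourceIdentifier $sourceId
}
```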

Written by Tim

July 13, 2010 at 4:25 pm
