Step 1: Turn on File Share Auditing
# Enable Object Access auditing for both Success and Failure. This turns on every subcategory under Object Access (file system, registry, handle manipulation, ...), not only share access; the events listed in Step 3 come from the "File Share" (5140, 5142-5144, 5168) and "Detailed File Share" (5145) subcategories, so on a busy server consider enabling just those two with auditpol /set /subcategory:"File Share" ... instead.
auditpol /set /category:"Object Access" /success:enable /failure:enable
Or in the GUI, run: GPEDIT.MSC > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > double-click ‘Audit object access’ > put check marks next to ‘Success’ and ‘Failure’ > OK. Note that if "Force audit policy subcategory settings to override audit policy category settings" is enabled, the Advanced Audit Policy subcategories take precedence over this legacy setting.
Step 2: Apply Audit Policy to Shared Folders
Run: explorer.exe > navigate to the shared folder > right-click the folder and select Properties > click the Security tab > Advanced
Click the Auditing tab > if the list of auditing entries is empty, click Add
Set Principal to ‘Everyone’ > Type ‘All’ (Success and Failure) > Applies to ‘This folder, subfolders and files’ > insert check marks next to ‘Read & execute’, ‘List folder contents’, and ‘Read’ > OK
Click OK (or Continue) through any prompts about propagating the auditing entries to child objects. Without a SACL on the folder the policy from Step 1 produces no file-level events; the share-level 5140/5145 events, however, depend only on the audit policy, not on the folder SACL.
Step 3: Test
Log on to the SMB server and open Event Viewer (eventvwr.exe) > navigate to Windows Logs > right-click Security > Filter Current Log > enter ‘5140’ (or any of the IDs in the list below) in the Event IDs field > OK
SMB Access Event IDs List:
5140(S, F): A network share object was accessed. Logged once per session when the client first connects to a share.
5142(S): A network share object was added.
5143(S): A network share object was modified.
5144(S): A network share object was deleted.
5145(S, F): A network share object was checked to see whether the client can be granted the desired access (for example Synchronize, ReadData, ListDirectory, ReadAttributes). Logged for every access check on every file or folder under the share, so it is high volume and should be filtered by share name or path.
5168(F): SPN check for SMB/SMB2 failed.
From a remote machine, open a file via the share's UNC path on the SMB server > return to the SMB server console session, refresh Event Viewer and look for the ‘Audit Success’ entry
Here’s the text of a sample 5140 event. Note that the Share Name here is \\*\IPC$, the named-pipe share that every SMB session connects to during setup; to confirm access to the data share from Step 2, look for an event whose Share Name is that share rather than IPC$.
A network share object was accessed.
Subject:
    Security ID: intranet\TestUser
    Account Name: TestUser
    Account Domain: intranet
    Logon ID: 0x80160F50
Network Information:
    Object Type: File
    Source Address: 10.10.10.10
    Source Port: 58341
Share Information:
    Share Name: \\*\IPC$
Access Request Information:
    Access Mask: 0x1
    Accesses: ReadData (or ListDirectory)
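The three steps above as a single PowerShell script, added here as an example and not taken from the original page: it enables the two share-audit subcategories, puts the same audit entry on the folder that Step 2 sets in the GUI, and then queries the Security log for 5140/5145 events and extracts the fields shown in the sample event. The share path D:\Shares\Public, the function name Get-SmbShareAccessEvent and the choice to drop IPC$ by default are assumptions for illustration; run it in an elevated session on the file server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page). Assumed local path of the shared folder:
$SharePath = 'D:\Shares\Public'

# Step 1: enable only the subcategories that produce the share events.
# "File Share" -> 5140, 5142-5144, 5168; "Detailed File Share" -> 5145.
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
auditpol /get /category:"Object Access"   # verify the resulting settings

# Step 2: add the SACL entry (Everyone, Read & execute / List / Read, Success+Failure,
# applied to this folder, subfolders and files). -Audit is required to read/write the SACL.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, ListDirectory, Read',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Step 3: pull 5140/5145 events and flatten the EventData fields used for triage.
# Field names (SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask, ...)
# are the <Data Name="..."> elements of the event XML.
function Get-SmbShareAccessEvent {
    param(
        [int[]]$Id = @(5140, 5145),
        [int]$MaxEvents = 200,
        [string]$ExcludeShare = '\\*\IPC$'   # assumed default: hide IPC$ session-setup noise; pass '' to keep it
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Id             = $_.Id
                Outcome        = $(if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' })
                User           = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                SourceAddress  = $d['IpAddress']
                SourcePort     = $d['IpPort']
                ShareName      = $d['ShareName']
                RelativeTarget = $d['RelativeTargetName']   # populated on 5145 only
                AccessMask     = $d['AccessMask']
                # AccessList holds raw %%NNNN resource codes (e.g. %%4416 = ReadData); keep them for matching.
                AccessList     = ($d['AccessList'] -replace '\s+', ' ').Trim()
            }
        } |
        Where-Object { $ExcludeShare -eq '' -or $_.ShareName -ne $ExcludeShare }
}

# Usage: recent share access, then who touched shares from where.
Get-SmbShareAccessEvent |
    Format-Table Time, Id, Outcome, User, SourceAddress, ShareName, RelativeTarget, AccessMask -AutoSize
Get-SmbShareAccessEvent -MaxEvents 5000 |
    Group-Object User, SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Filtering on ShareName (and, for 5145, RelativeTarget) is what keeps the query usable: 5145 fires on every access check, so on a busy server a 5000-event window may cover only a few minutes.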