Sunday, 25 October 2020

File locks: Poor man's auditing on SMB Windows File Servers

Do you need a lightweight solution to get a rough idea of what people are up to on your Windows File Servers?

Try the below.

This will:

  • Document all file locks (files held open over SMB) on your Windows File Server
  • Export the results as a CSV which can be opened in Excel
  • Create a cumulative list: the longer it runs, the more you know
This won't:
  • Tell you when files were accessed (e.g. date/time)
  • Capture info about files which were accessed but not held open at the moment of a poll (anything opened and closed between two polls is missed)
  • Provide a forensic-grade audit trail of what users are doing
If your goal is auditing for security or compliance, don't use this script; enable the built-in Windows file auditing instead (the Object Access / File System audit policy plus SACLs on the folders you care about). However, if your goal is to get a feel for what people are actually using over time while leaving everything else as-is, this is the script for you.

All you need is the PowerShell Active Directory module (from RSAT) on a recent Windows Server version. Get-SmbOpenFile and Close-SmbOpenFile come from the SmbShare module that ships with Server 2012 and later, so although I wrote this for Windows Server 2016, in theory it should work on Server 2012 R2 or newer just fine. Run it in an elevated session on the file server itself: the Smb cmdlets need local administrator rights, and because Close-SmbOpenFile -Force closes the client's handle out from under it (any unsaved data on that client is lost), keep $root outside any share your users work in.

## User Editable variables
$domain   = "CONTOSO"
$root     = "C:\ServerFolders\Security\OpenFiles"
$interval = 10
##

# Get-ADUser lives in the RSAT ActiveDirectory module; Get-SmbOpenFile is in SmbShare (built in on 2012 R2+)
Import-Module ActiveDirectory
$ErrorActionPreference = "SilentlyContinue"

# Make sure the output folder exists before we start writing CSVs into it
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Infinite loop for simplicity; stop it with Ctrl+C
while ($true)
{
    # Get full AD user list
    $userlist = Get-ADUser -Filter * | Select-Object SamAccountName

    # Unlock our own CSVs (e.g. someone has one open in Excel over SMB) so they can be rewritten.
    # -Force drops the client's handle without warning, so keep $root out of any share users work in.
    Get-SmbOpenFile | Where-Object { $_.Path -like "$root\*" } | Close-SmbOpenFile -Force

    # For every user, make an open file list
    foreach ($user in $userlist)
    {
        $name = $user.SamAccountName
        $csv  = "$root\$name.csv"

        # Initialise as an empty array in case no previous log exists. (Initialising to "" or
        # letting a failed Import-Csv leave $null behind would carry a blank record through
        # Select-Object and into the CSV on every pass.)
        $old = @()
        if (Test-Path -Path $csv) {
            $old = @(Import-Csv -Path $csv)
        }

        # Current handles held by this user, one row per client/path pair
        $new = @(Get-SmbOpenFile -ClientUserName "$domain\$name" |
                 Select-Object ClientComputerName, Path -Unique |
                 Sort-Object Path)

        # Combine the previous list and the current list, keeping only unique records
        $combined = (@($old) + @($new)) | Select-Object ClientComputerName, Path -Unique

        # Re-export the combined unique set (users who have never held a handle get no file)
        if ($combined) {
            $combined | Export-Csv -Path $csv -NoTypeInformation
        }
    }

    ## Start sleeping
    Start-Sleep -Seconds $interval
}
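Two things bite this approach in practice: Select-Object -Unique compares strings case-sensitively on Windows PowerShell 5.1, while SMB paths and host names are not case-sensitive, so the same file can accumulate as several records; and calling Get-SmbOpenFile once per AD user is one CIM query per account per poll. The block below is an added example, not part of the original post, that merges records on a lower-cased key and collects the whole server's open files with a single query grouped by user. The function names (Merge-OpenFileRecords, Get-OpenFileRecordsByUser, Update-OpenFileLog) and the sample records are my own; the live-collection calls at the end are commented out so the block runs offline.

```powershell
# Added example (not the original post's script). Merges open-file records
# case-insensitively and collects Get-SmbOpenFile output once per poll.

function Merge-OpenFileRecords {
    param(
        [object[]] $Previous = @(),   # records from the existing CSV (may be empty)
        [object[]] $Current  = @()    # records from the latest snapshot (may be empty)
    )
    # Key on lower-cased "computer|path": SMB host names and paths are case-insensitive,
    # but Select-Object -Unique is not on PowerShell 5.1, so \\SRV\A.docx and \\srv\a.docx
    # would otherwise survive as two records. First occurrence wins; blanks are skipped.
    $seen = @{}
    foreach ($rec in @($Previous) + @($Current)) {
        if ($null -eq $rec -or [string]::IsNullOrWhiteSpace($rec.Path)) { continue }
        $key = ('{0}|{1}' -f $rec.ClientComputerName, $rec.Path).ToLowerInvariant()
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = [pscustomobject]@{
                ClientComputerName = $rec.ClientComputerName
                Path               = $rec.Path
            }
        }
    }
    # Always return an array so callers can pipe zero or one record safely
    return @($seen.Values | Sort-Object Path)
}

function Get-OpenFileRecordsByUser {
    # One CIM query for the whole server instead of one per AD user. Returns a hashtable
    # of SamAccountName -> records; only users currently holding a handle appear.
    param([string] $Domain)
    $byUser = @{}
    Get-SmbOpenFile | ForEach-Object {
        # ClientUserName is "DOMAIN\user"; skip other domains and local accounts
        $parts = $_.ClientUserName -split '\\', 2
        if ($parts.Count -ne 2 -or $parts[0] -ne $Domain) { return }   # -ne is case-insensitive
        $name = $parts[1]
        if (-not $byUser.ContainsKey($name)) { $byUser[$name] = @() }
        $byUser[$name] += [pscustomobject]@{ ClientComputerName = $_.ClientComputerName; Path = $_.Path }
    }
    return $byUser
}

function Update-OpenFileLog {
    # Merge the latest snapshot for one user into that user's CSV under $Root.
    param([string] $Root, [string] $Name, [object[]] $Current)
    $csv = Join-Path -Path $Root -ChildPath "$Name.csv"
    $previous = @()
    if (Test-Path -Path $csv) { $previous = @(Import-Csv -Path $csv) }
    $merged = Merge-OpenFileRecords -Previous $previous -Current $Current
    if ($merged.Count -gt 0) { $merged | Export-Csv -Path $csv -NoTypeInformation }
    return $merged
}

# Constructed sample data (not from a real server): one record already on disk and a fresh
# snapshot containing a case-variant duplicate of it plus one genuinely new file.
$previous = @(
    [pscustomobject]@{ ClientComputerName = 'PC01'; Path = 'C:\Shares\Finance\Q3.xlsx' }
)
$current = @(
    [pscustomobject]@{ ClientComputerName = 'pc01'; Path = 'c:\shares\finance\q3.xlsx' },
    [pscustomobject]@{ ClientComputerName = 'PC02'; Path = 'C:\Shares\Finance\Budget.docx' }
)
Merge-OpenFileRecords -Previous $previous -Current $current | Format-Table -AutoSize

# Live use on a file server (elevated session required), one query per poll:
# $snapshot = Get-OpenFileRecordsByUser -Domain 'CONTOSO'
# foreach ($name in $snapshot.Keys) {
#     Update-OpenFileLog -Root 'C:\ServerFolders\Security\OpenFiles' -Name $name -Current $snapshot[$name] | Out-Null
# }
```

Run as-is, the sample merge prints two records (Budget.docx and Q3.xlsx); the lower-case variant of Q3.xlsx is recognised as the same file and dropped. Swap the commented-out calls into the original while loop in place of the per-user Get-SmbOpenFile call to get the same cumulative CSVs with far fewer CIM round-trips; the caveats from the list above still apply, in particular that anything opened and closed between two polls is never seen.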




The algorithms are not the problem. We are.

Lately, I have seen an awful lot of news postings regarding the use of computer algorithms and the resulting impact on shaping how we each individually view the world around us. From written articles in specialist IT news publications to mainstream media, everyone seems to be concerned about the unintended consequences of companies personalising/tailoring the services we use to our specific needs.

Just today, The Young Turks ran an op-ed on an ARG-gone-wrong and how people are now falsely accusing random celebrities of having committed serious crimes as a result:

What people seem to forget (especially us folks in IT and infosec) is that the personalisation/tailoring of services is almost invariably in everybody's best interests. For example, when a car enthusiast wants to search the web for "Golf" or "Polo" they're likely not interested in the sport but in a specific model of car. Personalisation in this instance means that people can get better, more useful results from less specific search queries. If you're interested in video games, stores like Steam will make recommendations and offers based upon other games you have played or (in the case of multiplayer game enthusiasts) what you are likely to play with friends. For music and movies, this is even more important, as services like Netflix and Spotify will automatically identify genuine interests, to make navigating through an all-you-can-eat buffet of multimedia that much easier. This all works in our favour to deliver exactly what we want.

Everything is working as intended when people want to follow down a rabbit hole for pure fun and entertainment, and that is what an ARG is. As you're reading this very article, you most likely have free access to multiple online archival services, as well as commercially-backed search engines, to easily locate the point of origin for this madness. Even mainstream journalists have done their job (for once) and documented the origins of this hilariously crazy fan-fiction (which I shall deliberately not name). We can surmise from this that the real problem in this instance is the result of an education system which does not encourage people to always do real research; which begins by determining the provenance of assumed information, while weighting this alongside the prominence of the source and trustworthy peer review. If it did, there is no way that we would be seeing American politicians risking mainstream majority votes to appeal to a far less educated, niche voter base.

Google, Spotify, Netflix, Amazon, Facebook and Twitter are all very popular worldwide, are all eligible scapegoats and yet we're not seeing the same American madness across all of the other countries they're dominant in. It should be obvious to all that this is because the problem isn't an algorithmic one, it's a human one. The problem is us. But thankfully, we're also the solution. The Internet gives all of us instant and immediate access to a vast, ever-expanding quantity of data, while simultaneously enabling anyone and everyone to publish what they want. It's time we started teaching people how to better utilise this privately-maintained public commons for the public good - and started rewarding people for doing so.