Is it possible to audit object access of a file stored on a cluster shared volume (CSV)? My searches haven't come up with anything definitive. In my test environment, I've enabled NTFS auditing, Success/Failure/All, Everyone, Full
control on C:\ClusterStorage\Volume1\Test. Verified all objects in the folder and subfolders are inheriting the settings. Set Advanced Audit Policy Configuration, Object Access and enabled Success/Failure on Audit File Share, Audit File System,
and Audit Handle Manipulation. Copied a file in folder Test to c:\, no events are recorded in the security log. Enabled auditing on a file on C:\, security events all day long. Seems like once a volume is designated as a CSV, all
its NTFS features are relegated to the ether. If this is the case, isn't this a big security hole. Can't even track if someone is copying a vhdx.
↧