This rule monitors situations where Single Instance Storage (SIS) has been disabled for a volume due to a security issue. This can be caused by a permissions change for SIS private folders on the affected volume. SIS will be disabled on the volume until the issue is resolved.
An alert will be generated for every individual volume that has the issue. The alert description will contain the volume details. Only a single alert will be generated per unique volume that exhibits this condition.
A change has been made by an administrator to security permissions for the SIS private folders on the volume. SIS uses a hidden directory called SIS Common Store and permissions on this directory should not be modified.
To restore permissions to the correct settings, use the following steps:
1. Identify the volume with the problem from the alert description.
2. On the affected server, open an elevated command prompt.
3. Type sisadmin /i [volume], where [volume] is the applicable volume name, e.g. sisadmin /i d:
You must manually resolve alerts after the issue has been resolved.
Target | Microsoft.Windows.FileServer.Service.SIS.2008R2 |
Category | SecurityHealth |
Enabled | True |
Event_ID | 12306 |
Event Source | Groveler |
Alert Generate | True |
Alert Severity | Error |
Alert Priority | Normal |
Remotable | True |
Alert Message | |
Event Log | Application |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
GenerateAlert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.Windows.FileServer.Service.SIS.2008R2.VolumeNotSecure" Target="Microsoft.Windows.FileServer.Service.SIS.2008R2" Enabled="true" Remotable="true" ConfirmDelivery="true">
  <Category>SecurityHealth</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">Groveler</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">12306</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.FileServer.Service.SIS.2008R2.VolumeNotSecure.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Params/Param[1]$</AlertParameter1>
        <AlertParameter2>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter2>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/Params/Param[1]$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>
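The following added example (not part of the management pack) evaluates the rule's filter expression against constructed events and folds repeats that share Param[1], which is how one alert per volume results. The function names, the event dictionary layout, the sample values and keying on the computer name are assumptions made for illustration, as is the simplified suppression model.

```python
import xml.etree.ElementTree as ET
# The rule's filter, copied from the Rule XML on this page (whitespace condensed).
RULE_EXPRESSION = """<Expression><And>
  <Expression><SimpleExpression>
    <ValueExpression><XPathQuery Type="String">PublisherName</XPathQuery></ValueExpression>
    <Operator>Equal</Operator>
    <ValueExpression><Value Type="String">Groveler</Value></ValueExpression>
  </SimpleExpression></Expression>
  <Expression><SimpleExpression>
    <ValueExpression><XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery></ValueExpression>
    <Operator>Equal</Operator>
    <ValueExpression><Value Type="UnsignedInteger">12306</Value></ValueExpression>
  </SimpleExpression></Expression>
</And></Expression>"""

def operand(value_expr, event):
    # A <ValueExpression> holds an event-field lookup or a typed literal.
    node = value_expr[0]
    raw = event.get(node.text) if node.tag == "XPathQuery" else node.text
    if raw is None:
        return None
    return int(raw) if node.get("Type") == "UnsignedInteger" else str(raw)

def matches(expr, event):
    # Evaluate an <Expression> tree; only And and Equal are handled here.
    node = expr[0]
    if node.tag == "And":
        return all(matches(child, event) for child in node)
    if node.tag != "SimpleExpression" or node[1].text != "Equal":
        raise ValueError("unsupported expression: " + node.tag)
    return operand(node[0], event) == operand(node[2], event)

def alerts_for(events):
    # Fold matching events that share computer and Param[1] into one alert.
    expr, alerts = ET.fromstring(RULE_EXPRESSION), {}
    for ev in events:
        if matches(expr, ev):
            key = (ev["Computer"], ev["Params"][0])  # SuppressionValue
            alerts[key] = alerts.get(key, 0) + 1  # value = events folded in
    return alerts

# Constructed sample events (source, event ID, Param[1]); values are made up.
SAMPLE_EVENTS = [
    {"Computer": "fs01", "PublisherName": s, "EventDisplayNumber": i, "Params": [v]}
    for s, i, v in [("Groveler", 12306, "D:"), ("Groveler", 12306, "D:"),
                    ("Groveler", 12306, "E:"), ("Groveler", 12307, "F:"),
                    ("OtherSource", 12306, "G:")]
]
print(alerts_for(SAMPLE_EVENTS))
```

Five events yield two alerts: the duplicate for D: is folded into the first, and the events with a different ID or source never pass the filter.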