Single Instance Store volume not secure

Microsoft.Windows.FileServer.Service.SIS.2008R2.VolumeNotSecure (Rule)

Knowledge Base article:

Summary

This rule monitors for Application log event 12306 from the Groveler event source, which is logged when Single Instance Storage (SIS) has been disabled for a volume because of a security issue. The usual trigger is a change to the permissions on the SIS private folders of the affected volume. SIS remains disabled on that volume until the permissions are corrected.

One alert is generated for each volume that exhibits the condition, and repeated events for the same volume are suppressed rather than raising additional alerts. The alert description names the affected volume and computer.

Causes

An administrator has changed the security permissions on the SIS private folders of the volume. SIS stores its data in a hidden directory named SIS Common Store at the root of the volume; the permissions on this directory must not be modified.

Resolutions

To restore permissions to the correct settings, use the following steps:

The alert does not close on its own: after the permissions have been restored and SIS is active on the volume again, resolve the alert manually in the Operations console.
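The following PowerShell is an added example, not part of the management pack or of Microsoft's knowledge article. It reproduces the rule's detection logic on the file server itself (Application log, source Groveler, event 12306), collapses the matches to one record per volume the way the rule's suppression does, and then lists the ACL of the folder the alert points at. Three things are assumptions of this example and are not stated on the page: that the volume is carried in the event's first insertion string (the rule's $Data/Params/Param[1]$), that the SIS private folder is <volume>\SIS Common Store, and that a healthy store grants access only to SYSTEM and Administrators. Verify that last baseline against a known-good SIS volume before changing any ACE.

```powershell
# Added example (not Microsoft's code). Mirrors the VolumeNotSecure rule locally and audits
# the SIS Common Store ACL for the volumes it reports.
# Assumptions (not on the page): volume = first insertion string of event 12306,
# store path = <volume>\SIS Common Store, baseline principals = SYSTEM + Administrators.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

# Assumed baseline; confirm against a healthy SIS volume before acting on the '!!' markers.
$allowedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Same filter as the rule's DataSource: Application log, PublisherName Groveler, EventDisplayNumber 12306.
$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Groveler'
    Id           = 12306
    StartTime    = (Get-Date).AddDays(-$Days)
}

if (-not $events) {
    Write-Host "No Groveler 12306 events in the last $Days days on $ComputerName."
    return
}

# The rule suppresses on Param[1] (the volume), so keep one record per volume,
# retaining the most recent occurrence and a count of the suppressed repeats.
$perVolume = $events |
    Group-Object { $_.Properties[0].Value } |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Volume      = $_.Name
            LastSeen    = $latest.TimeCreated
            Occurrences = $_.Count
        }
    }

foreach ($v in $perVolume) {
    Write-Host ("SIS disabled on volume '{0}' on computer '{1}' (last seen {2}, {3} event(s))" -f `
        $v.Volume, $ComputerName, $v.LastSeen, $v.Occurrences)

    # ACL inspection is local only; the store path is this example's assumption.
    if ($ComputerName -ne $env:COMPUTERNAME) { continue }
    $store = Join-Path $v.Volume 'SIS Common Store'
    if (-not (Test-Path -LiteralPath $store)) {
        Write-Warning "  $store not found; check the volume string in the event and the store location."
        continue
    }

    $acl = Get-Acl -LiteralPath $store
    Write-Host "  Owner: $($acl.Owner)"
    foreach ($ace in $acl.Access) {
        # Flag any ACE whose principal is outside the assumed baseline.
        $flag = if ($allowedPrincipals -contains $ace.IdentityReference.Value) { '   ' } else { '!! ' }
        Write-Host ("  {0}{1,-35} {2,-6} {3} (inherited={4})" -f $flag, $ace.IdentityReference.Value,
            $ace.AccessControlType, $ace.FileSystemRights, $ace.IsInherited)
    }
    Write-Host "  Entries marked '!!' fall outside the assumed baseline; compare with a known-good SIS volume before changing them."
}
```

Run it on the file server as an administrator after the alert fires; the '!!' markers tell you which ACEs differ from the assumed baseline, and comparing that output with a volume where SIS is still running shows exactly which permission change has to be reverted.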

Element properties:

Target: Microsoft.Windows.FileServer.Service.SIS.2008R2
Category: SecurityHealth
Enabled: True
Event ID: 12306
Event Source: Groveler
Alert Generate: True
Alert Severity: Error
Alert Priority: Normal
Remotable: True
Alert Message (name): SIS has been disabled on a volume
Alert Message (description): The Single Instance Storage (SIS) service has been disabled on volume '{0}' on computer '{1}' because the SIS private folders are not secure
Event Log: Application

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Windows.FileServer.Service.SIS.2008R2.VolumeNotSecure" Target="Microsoft.Windows.FileServer.Service.SIS.2008R2" Enabled="true" Remotable="true" ConfirmDelivery="true">
  <Category>SecurityHealth</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <Expression>
        <And>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="String">PublisherName</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="String">Groveler</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
          <Expression>
            <SimpleExpression>
              <ValueExpression>
                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
              </ValueExpression>
              <Operator>Equal</Operator>
              <ValueExpression>
                <Value Type="UnsignedInteger">12306</Value>
              </ValueExpression>
            </SimpleExpression>
          </Expression>
        </And>
      </Expression>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">
      <Priority>1</Priority>
      <Severity>2</Severity>
      <AlertMessageId>$MPElement[Name="Microsoft.Windows.FileServer.Service.SIS.2008R2.VolumeNotSecure.AlertMessage"]$</AlertMessageId>
      <AlertParameters>
        <AlertParameter1>$Data/Params/Param[1]$</AlertParameter1>
        <AlertParameter2>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</AlertParameter2>
      </AlertParameters>
      <Suppression>
        <SuppressionValue>$Data/Params/Param[1]$</SuppressionValue>
      </Suppression>
    </WriteAction>
  </WriteActions>
</Rule>