Using OpsMgr to Detect SMB (Shared Folders) Connections to Windows Computers

1 minute read

I wrote this simple management pack couple of weeks ago to detect new SMB (Shared Folders) connection as well as disconnection events on OpsMgr agents.

The MP contains two (2) WMI event rules, one for new connection event and one for disconnection event. Each rule generates a Informational alert:

New Connection alert:

image

Disconnection Alert:

image

I’ve used the Microsoft.Windows.WmiEventProvider.EventProvider module as the data source module for both rules. The WMI queries used for these rules are:

New Connection Rule:

Select * from __InstanceCreationEvent within 1 where TargetInstance ISA 'Win32_ServerConnection' and TargetInstance.ShareName !='IPC$'

 

Disconnection Rule:

Select * from __InstanceDeletionEvent within 1 where TargetInstance ISA 'Win32_ServerConnection' and TargetInstance.ShareName !='IPC$'

Both rules are disabled by default, you will need to enable them via overrides:

image

I left this running on my laptop at work. It was pretty funny yesterday a colleague of mine connected to my C$ to check few ConfigMgr client log files. I found out straightaway and forwarded the alert notification email that OpsMgr sent to me and asked him what was he looking for on my C drive. Smile

Please be very cautious on which computers you are enabling these rules on. Please try not to enable them on servers like domain controllers, file & print servers, ConfigMgr servers etc. if you are not prepared to deal with the large number of alerts these rules may generate!

The unsealed MP can be downloaded HERE.

Leave a comment