Tuesday, September 24, 2013

Warning when someone tries to connect to a share on my computer

In Windows you can attach tasks to events.
You can attach a task to the audit event that represents connections to the local host's shares.
You will need to configure the filter using XML so that it selects share connection events (5140) and discards events where the local host connects to itself (many programs try to connect to the c$ share, for example Firefox when it opens a file browse dialog to upload files to forms).

This is the filter:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=5140)]] and *[EventData[Data[@Name='IpAddress']!='127.0.0.1']]</Select>
  </Query>
</QueryList>

After the filter is built, attach the task of sending an email or showing an on-screen message: "someone is trying to connect to my computer - see event log for details".
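
The same setup from an elevated PowerShell prompt, as an added example that is not part of the original post: it enables the audit subcategory that produces event 5140, checks what the filter matches, and registers the event-triggered task. The task name ShareConnectionAlert is a made-up name, the subcategory name assumes an English-language Windows, and msg.exe is assumed to be present (it is missing on some Windows editions).

```powershell
# Added example; run from an elevated PowerShell prompt.

# 1. Event 5140 is only written when the "File Share" audit subcategory is on.
auditpol /set /subcategory:"File Share" /success:enable

# 2. XPath form of the filter: share connections (5140) whose source address
#    is not loopback. 5140 stores the address as <Data Name="IpAddress">.
$xpath = "*[System[(EventID=5140)]] and " +
         "*[EventData[Data[@Name='IpAddress']!='127.0.0.1']]"

# 3. Dry run: show the latest events the filter matches, so you can see
#    whether anything else needs excluding before alerts start firing.
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 5 `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named <Data> elements into a lookup table.
        $fields = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $fields[$node.GetAttribute('Name')] = $node.InnerText
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = $fields['IpAddress']
            User   = $fields['SubjectUserName']
            Share  = $fields['ShareName']
        }
    } | Format-Table -AutoSize

# 4. Register a task that fires on every matching event and shows the
#    on-screen message. "ShareConnectionAlert" is a hypothetical task name.
$action = 'msg * Someone is trying to connect to my computer - see event log for details'
schtasks /Create /TN "ShareConnectionAlert" /SC ONEVENT /EC Security `
         /MO $xpath /TR $action /RU SYSTEM /F
```

If the dry run in step 3 still lists connections from the machine itself (for example from its own LAN address), exclude those addresses in the filter as well before relying on the alert.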