Thursday, February 7, 2013

Access denied to disk share on Windows 2012

One thing you may not know is that when you add a disk to a Windows 2012 virtual machine under vSphere 5, it gets added and tagged as removable. The consequence of this tag is that when you try to access that disk using \\servername\e$, a popup message appears:
"Windows cannot access \\servername\e$
You do not have permission to access \\servername\e$. Contact your network administrator to request access."

If you look at the security log of your Windows server, an audit failure should have appeared:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          07/02/2013 10:34:13
Event ID:      4656
Task Category: Removable Storage
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      server.domain.com
Description:
A handle to an object was requested.

What surprised me at first when I saw this message was the task category: Removable Storage. How come a new vmdk is seen as a removable disk by Windows? Well, the answer is that in ESXi 5.x, SCSI controllers are presented as removable devices to the VM, as you can see in the following screenshot:


After a lot of investigation, I have found two possible workarounds to this problem.

The first workaround is to disable the Removable Storage auditing policy in gpedit.msc under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access, because, as stated here, "in Windows Server 2012 or Windows 8, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device".

Microsoft justifies this choice in Windows 8 and Windows 2012 with this argument: "Many organizations are concerned about sensitive data being copied onto removable storage devices that are not controlled by their IT departments. Windows 7 and Windows Server 2008 R2 do not support auditing removable storage devices. As a result, enterprises lose the visibility of who accessed sensitive data after it has been copied to a removable storage device."

The short way to disable this auditing policy is to run the following command from an elevated prompt and then reboot:

auditpol /set /subcategory:"Removable Storage" /failure:disable
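
Before turning the audit off, it is worth confirming that the share failures really map to this subcategory and recording who is generating them. The following PowerShell is an added example, not part of the original post; it assumes an elevated prompt on an English-language OS (the category and keyword names are localized display strings), and the 24-hour window is an arbitrary choice.

```powershell
# Added example: confirm the diagnosis before changing audit policy.

# 1. Current audit setting for the subcategory the command above changes.
#    Run this again after the change and reboot to verify the result.
auditpol /get /subcategory:"Removable Storage"

# 2. Recent 4656 audit failures logged under the Removable Storage task category,
#    i.e. the same kind of event as the one shown earlier in the post.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
              LogName   = 'Security'
              Id        = 4656
              StartTime = $since
          } -ErrorAction SilentlyContinue |
          Where-Object {
              $_.TaskDisplayName -eq 'Removable Storage' -and
              $_.KeywordsDisplayNames -contains 'Audit Failure'
          }

# 3. Pull the account, object and process out of each event's XML payload.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Object  = $data['ObjectName']
        Process = $data['ProcessName']
    }
}

# 4. Summarize: which accounts are being refused on which objects, and how often.
if ($rows) {
    $rows | Group-Object Account, Object |
        Sort-Object Count -Descending |
        Select-Object Count, Name |
        Format-Table -AutoSize
} else {
    Write-Output "No Removable Storage audit failures (4656) since $since."
}
```

If a domain Group Policy object configures the advanced audit policy, a local auditpol change is overwritten at the next policy refresh, so make the change in the GPO in that case.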

The second workaround is to disable hot plug for this virtual machine, by adding the configuration parameter devices.hotplug and setting it to false, as explained by VMware at this link:


Adding this parameter requires the VM to be powered off, so it is currently an off-line fix.

Waiting for a real fix either by Microsoft or by VMware, that's the best I could find.

6 comments:

  1. Thanks for posting this, had the same issue. Don't see much coverage of this issue, but am sure it must affect lots of people.

  2. Yes, I agree with you. I think that not many people have for the moment implemented Win2012 on vSphere.

    I was on vCloud Director training last week and no one of the participants had used it yet.

    Glad I could help!

  3. Fixed my issue for 2008 R2 that happened to an ESXi 5.1 cluster on Dell hardware/san.

  4. Brilliant, if anyone is interested this had driven me and my partners almost crazy in a SharePoint 2013 deployment where things stop working apparently randomly, especially with inetpub folder access and ASP.NET custom coding. There is a KB from MS but at least for us it did not represent the full solution, even with the policy change, we thought that probably we will need to re-deploy the farm because maybe some file or permissions did not apply properly during install and setup.

  5. Thank you for posting this! You saved the day :-)

  6. Thanks, that was helpful!
