rodynetwork


what to check on server 2008

I have a server running SBS 2008 Premium.  As the owner of the company, I would like to keep up with how my server and my data are being handled.  I have a tech remoting in to my server to perform various set ups and to address various issues.  How can I check on or keep up with what he has set/unset and loaded/downloaded or copied onto or off of the server?  Any suggestions relative to monitoring my data and keeping up with the general safety of my information?  It's a vulnerable feeling to have someone accessing all my data.  What are common good practices I can use to manage that risk?
gregcmcse

You aren't going to be happy with the answer.  Enabling auditing at that granular of a level will rapidly kill your system performance and if you had the technical skill level to do so in a way that wouldn't, you probably wouldn't need your consultant.
My suggestion is that you make sure auditing of logon events and account logon events (both success and failure) is enabled and review the security event log regularly.  Event 528 will show you when a local logon was performed on the server.  Event 540 should show up when a network logon is processed on a remote client computer.  At least you'll know when he's accessing your systems.
You can enable object auditing of a very limited number of objects without killing performance -- an HR folder, trade secrets folder, etc.
Microsoft offers a free tool -- the baseline security analyzer -- to check on numerous vulnerabilities.  That could tell you if there are any glaring holes.
All of those things will leave telltale signs (other audit events, program folders, etc.) the consultant could see and they might well realize you're checking up on them -- just FYI.  Good luck!
Member_2_957366

I would suggest that you enable "File and Folder Auditing" within Windows using Local Security Policy:

Start --> All Programs --> Administrative Tools --> Local Security Policy.  Expand the Local Security Policy and then select Audit Policy.  Not sure if that is what you are looking for.

You can go to the File and Folder level but it will be a lengthy process if your DC is also your file server.

Good luck.
rodynetwork

ASKER

Thanks for the input.  Brings another question to mind: can he turn off what I've turned on?  Is there something I can turn on that will audit what he is doing, looking at and/or copying, and can I turn that on in a way that he can't turn it off?  I don't distrust this guy.  I just really want to have accountability in place where my data is concerned.
I would assume that the tech has administrative privileges.  If that is the case, he can turn that off at any time!!!

If there are legal obligations between the two parties (you and the tech), I would suggest that you enforce some written working instructions, meaning that every time there is a change made to the system, it has to be documented in detail.  Also, there must be a "Change Request" for it if changes are required.  I work in a larger corporation so changes are different than yours.  I would assume that you are a smaller organization so most things are done on the fly.  However, if you enforce the common practice or written policy, I am sure that any tech would have to work within the guidelines.  Remember, you are the boss and you set the rules!!!

Good luck.
Hunart,

Thanks for the added input.  Which setting would have to be turned off and if it gets turned off, is there a trail I can find?
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.
rody:  I would not recommend enabling File and Folder auditing unless you really know what you're doing.  It can kill a server and you often lose the data you're actually looking for as logs are overwritten.
Yes, an administrator can turn off auditing and clear the audit logs at any time.  The only entry that would be left in the audit log is one indicating which user cleared the audit log.  That entry will rapidly be lost if you enable File/Folder auditing on a large scale.
You might want to check into 3rd party server monitoring services.  Many of them can configure filters to send them certain types of logging information in "realtime" and alert based on various factors.
That said, it really seems like your gut tells you not to trust this guy or you have some pretty hefty secrets worth stealing.  There are many reputable consultants out there with their own companies and smaller consulting firms who do this type of work all the time.  It's worth paying a bit more to get a professional where there is no doubt in your mind that they're not going to poke through your data.  Look for a CISSP certified consultant if nothing else -- they operate by a tough, professional code of ethics considered to be the gold standard in the industry.
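The logon review and the "what is left behind when auditing is turned off or the log is cleared" points raised in the answers above can be checked with one query of the Security log. This is an added example, not code from any poster in the thread; it assumes PowerShell 2.0 or later, the function name is hypothetical, and it uses the event IDs Windows Server 2008 records (4624 for logons, where Server 2003 used 528/540).

```powershell
# Added example. Function name is hypothetical. Event IDs are the
# Windows Server 2008 ones: 4624 logon, 1102 Security log cleared,
# 4719 audit policy changed (logged while policy-change auditing is on).
function Get-AdminAuditTrail {
    param(
        [int]$Days = 7,
        # 2 = console logon, 10 = Remote Desktop. Type 3 (network) is left
        # out by default because a domain controller logs it constantly.
        [int[]]$LogonTypes = @(2, 10)
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 1102, 4719
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Run from an elevated prompt; reading the Security log needs admin rights.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e = $_
        $xml = [xml]$e.ToXml()
        # 4624 and 4719 carry named <Data> fields under EventData.
        $f = @{}
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d -is [System.Xml.XmlElement]) { $f[$d.GetAttribute('Name')] = $d.InnerText }
        }
        $what = $null; $who = ''; $from = ''
        if ($e.Id -eq 4624) {
            if ($LogonTypes -contains [int]$f['LogonType']) {
                $what = 'Logon, type ' + $f['LogonType']
                $who  = $f['TargetDomainName'] + '\' + $f['TargetUserName']
                $from = $f['IpAddress']
            }
        } elseif ($e.Id -eq 1102) {
            # 1102 stores its fields under UserData instead of EventData.
            $c    = $xml.Event.UserData.LogFileCleared
            $what = 'SECURITY LOG CLEARED'
            $who  = $c.SubjectDomainName + '\' + $c.SubjectUserName
        } else {
            $what = 'AUDIT POLICY CHANGED (open the event for the subcategory)'
            $who  = $f['SubjectDomainName'] + '\' + $f['SubjectUserName']
        }
        if ($what) {
            New-Object PSObject -Property @{
                Time = $e.TimeCreated; Id = $e.Id; What = $what; Account = $who; Source = $from
            } | Select-Object Time, Id, What, Account, Source
        }
    }
}
Get-AdminAuditTrail -Days 14 | Format-Table -AutoSize
```

Because an administrator can clear the local log, the output is only as durable as where it is kept, so schedule the query and store the results somewhere the consultant's account cannot write. `auditpol /get /category:*` shows which audit settings are currently enabled.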