Solved

Determine who last modified a file on a Windows 2000 server or a Linux or Unix server

Posted on 2006-06-24
Last Modified: 2013-11-15
We had a problem occur last week where one of the critical files on our web server was changed and broke links on the main page. I was able to fix the problem and determine when and where the problem occurred in the file, but I don’t know of any place in Windows 2000 server that would tell me who modified a file last. One person I spoke to seems to think this is possible in either Unix or Linux, but others I spoke to say it is not. They say you can only determine who had permissions to change the file, but not who actually changed it. Do you know if this is correct?

This occurs occasionally and is not done by people with a lot of computer expertise so they typically would be doing this by accident, not intentionally, and the user would not be trying to hide what they did.  Unfortunately, no one seems to want to admit they caused the problem.  My interest is getting the problem narrowed down and getting the person some training so they don't do it again.  
0
Question by:ETC-Staff
13 Comments
 
LVL 22

Accepted Solution

by:
pjedmond earned 500 total points
ID: 16975745
As always, it depends on the level of logging you allow! The more logging you configure, then the greater the amount of processing required by the logging process.

In reality, unless you are doing troubleshooting on a Windows machine, you can only see who has permissions to alter the file, and when it was altered.

A similar situation exists with the default samba (linux filesharing) log level, although this likewise can be increased to a level that you can see almost everything.

So in your case, chances are that you can only see who had permissions to alter the files concerned (perhaps narrowed down slightly by looking at who had logged on in that time period).

If you need something to carry out the necessary logging, then the Enterprise Version of  Track For Win logs this information quite nicely:

http://www.track4win.com/ent/

(   (()
(`-' _\
 ''  ''



0
 
LVL 4

Author Comment

by:ETC-Staff
ID: 16975772
Would this also be true for Unix?  Is there any operating system that could be set up to track these changes?
0
 
LVL 4

Author Comment

by:ETC-Staff
ID: 16975845
We are in the process of moving the web server to a new machine so the possibility of changing to another OS or web server exists. Before I ask for money for a third party product, I just need to be able to say for sure that we can't determine who modified a file by setting up features in the OS itself. Is this correct for Unix, Linux, and Windows? Is there any other OS that would do this?
0
 
LVL 22

Expert Comment

by:pjedmond
ID: 16975865
Absolutely - as mentioned track4win will do the tracking for windows.

With samba, on linux (any *nix), you can turn up the logging level on samba to 3 or above. *WARNING* this has a significant impact on performance. (Having said that, many  smaller companies don't get the processor use above 20% on their linux fileservers, so this may not be an issue?) See here for a little more info on samba logging:

http://www.oreilly.com/catalog/samba/chapter/book/ch04_08.html

Samba logging isn't that 'obvious' in that the file is not identified by name, but rather by number, but all the information is there to be able to trace the culprit.

(   (()
(`-' _\
 ''  ''
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 16975952
ETC-Staff,

You need to understand that unlike Windoze, which locks you into a specific technology, both Linux and most UNIX platforms support many different filesystems - for example, UFS, EXT2, EXT3, Reiser, NSS, JFS and many more. And it is the *filesystem* that determines the tracking capability. Sometimes, as we see with SAMBA, the access method can also be used. You also need to understand that there is not one "UNIX" - UNIX is a general OS design, not a singular operating system.

Beyond relying on filesystem or access method logging to keep track of who alters files when, you can also use an auditing tool. Some OSes include them, they are add-ons for others.
0
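Added example, not part of the original thread: one OS-level auditing tool of the kind mentioned above is the Linux audit subsystem (auditd), and this sketch shows how its records answer "who changed the file". It assumes a watch rule like the one in the comment; the log lines, path, key name and UIDs are constructed sample data, and file names are assumed to be logged as absolute paths.

```python
import re
from collections import defaultdict

# Constructed sample of audit.log records, as written for a watch rule such as:
#   auditctl -w /var/www/html/index.html -p wa -k webroot
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1151150400.101:812): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=2210 pid=2254 auid=1004 uid=1004 gid=100 euid=1004 tty=pts1 comm="vi" exe="/usr/bin/vim" key="webroot"
type=PATH msg=audit(1151150400.101:812): item=0 name="/var/www/html/index.html" inode=48213 dev=08:01 mode=0100664 ouid=48 ogid=48
type=SYSCALL msg=audit(1151154000.552:901): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=3100 pid=3144 auid=1007 uid=0 gid=0 euid=0 tty=pts2 comm="cp" exe="/bin/cp" key="webroot"
type=PATH msg=audit(1151154000.552:901): item=0 name="/var/www/html/index.html" inode=48213 dev=08:01 mode=0100664 ouid=48 ogid=48
type=SYSCALL msg=audit(1151157600.009:955): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3300 pid=3321 auid=1009 uid=1009 gid=100 euid=1009 tty=pts3 comm="nano" exe="/usr/bin/nano" key="webroot"
type=PATH msg=audit(1151157600.009:955): item=0 name="/var/www/html/index.html" inode=48213 dev=08:01 mode=0100664 ouid=48 ogid=48
"""

MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records that share an audit serial number into one event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, epoch, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        events[serial].setdefault("time", int(epoch))
        events[serial][rtype] = fields  # keeps the last PATH record per event
    return events

def who_modified(log_text, path, key=None):
    """Return sorted (time, auid, uid, exe) for each successful audited access."""
    hits = []
    for ev in parse_events(log_text).values():
        sc, p = ev.get("SYSCALL"), ev.get("PATH")
        if not sc or not p or p.get("name") != path:
            continue
        if sc.get("success") != "yes" or (key and sc.get("key") != key):
            continue  # denied attempts and other rules' events are not changes
        # auid is the login UID: it stays the same after su/sudo, uid does not.
        hits.append((ev["time"], int(sc["auid"]), int(sc["uid"]), sc["exe"]))
    return sorted(hits)
```

In the sample, the second change ran as uid 0, but the auid field still points at the account that originally logged in, which is the field to report on when several maintainers share elevated access.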

 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16976093
Windows can track these changes if you enable file auditing.
0
 
LVL 4

Author Comment

by:ETC-Staff
ID: 16976323
Thanks for all the comments. I am just referring to the systems as unix and linux in the generic sense. I do realize there are different versions of all of these. I am not a network admin, but I can turn this over to our network admin to investigate. I just want to be able to point him in the right direction. The folks I have talked to so far have told me they think it can be done, but haven't done it themselves and can't be any more specific than that. We are considering changing platforms as we move the web server so I appreciate all the comments. This is for a university so I am trying to keep the costs down as funds are very tight this year. So purchasing any commercial add-ons will need some pretty good justification. I have tried to run this web server with minimum interference from me, but it has become very large and it is apparent we need some more control or to at least know what exactly is going on with some of the files. We have quite a few "web maintainers" on the system. For the most part, this has worked very well, but now we need to make some changes.

We are using Windows 2000 Server.  I only found "file auditing" mentioned once in the help when I did a search.  I didn't see how it is turned on.  Can you help me with that?  Thanks.
0
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 16976328
0
 
LVL 6

Expert Comment

by:engineer_dell
ID: 16976538
Hello ETC Staff

References for w2k auditing
http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html
http://labmice.techtarget.com/troubleshooting/EventLog.htm
http://support.microsoft.com/?kbid=300549

Here you can find 3rd party free file integrity tools
http://www.honeypots.net/ids/integrity-management
http://www.networkintrusion.co.uk/integrity.htm
http://www.sysinternals.com/Utilities/Filemon.html
http://www.contactplus.com/products/freestuff/monidir.htm

I like GFI LANguard Security Event Log Monitor (S.E.L.M.) - performs event log based intrusion detection and network-wide event log management. Monitor users attempting to access secured shares and confidential files; Monitor critical servers and create alerts for specific events and conditions occurring on your network; Back up and clear event logs automatically on remote machines; Detect attacks using local user accounts
http://www.gfi.com/lanselm/

Regards,
Engineer_Dell
0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 16981477
If you give windows, unix or linux users permissions to access the root of the C drive OR the OS folders, or the folder where the crucial file exists, then YES, and one of them could accidentally corrupt ANY file in those folders where they have permissions to access.  You need to be more restrictive of permissions on the file server, not go on a long hunt.

Review all user permissions for ALL directories on the file server.  Do not allow root access for ordinary users, nor access to the windows or OS folders.  Limit their access to their working directories, and keep ALL KEY system or crucial files inaccessible to ordinary users.  This is the RIGHT way to solve the problem.
0


Question has a verified solution.
