Using WK3 SBS is there a way to prove someone copied files from a shared folder to a personal device without 3rd party software, Copied to device not accessible

Previous to my involvement in this, an ex employee supposedly copied very important, propriotary files to his laptop.  now that he has resold the data, the task to prove he took it fell upon me.  They have a Serve 2003 SBS with Active Directory setup.  They were not properly restricting data with security groups but did have shared folders setup.  I am pretty sure, but want to make sure, that there is no way to prove this was done, or even what files this was done to.  

Also, this happened 9 months ago, yeah, I know.

What steps can be taken to track this in the future, Obviously security groups and restrictions are in place now, but even trusted employees could do this, so what can be used to prove it after the fact?

Thank youfor your assistance.
viper222Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bhnmiCommented:
Auditing can log file access. But can not tell you where it was moved to (I believe). Also has to be enabled first.
0
viper222Author Commented:
Yeah, nothing was turned on by anyone before they called me to handle this.  I am still open for any answer but I guess if it is not an option, then I should provide points for what to use for this type of information for  the future.
0
bhnmiCommented:
I mean if it is actually proprietary data and he signed none discloser forms you should still be able to take action.
0
Cloud Class® Course: MCSA MCSE Windows Server 2012

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

viper222Author Commented:
It was data that is able to be put into a list and sold in that format, so the law enforcment people are saying that even though we have an email with him stating that "he had it due to lack of security on the folders" we have to prove that he did actually take it, since what he sold was just a list of contacts and misc. information.

This is why they asked us.  See, we wet in about 4 months ago and locked down his data, setup security groups and what not, but prior to this, the bafoon (is thst how you spell that?) that set the network up just gave full access to "Everyone" for all folders on the server.  So that is where we stand right now.
0
bhnmiCommented:
Well, at lest it wont happen again!
0
Michael WorshamStaff Infrastructure ArchitectCommented:
Under SBS 2003, check under the EventLog (if it dates back that far) to see if there were any type of success or failures for file access. Certain filter rules are enabled by default (usually by the system) , so it can't hurt to look.

0
viper222Author Commented:
I looked at the event log, it only goes back about 3 weeks for security, longer in othe areas, but nothing helpful in those areas
0
Brian PiercePhotographerCommented:
In short nothing much you can do this far down the line, even if auditing was enabled the logs won't go bak that far - and in any case they won't prove a file was copied - just accessed. Consider using Information Rights Management if you have valuable data. see http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:
At this point, there's no way you're going to be able to prove it on your end.  Security is a matter that needs to be taken seriously yet most small businesses simply refuse to do so until something like this happens.  What needs to be done now (and perhaps you've taken several steps towards this) is to implement policies and procedures so that employees only have access to the data that they need.  They only use the computers that they need to use.  This may mean (somewhat) expensive hardware and software that must be purchased to ensure that another user can't just plug their laptop into the network and access files with his or her user name.  Yes, this software can be expensive... so you need to decide just what that data is worth and protect it to that level.  OR be willing to let this happen again if a knowledgeable employee comes along with such intent.
0
viper222Author Commented:
Thank you all.  Yes, we have implemented security policies, locked down their Wi-Fi, including MAC filtering (yeah, I know) setup MAC filtering on the Router to help protect from unauthorized PCs, Actually Used group policies to block all access to drives and removable drives on the PC with the exception of the Mapped Server Drive, and setup folder security.  The only thing we can't really protect without something else is the "trusted" employees that have access to files, but choose to take them.

I awarded points to bhnmi and mwecomputers for constructive answers, even though they were already covered.  I gave points to leew because I feel this is useful for other people that may read this to make note of what should be looked at, and I gae the majority of the points to KCTS because I did not even consider IRM but will now be researching this and most likely deploying.

That being said, thank you all for your time and answers.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.