[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 242
  • Last Modified:

Using WK3 SBS is there a way to prove someone copied files from a shared folder to a personal device without 3rd party software, Copied to device not accessible

Previous to my involvement in this, an ex employee supposedly copied very important, propriotary files to his laptop.  now that he has resold the data, the task to prove he took it fell upon me.  They have a Serve 2003 SBS with Active Directory setup.  They were not properly restricting data with security groups but did have shared folders setup.  I am pretty sure, but want to make sure, that there is no way to prove this was done, or even what files this was done to.  

Also, this happened 9 months ago, yeah, I know.

What steps can be taken to track this in the future, Obviously security groups and restrictions are in place now, but even trusted employees could do this, so what can be used to prove it after the fact?

Thank youfor your assistance.
0
viper222
Asked:
viper222
4 Solutions
 
bhnmiCommented:
Auditing can log file access. But can not tell you where it was moved to (I believe). Also has to be enabled first.
0
 
viper222Author Commented:
Yeah, nothing was turned on by anyone before they called me to handle this.  I am still open for any answer but I guess if it is not an option, then I should provide points for what to use for this type of information for  the future.
0
 
bhnmiCommented:
I mean if it is actually proprietary data and he signed none discloser forms you should still be able to take action.
0
Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

 
viper222Author Commented:
It was data that is able to be put into a list and sold in that format, so the law enforcment people are saying that even though we have an email with him stating that "he had it due to lack of security on the folders" we have to prove that he did actually take it, since what he sold was just a list of contacts and misc. information.

This is why they asked us.  See, we wet in about 4 months ago and locked down his data, setup security groups and what not, but prior to this, the bafoon (is thst how you spell that?) that set the network up just gave full access to "Everyone" for all folders on the server.  So that is where we stand right now.
0
 
bhnmiCommented:
Well, at lest it wont happen again!
0
 
Michael WorshamInfrastructure / Solutions ArchitectCommented:
Under SBS 2003, check under the EventLog (if it dates back that far) to see if there were any type of success or failures for file access. Certain filter rules are enabled by default (usually by the system) , so it can't hurt to look.

0
 
viper222Author Commented:
I looked at the event log, it only goes back about 3 weeks for security, longer in othe areas, but nothing helpful in those areas
0
 
KCTSCommented:
In short nothing much you can do this far down the line, even if auditing was enabled the logs won't go bak that far - and in any case they won't prove a file was copied - just accessed. Consider using Information Rights Management if you have valuable data. see http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
At this point, there's no way you're going to be able to prove it on your end.  Security is a matter that needs to be taken seriously yet most small businesses simply refuse to do so until something like this happens.  What needs to be done now (and perhaps you've taken several steps towards this) is to implement policies and procedures so that employees only have access to the data that they need.  They only use the computers that they need to use.  This may mean (somewhat) expensive hardware and software that must be purchased to ensure that another user can't just plug their laptop into the network and access files with his or her user name.  Yes, this software can be expensive... so you need to decide just what that data is worth and protect it to that level.  OR be willing to let this happen again if a knowledgeable employee comes along with such intent.
0
 
viper222Author Commented:
Thank you all.  Yes, we have implemented security policies, locked down their Wi-Fi, including MAC filtering (yeah, I know) setup MAC filtering on the Router to help protect from unauthorized PCs, Actually Used group policies to block all access to drives and removable drives on the PC with the exception of the Mapped Server Drive, and setup folder security.  The only thing we can't really protect without something else is the "trusted" employees that have access to files, but choose to take them.

I awarded points to bhnmi and mwecomputers for constructive answers, even though they were already covered.  I gave points to leew because I feel this is useful for other people that may read this to make note of what should be looked at, and I gae the majority of the points to KCTS because I did not even consider IRM but will now be researching this and most likely deploying.

That being said, thank you all for your time and answers.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now