?
Solved

How can I audit who has accessed certain files on a Windows 2003 Server?

Posted on 2009-12-30
8
Medium Priority
?
492 Views
Last Modified: 2012-05-09
We had a security hole here that inadvertently caused some drives to be accessible by the entire company. We locked it down, but want to see if anyone may have attempted to open these files and/or copy them. Unfortunately, file auditing was not turned on. Is there any type of trail we could look at to see if there is any temp data left behind? They are mostly MS Word and Excel files. There's about 60 users and computers, so I can go into each computer and look if I need to. Does anyone know the best way to go through and try to track this down?
0
Comment
Question by:ryanmnly
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 31

Accepted Solution

by:
Henrik Johansson earned 1004 total points
ID: 26144961
If auditing wasn't enabled, the answer is no.
0
 

Author Comment

by:ryanmnly
ID: 26145078
What about temp files from the Office applications themselves? Do they reside for a certain amount of time in a temp directory?
0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 1004 total points
ID: 26145107
Temporary files for Office are normally deleted when file is closed.
If auditing wasn't enabled, you will not see any trace if someone has copied the file to somewhere else like a removable drive (USB etc) and open it from the new location.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Assisted Solution

by:Rene-Stolker
Rene-Stolker earned 332 total points
ID: 26152711
There is a way to trace this because every fileaccess is monitored by your local explorer.

0
 
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 1004 total points
ID: 26152895
The last access timestamp of the file in filesystem isn't a proof that anyone has opened the file as the attribute will also be updated when only displaying file properties (right-click->properties).
The attribute will not be updated when copying the file to another location like a removable drive.
If last access timestamp of the file is updated, it will only be the timestamp without trace of who actual accessed it.
0
 
LVL 7

Assisted Solution

by:Phateon
Phateon earned 664 total points
ID: 26388220
Plus, it might not be feasible as you will have to audit each and every PC in your company.
0
 
LVL 7

Assisted Solution

by:Phateon
Phateon earned 664 total points
ID: 26471124
In addition to my comment above, incase you use Office Enterprise 2007, you might find information about about the files accessed using logs in eventvwr.msc and Microsoft Office Sessions if used with RDP.
0
 

Author Closing Comment

by:ryanmnly
ID: 31695653
Doesn't look like there is a solution to what I needed to do. I went ahead and took everyone's answers as acceptable replies.
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question