magnusthorne
asked on
Monitor deleted files
I have a Windows 2003 file server. Once every few months an important directory is being deleted. How do I configure file level monitoring on the directory, so I know who is deleting it?
You need to enable auditing, see here for how: http://support.microsoft.com/kb/310399
How about making the directory itself read-only, or even read\write, but removing the ability to delete it?
There are ways but not always the easiest to dig up\through; you need to enable auditing:
https://www.experts-exchange.com/questions/22104829/Auditing-files-in-Windows-2003-and-Windows-2000.html
https://www.experts-exchange.com/questions/22631265/Auditing-Windows-2003-Server-file-folder-deletions.html
Right-click on the folder, go to Sharing and Security, then the Security tab, and at the bottom click on Advanced. Select the Auditing tab, click Add, select the group or users to track, then pick what actions you want to track.
To track file deletion you would enable:
Create files/Write data Success/Fail
Create folders / append data Success/Fail
Delete Subfolders/Files Success/Fail
Delete Success/Fail
Once that's done, Windows will log all the information in the security event log.
This article too http://support.microsoft.com/kb/814595/en-us
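The audit entry described in the answers above (the delete and create rights, success and failure, on the folder), scripted as an added example that is not code from any poster in this thread. It assumes PowerShell is installed on the server; the function names, the `Everyone` default and the sample path are hypothetical.

```powershell
# Added example. Function names, the 'Everyone' default and the sample path are assumptions.
# Run elevated: reading or writing a SACL needs "Manage auditing and security log".
# SACL entries only produce Security log events while the "Audit object access"
# policy is enabled for the matching outcome (success and/or failure).
$Wanted = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, CreateFiles, CreateDirectories'

function Add-DeleteAuditing {
    param([string]$Path, [string]$Identity = 'Everyone')
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]'None'
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
                -ArgumentList $Identity, $Wanted, $inherit, $prop, $flags
    $acl = Get-Acl -Path $Path -Audit   # -Audit loads the SACL as well as the DACL
    $acl.AddAuditRule($rule)            # merges with an existing rule for the same identity
    Set-Acl -Path $Path -AclObject $acl
}

# Reports which of the wanted rights are NOT audited for the identity,
# counting inherited entries too. A value of 0 means fully covered.
function Get-MissingAuditRights {
    param([string]$Path, [string]$Identity = 'Everyone')
    $ok = 0; $fail = 0
    $acl = Get-Acl -Path $Path -Audit
    foreach ($r in $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($r.IdentityReference.Value -ne $Identity) { continue }
        $f = [int]$r.AuditFlags
        if ($f -band 1) { $ok   = $ok   -bor [int]$r.FileSystemRights }  # AuditFlags.Success = 1
        if ($f -band 2) { $fail = $fail -bor [int]$r.FileSystemRights }  # AuditFlags.Failure = 2
    }
    $rights = [System.Security.AccessControl.FileSystemRights]
    $report = New-Object PSObject
    $report | Add-Member NoteProperty Path $Path
    $report | Add-Member NoteProperty MissingOnSuccess ($rights.IsInstanceOfType($null) -or ([int]$Wanted -band (-bnot $ok)))
    $report | Add-Member NoteProperty MissingOnFailure ([int]$Wanted -band (-bnot $fail))
    $report.MissingOnSuccess = [System.Security.AccessControl.FileSystemRights]([int]$Wanted -band (-bnot $ok))
    $report.MissingOnFailure = [System.Security.AccessControl.FileSystemRights]$report.MissingOnFailure
    $report
}

$dir = 'D:\Shares\Important'            # placeholder path, replace with the real folder
Get-MissingAuditRights -Path $dir       # check before
Add-DeleteAuditing     -Path $dir
Get-MissingAuditRights -Path $dir       # both Missing* values should now be 0
```

Running the check again after any permission reset on the folder confirms the audit entry is still in place before the next deletion happens.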
I could find a way to tell you who was deleting the file, but then to find out who the culprit is you have to experience the problem and associated inconveniences again. Instead, I would DENY (in advanced security settings under the permissions tab for the directory in question) to "Delete" and "Delete Subfolders and Files" to everyone except for one or two "trusted accounts" or a trusted group. Then go into "Local Security Policy" and edit the Local Security Settings | Local Policies | Audit Policy | Audit Object Access. Open the Audit Object Access window and set the policy to "Audit Failure Attempts" only. This will accomplish three things:
1) The problem will not recur unless the problem is a trusted individual
2) When someone attempts to delete this directory in the future they will be denied access and the audit object access failures will catch it.
3) Your logs will not fill up quickly because you're only auditing failures and not successes.
Hope this helps
As mentioned before, you could do auditing; however, the first port of call is to see who has permission to that file and ensure that only people who need delete ability have it. MS shadow copy might also help you with restoring previous versions...