Solved

Files disappearing from server, should I audit?

Posted on 2010-11-15
Last Modified: 2012-06-22
Hello,

When I came in this morning, files on the root of a specific share were gone.  Not folders, only files and not hidden files.  This share is publicly accessible to everyone in our organization.

Someone requested a few files and I restored them.  Within a few hours, those files were also gone.  We have had incidents before where someone had actually deleted files from this particular share.

Should I turn on auditing to see what is happening?  I am presently looking at this article:
How to set up and manage operation-based auditing for Windows Server 2003, Enterprise Edition: http://support.microsoft.com/kb/325898

Any help is greatly appreciated!

Thanks,

Maureen
Question by:maureen99
3 Comments
 
LVL 7

Accepted Solution

by:
tstritof earned 500 total points
ID: 34139209
Hi,

My post isn't strictly technical, but if you need specific help on auditing feel free to ask.

When auditing object access you can detect any action on an object by either anyone or a specific group of users. However - to audit an allowed deletion of a file (this is currently your situation) would require you to audit successful object actions. That can quickly fill up your security logs by loads of collateral events. That is because many system objects have auditing enabled by default and get busy logging immediately after you activate the policy.

A bit more "devious" and less event-log-expensive way would be to activate the policy to log only failures (significantly lower number of events), place a set of "bait" files on the share, and then allow the deletion only to yourself. That way if someone other than you tries to delete the file, they will get access denied, plus you will get the deletion attempt (failed) logged in the security log.

If this is being done inadvertently by a person (like someone using cut instead of copy) then they'll probably complain to you because they can't do what they want. If this is done on purpose then you will probably have a harder time catching the culprit since they will be warned off by the access denied message (however at least one failure will be logged). And if it's done by malware then you'll have events overflowing your log.

Regards,
Tomislav
 

Author Comment

by:maureen99
ID: 34147753
Thanks,

I am seeing entries adding up in the event log. I like your idea however and I may give it a try, thanks a lot!

Maureen
 
LVL 7

Expert Comment

by:tstritof
ID: 34149155
You're welcome.

When (if) files get deleted, look for event ID 560. It's an event logged in Windows Server 2003 when a process obtains a handle to the object, and in the event description you should be able to find all you need: user, filename and access type (Accesses property - usually DELETE if the file is accessed for deletion). Unfortunately, since this is Windows Server 2003, there's not much you can do in terms of smart filtering in the event log.

Regards,
Tomislav
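Since Windows Server 2003 offers no smart filtering in the event log, a small script over an exported log is the practical way to pick out the bait-file deletion attempts described in the accepted answer. This is an added example, not code from the thread or from Microsoft: it parses the tab-separated key/value layout of the event ID 560 description, keeps only events that request DELETE on a file under the share root, and names the account behind the attempt. The sample records are constructed and approximate the real description layout; the share path D:\Public, the user names and the bait file name are all assumptions.

```python
# Filter exported Windows Server 2003 security events for event ID 560 records
# that requested DELETE on a file under a given share (the "bait file" check).

def sample(event_type, path, user, accesses):
    """Build one constructed 560 record in the 2003 description layout (sample data, not real logs)."""
    desc = ("Object Open:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n"
            f"\tObject Name:\t{path}\n\tPrimary User Name:\tSRV01$\n"
            f"\tPrimary Domain:\tCORP\n\tClient User Name:\t{user}\n"
            "\tClient Domain:\tCORP\n\tAccesses:\t" + "\n\t\t\t".join(accesses) + "\n")
    return {"id": 560, "type": event_type, "desc": desc}

SAMPLE_EVENTS = [  # constructed: one blocked delete of the bait, one read, one delete elsewhere
    sample("Failure Audit", r"D:\Public\bait_budget.xls", "jdoe", ["DELETE", "READ_CONTROL"]),
    sample("Success Audit", r"D:\Public\bait_budget.xls", "asmith", ["READ_DATA"]),
    sample("Failure Audit", r"D:\Other\notes.txt", "jdoe", ["DELETE"]),
]

def parse_description(desc):
    """Turn the 560 description text into a dict; extra Accesses lines are appended to one string."""
    fields, key = {}, None
    for raw in desc.splitlines():
        line = raw.lstrip("\t ")
        if ":\t" in line:                       # "Key:\tValue" line
            key, _, value = line.partition(":\t")
            fields[key] = value.strip()
        elif key == "Accesses" and line.strip():  # continuation line listing another access right
            fields[key] += " " + line.strip()
    return fields

def find_delete_attempts(events, share_root):
    """Return (domain\\user, path, outcome) for 560 events requesting DELETE under share_root.
    With failure-only auditing these are the blocked attempts on the bait files."""
    root = share_root.rstrip("\\").lower() + "\\"
    hits = []
    for ev in events:
        if ev["id"] != 560:
            continue
        f = parse_description(ev["desc"])
        path = f.get("Object Name", "")
        if not path.lower().startswith(root) or "DELETE" not in f.get("Accesses", "").split():
            continue
        user, domain = f.get("Client User Name", "-"), f.get("Client Domain", "-")
        if user in ("-", ""):   # no impersonation: the primary (local) account acted
            user, domain = f.get("Primary User Name", "?"), f.get("Primary Domain", "?")
        hits.append((f"{domain}\\{user}", path, ev["type"]))
    return hits

if __name__ == "__main__":
    for who, path, outcome in find_delete_attempts(SAMPLE_EVENTS, r"D:\Public"):
        print(f"{outcome}: {who} requested DELETE on {path}")
```

Network users show up under Client User Name while the Primary User Name is the server account, which is why the script prefers the client fields.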
