Link to home
Start Free TrialLog in
Avatar of maureen99
maureen99Flag for United States of America

asked on

Files disappearing from server, should I audit?

Hello,

When I came in this morning, files on the root of a specific share were gone.  Not folders, only files and not hidden files.  This share is publicly accessible to everyone in our organization.

Someone requested a few files and I restored them.  Within a few hours, those files were also gone.  We have had incidents before where someone had actually deleted files from this particular share.

Should I turn on auditing to see what is happening?  I am presently looking at this article:
How to set up and manage operation-based auditing for Windows Server 2003, Enterprise Edition: http://support.microsoft.com/kb/325898

Any help is greatly appreciated!

Thanks,

Maureen
ASKER CERTIFIED SOLUTION
Avatar of tstritof
tstritof

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of maureen99

ASKER

thanks,

I am seeing entries adding up in the event log.   I like your idea however and I may give it a try, thanks alot!

Maureen
Avatar of tstritof
tstritof

You're welcome.

When (if) files get deleted, look for event ID 560. It's an event logged in Windows Server 2003 when process obtains a handle to the object, and in event description you should be able to find all you need: user, filename and access type (Accesses property - usually DELETE if file is accessed for deletion). Unfortunately since this is a Windows Server 2003 there's not much you can do in terms of smart filtering in event log.

Regards,
Tomislav