mmack12

Audit File Downloads, Deletes, and changes

I am looking for a solution to do the following:

- Ability to be notified when one of our employees downloads a large amount of files (suspicious activity).
- In the event a user ever leaves, we would like the ability to know what files have been downloaded/deleted/changed, and to what location, by that specific user.
- This would be something that could stand up in a court of law.

Our environment includes SharePoint, and files are downloaded from this system to local machines. We have "My Document" synchronization. The environment would track approximately 3 file servers (1 is SharePoint) and 50-75 users (desktops and laptops). Finally, there is a small number of users (under 5) with iPads that might need consideration.

Not sure if I can do this straight through Windows or if I would need software. Cost is a concern, but not the only factor.
vmagan

What version of Windows Server are you using?

You can use file audit in Group Policy for this, but below is another way to make this work if you are on 2008.

The following steps demonstrate how to set up simple auditing on a folder in Windows Server 2008:

1. Right-click the folder or file on which you want to apply the auditing, and choose Properties.

2. Select the Security tab.

3. Click the Advanced button.

4. Select the Auditing tab.

5. Click the Edit button.

6. Using the Add button, enter all users and groups that will be audited. If you are auditing all users, enter the Everyone group.

7. On the Auditing property page, select all types of access which should be audited. If you are auditing for all success and failure attempts, select all the options.

8. Click OK to apply the settings.

9. Click OK twice to save the settings.

For 2003, try this:

http://support.microsoft.com/kb/310399
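
The GUI steps above, scripted in PowerShell for an elevated session, as an added example that is not part of vmagan's answer. The folder path is a placeholder and the rights list is an assumed, narrower choice than "all the options" in step 7; the `auditpol` line is included because audit entries on a folder produce no Security log events until the File System audit subcategory is enabled. The last part counts file-access events (event ID 4663) per user over the past hour.

```powershell
# Added example, not from the original answer.
param(
    [string]$Path      = 'D:\Shares\Finance',  # placeholder: folder to audit
    [string]$Principal = 'Everyone'            # step 6: audit all users
)

# Without this policy the folder's audit entries generate no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Steps 6-7: one audit rule covering successes and failures.
# Assumed rights set (reads, writes, deletes, permission changes);
# use 'FullControl' to match "select all the options" at the cost of more noise.
$ns      = 'System.Security.AccessControl'
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object "$ns.FileSystemAuditRule" -ArgumentList $Principal, $rights, $inherit, $prop, $flags

# Steps 8-9: read the current audit entries, append the rule, write it back.
# -Audit is required, otherwise Get-Acl does not return the audit entries.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the entry is present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Count object-access events (4663) under $Path per user for the last hour.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        New-Object psobject -Property @{ User = $d.SubjectUserName; File = $d.ObjectName }
    } |
    Where-Object { $_.File -like "$Path*" } |
    Group-Object User |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Auditing `Everyone` on a busy share fills the Security log quickly, so size the log or forward it off the server before relying on these counts.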

btan

As for making it a legal chain of custody, the log should be digitally signed (for non-repudiation) and forensically stored (audited and justified). This is not something that is off the shelf but would be towards compliance checks, and it is best to engage the selected solution's support to check on the above. For the iPad, it would be a whole other scheme of monitoring the endpoint, but I believe that if the above is already audited at the backend, the user will be identified, and the machine name as well; hence a simple enforcement is probably to have the device tagged into the machine name ... though not foolproof.
mmack12

ASKER

This seems like great information. I have been in the process of contacting these companies. Thank you for your time in putting together thorough.
mmack12

ASKER

This answer was the best and most well-prepared answer I have received on this site. I hope I continue to get answers of this quality.