Audit File Downloads, Deletes, and Changes

I am looking for a solution to do the following:

- Ability to be notified when one of our employees downloads a large amount of files (suspicious activity).
- In the event a user ever leaves, we would like the ability to know what files have been downloaded/deleted/changed, and to what location, by that specific user.
- This would be something that could stand up in a court of law.

Our environment includes SharePoint, and files are downloaded from this system to local machines. We have "My Documents" synchronization. The environment would track approximately 3 file servers (1 is SharePoint) and 50-75 users (desktops & laptops). Finally, there is a small number of users (under 5) with iPads that might need consideration.

Not sure if I can do this straight through Windows or if I would need software. Cost is a concern, but not the only factor.

What version of Windows Server are you using?

You can use file auditing in Group Policy for this, but below is another way to make this work if you are on 2008.

The following steps demonstrate how to set up simple auditing on a folder in Windows Server 2008:

1. Right-click the folder or file on which you want to apply the auditing, and choose Properties.

2. Select the Security tab.

3. Click the Advanced button.

4. Select the Auditing tab.

5. Click the Edit button.

6. Using the Add button, enter all users and groups that will be audited. If you are auditing all users, enter the Everyone group.

7. On the Auditing property page, select all types of access which should be audited. If you are auditing for all success and failure attempts, select all the options.

8. Click OK to apply the settings.

9. Click OK twice to save the settings.

For 2003, try this:
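The nine GUI steps above create a SACL on the folder; as an added example (not part of the original answer), this is the same configuration applied from an elevated PowerShell prompt on Server 2008 or later. `$SharePath` is a placeholder to replace with the folder being audited.

```powershell
# Added example, not from the original answer: the SACL the nine GUI steps create,
# applied from an elevated PowerShell prompt (Set-Acl on a SACL needs SeSecurityPrivilege).
# $SharePath is a placeholder; replace it with the folder to audit.
$SharePath = 'D:\Shares\Finance'

# Not in the GUI walk-through but required: object access auditing must be enabled in
# policy, otherwise the SACL generates no Security log events. "File System" is the
# 2008 audit subcategory that covers folder and file access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Steps 6-7: audit Everyone for the accesses this question cares about: reads
# (downloads), writes (changes) and deletes, inherited by all subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# Steps 8-9: read the existing SACL (-Audit is required to get it), add the rule, write it back.
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verify: list the audit rules now on the folder (what the Auditing tab would show).
(Get-Acl -Path $SharePath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

Successful reads, writes and deletes then appear in the Security log as event ID 4663 (and 4660 for deletes) with the account name, file path and process, which is the raw material any alerting or SIEM rule works from.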

btan (Exec Consultant) commented:
Ideally, to detect such potential abuse of user privilege and anomalies, it will be best achieved with a user behaviour based monitoring solution. This should be complemented by effective security audit logs, reliable centralized collection of security logs and automated analysis of the security logs to identify anomaly signatures. This would be accomplished with layers of monitoring mechanisms such as:

a) Windows Audit log - minimally, to leverage the inherent OS audit support. You should check out the object access audit. Configure audit settings only on high-value folders through SACLs and audit only the minimum number of types of access that you are interested in. But these are just logs of access to those files and are not enough to trigger anomalous event alerts automatically. There is some need for a correlation rule, or minimally a centralised view in monitoring. You may want to consider Snare or Splunk to set a rule for the trigger (as they pull in the log generated at the server end).


In particular, Windows SharePoint Services 3.0 and Microsoft Office SharePoint Server 2007 provide support for auditing user access to pages, content, and documents, and include auditable events such as viewing and updating. While Windows SharePoint Services provides the basic auditing mechanisms, Office SharePoint Server 2007 adds value by supplying an administrative user interface that allows auditing at the site collection level. Office SharePoint Server 2007 goes even further and enables auditing at the list or document library level, and control over what types of events should be recorded in the audit log.


b) Security Information and Event Management (SIEM) based solution to correlate network, server and endpoint logs configured to be collected. There are quite a fair number of solutions available, but they can be steep. Examples include Netwitness Informer, Courion's User Activity Manager, ArcSight IdentityView and McAfee Network User Behavior Analysis.


There are also open source options available, but they are not really based on user behaviours. They are geared more towards endpoint "health" irregularity detection (or incident response) specifically, like OSSEC and OSSIM.
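Point (a) notes that the object access log alone does not raise an alert and that a correlation rule is needed. As an added example (not part of the original answer), this is a minimal such rule for the "large amount of files" case: it flags any account that reads more than a threshold of distinct files within a sliding window. The sample records are constructed for illustration; in production the same fields come from the Security log's 4663 events (via `Get-WinEvent` or a SIEM), and the threshold would be tuned to the site's normal activity.

```powershell
# Added example, not from the original answer: a correlation rule over Windows Security
# event 4663 (object access) records that flags a user reading an unusually large number
# of distinct files in a short window. Input objects carry User, ObjectName, Access and
# Time; the sample below is constructed, not real log data.
function Find-BulkFileAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $Threshold     = 100,   # distinct files read per window before alerting
        [int] $WindowMinutes = 15
    )
    $alerts = @()
    $reads = $Events | Where-Object { $_.Access -eq 'ReadData' }   # 4663 AccessList %%4416
    foreach ($group in ($reads | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: for each event, count distinct files read in the window ending at it.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end   = $sorted[$i].Time
            $start = $end.AddMinutes(-$WindowMinutes)
            $inWindow = $sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end }
            $distinct = @($inWindow | Select-Object -ExpandProperty ObjectName -Unique).Count
            if ($distinct -ge $Threshold) {
                $alerts += [pscustomobject]@{ User = $group.Name; Files = $distinct; WindowEnd = $end }
                break   # one alert per user per run is enough for a notification
            }
        }
    }
    return $alerts
}

# Constructed sample: 'alice' reads 3 files over 3 minutes (normal); 'bob' reads 150
# distinct files in 10 minutes (the bulk-download pattern the question asks to detect).
$t0 = Get-Date '2024-01-15 09:00'
$sample = @()
1..3   | ForEach-Object { $sample += [pscustomobject]@{ User = 'alice'; ObjectName = "D:\Shares\Finance\a$_.xlsx"; Access = 'ReadData'; Time = $t0.AddMinutes($_) } }
1..150 | ForEach-Object { $sample += [pscustomobject]@{ User = 'bob';   ObjectName = "D:\Shares\Finance\b$_.xlsx"; Access = 'ReadData'; Time = $t0.AddSeconds($_ * 4) } }

Find-BulkFileAccess -Events $sample | Format-Table   # expected: one row, User=bob, Files=150
```

Scheduled against the last window of events, the alert rows are what would be forwarded to email or a ticketing system; the raw 4663 events themselves, not this summary, are what should be retained for the per-user history the question asks for.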

btan (Exec Consultant) commented:
As for making it legal (chain of custody), the log should be digitally signed (for non-repudiation) and forensically stored (audited and justified). This is not something that is off the shelf, but it would be towards compliance checks, and it is best to engage the selected solution's support to check on the above. For iPad, it would be another whole scheme of monitoring the endpoint, but I believe if the above is already audited at the backend, the user will be identified and the machine name as well; hence probably a simple enforcement is to have the device tagged into the machine name ... though not foolproof.
mmack12 (Author) commented:
This seems like great information. I have been in the process of contacting these companies. Thank you for your time in putting this together so thoroughly.
mmack12 (Author) commented:
This answer was the best and most well-prepared answer I have received on this site. I hope I continue to get answers of this quality.