Solved

Help with auditing file deletion on Windows Server 2012

Posted on 2014-04-23
Last Modified: 2014-04-29
I have followed the directions in the link below to turn on auditing.

http://social.technet.microsoft.com/Forums/en-US/971e24e2-462e-41a8-a8ba-e39140508dc7/how-can-track-who-deleted-filefolder-from-windows-server-2008?forum=winserverfiles

I am having a couple of issues with this.

First, since I enabled auditing on a test share, the necessary events are not showing up in the security log. I attached a picture of the audit tab I set up on the folder I am trying to test. Please let me know if there is anything wrong here.

I also have auditing turned on in the GP security audit policy. I attached that as well. Please let me know if this is correct or not.

This server was just installed last year and I don't remember turning auditing on for any other folders but for some reason, the security log fills up with several event logs per second and it fills the log so fast that it is a huge pain to search through. I also tried using a filter to look for events 560 or 564 to try and find the file I deleted to test but that log was not there.

What am I missing? How can I make an event occur when a file or folder is deleted and how do I cut down on the number of events happening in the security log?

This is for a 2012 Windows server.

Thanks,

Justin
EE.JPG
ee1.JPG
Question by:JustinGSEIWI
3 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 1000 total points
ID: 40017742
Check for event 4660, event ID numbers changed after 2008.

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=564

Notice the corresponding events section.

Is that GPO applying to the machine?

Thanks

Mike
0
 

Author Comment

by:JustinGSEIWI
ID: 40017815
Thank you for the reply.

I looked for event 4660 and found it. It did say an object was deleted but it did not say which file. I looked around and found that events 5145, 4656, and 4663 also showed a deletion and each of those showed the file and path. So that means it is working, I just need to set up auditing on the share now instead of my test folder.

How do I determine why several events a second are coming in? Most of it is not related to the deleted files I want to track. Are those necessary or can all of the excess events be turned off? It makes it hard to find file deletions.

I attached a file showing that the policy is applying to the domain controller that hosts the share. I just noticed other audit policies turned on as well, are these the items filling up the security log? If so, can I turn them off or are they needed?

Justin
ee3.JPG
0
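The comments above note that event 4660 confirms a deletion but does not name the file, while 4663 carries the path. The following is an added example, not code from any poster in this thread: it pairs each 4660 with the earlier 4663 DELETE request on the same handle. The function names, the `CONTOSO\jdoe` account and the file paths are assumptions made for illustration.

```powershell
# Added example: match 4663 (DELETE access, has ObjectName) to the later
# 4660 (object deleted, no file name) that shares logon, process and handle.

function ConvertTo-AuditRecord {
    # Flattens a Security event's <EventData> fields into one object.
    param([Parameter(ValueFromPipeline)] $LogEvent)
    process {
        $rec = [ordered]@{ Id = $LogEvent.Id; RecordId = $LogEvent.RecordId
                           TimeCreated = $LogEvent.TimeCreated }
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
            $rec[$d.Name] = $d.'#text'
        }
        [pscustomobject]$rec
    }
}

function Get-ConfirmedDeletion {
    param([Parameter(Mandatory)] [object[]] $Record)
    $pending = @{}   # DELETE requests still waiting for their 4660
    foreach ($r in ($Record | Sort-Object RecordId)) {
        $key = '{0}|{1}|{2}' -f $r.SubjectLogonId, $r.ProcessId, $r.HandleId
        if ($r.Id -eq 4663) {
            # 0x10000 is the DELETE access right; reads and writes are skipped.
            if ([Convert]::ToInt32($r.AccessMask, 16) -band 0x10000) { $pending[$key] = $r }
        }
        elseif ($r.Id -eq 4660 -and $pending.ContainsKey($key)) {
            $req = $pending[$key]
            [pscustomobject]@{
                Deleted = $r.TimeCreated
                User    = '{0}\{1}' -f $req.SubjectDomainName, $req.SubjectUserName
                Path    = $req.ObjectName
            }
            $pending.Remove($key)   # handle values are reused later
        }
    }
}

# Constructed sample records (not taken from a real Security log).
$t = Get-Date '2014-04-23 10:00:00'
$sample = @(
    [pscustomobject]@{ Id=4663; RecordId=101; TimeCreated=$t; SubjectDomainName='CONTOSO'; SubjectUserName='jdoe'; SubjectLogonId='0x3e7a1'; ProcessId='0x4'; HandleId='0x1a4'; AccessMask='0x1';     ObjectName='D:\Test\notes.txt' }
    [pscustomobject]@{ Id=4663; RecordId=102; TimeCreated=$t; SubjectDomainName='CONTOSO'; SubjectUserName='jdoe'; SubjectLogonId='0x3e7a1'; ProcessId='0x4'; HandleId='0x1b8'; AccessMask='0x10000'; ObjectName='D:\Test\report.docx' }
    [pscustomobject]@{ Id=4660; RecordId=103; TimeCreated=$t; SubjectLogonId='0x3e7a1'; ProcessId='0x4'; HandleId='0x1b8' }
)
Get-ConfirmedDeletion -Record $sample | Format-Table -AutoSize

# Against the live log (elevated prompt on the server hosting the share):
# Get-ConfirmedDeletion -Record (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} | ConvertTo-AuditRecord)
```

With the sample data only `D:\Test\report.docx` is reported: the read of `notes.txt` has no DELETE bit and no matching 4660.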
 
LVL 5

Assisted Solution

by:Pankaj_401
Pankaj_401 earned 1000 total points
ID: 40019373
Hi Justin,
I see a lot of good suggestions here, and some of them look good to resolve your concern. Please check this link.
However, you can select the permission that you want to audit, such as "delete" in this case; after that, we can determine that by checking the auditing events log.
Here is how it can be configured: http://technet.microsoft.com/en-us/library/dn319056.aspx
0
