Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem

We have a team of Wintel sysadmins & there have been cases where critical files / folders were
accidentally deleted & we need to trace who/what deleted them : not logins to all servers are
video-recorded (by tools like Privilege Access Manager or CyberArk).

Not too conversant with setting up Tripwire to monitor, as it ended up with thousands of lines
being logged daily : too many irrelevant or false positives.

I know in Unix ACL, we can set ACLs on certain files/folders to log to the audit trail if files get deleted.
Can you provide step-by-step instructions on how this can be done in Windows 2008 R2?  Using
Tripwire is too unwieldy.

It would be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers).
sunhux Asked:
sunhux (Author) Commented:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/ed46b837-007f-474b-9a68-454c7f76f192/how-to-audit-delete-filesfolders-action-on-shared?forum=winservergen
https://social.technet.microsoft.com/Forums/ie/en-US/3ddf1f64-b103-4b28-a300-b87ef118abab/file-auditing-for-only-deleted-files?forum=winserverfiles

Not too clear on how to avoid "read access" from being logged.

I got a couple of links above.  Next question is how to generate (is this from Event Viewer security.evtx ??) a text output of
only the "delete events" so that I could email it out on a daily basis, as login to our Production servers is highly restricted.
0
sunhux (Author) Commented:
>Not too clear on how to avoid "read access" from being logged.
I mean in the 2nd link, the author mentioned he ran into the issue of "read access" getting logged.
I did not quite see any solution on how to prevent read access from being logged.
0
William Miller (Inventory/IT Consultant) Commented:
Take a look at this little tool:

http://www.nirsoft.net/utils/folder_changes_view.html

The only downside I would maybe see is that you need to configure for the folders you want to monitor, but it is a free potential solution to your problem.
1
sunhux (Author) Commented:
I did think of various free tools but they will need layers of approvals, so let's stick to Windows native built-in features.
0
William Miller (Inventory/IT Consultant) Commented:
If you're going native, you're going to have a tough time putting together a concise way to see everything you want to monitor. That said:

https://technet.microsoft.com/en-us/library/cc771070(v=ws.11).aspx

Following that link will step-by-step you through enabling auditing on a folder and how to propagate that out to all sub-folders inside the parent. You'll then use Event Viewer to track the changes. That's where it gets messy because there's no filter on what it tracks.
1
sunhux (Author) Commented:
Is there a command to extract from Event Viewer based on a certain Event ID?
Can you provide a sample command?

I'll have to explore to share a drive over to a PC to send out the output of this command.
0
William Miller (Inventory/IT Consultant) Commented:
I believe I could do you one better:

https://gist.github.com/TrimIdeas/b40ccae0fe9b9d6f1a27

Unfortunately, this Git isn't really actively developed anymore so you'll have to likely make some tweaks to the script for your own specific purpose.
1
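
Added example (not from the thread or the linked gist) covering the two questions raised above: auditing only delete rights so that read access is not logged, and exporting delete events from the Security log as text. The folder and report paths are hypothetical, and it assumes an elevated PowerShell 2.0 or later session on the server with the report directory already created.

```powershell
# Added example. $Folder and $Report are hypothetical; run from an elevated prompt.
$Folder = 'D:\Data\Critical'
$Report = 'C:\AuditReports\deletes-{0:yyyyMMdd}.txt' -f (Get-Date)

# 1. Enable success auditing for the "File System" subcategory in local policy.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry that audits only the delete rights, inherited by all
#    subfolders and files. Read access is not in the rule, so it is not logged.
$ruleArgs = 'Everyone', 'Delete, DeleteSubdirectoriesAndFiles',
            'ContainerInherit, ObjectInherit', 'None', 'Success'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Daily report: Event ID 4663 from the last 24 hours (86400000 ms),
#    keeping only events whose AccessMask includes the DELETE bit (0x10000).
$xpath = '*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime) <= 86400000]]]'
$rows = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
  ForEach-Object {
    $ev = $_
    $d  = @{}
    # Flatten the <EventData><Data Name="..."> elements into a hashtable.
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ([Convert]::ToInt32($d['AccessMask'], 16) -band 0x10000) {
      '{0:yyyy-MM-dd HH:mm:ss}  {1}\{2}  {3}  {4}' -f $ev.TimeCreated,
          $d['SubjectDomainName'], $d['SubjectUserName'],
          $d['ProcessName'], $d['ObjectName']
    }
  }

# One line per delete: time, account, process, object path.
$rows | Out-File -FilePath $Report -Encoding ASCII
```

Event ID 4660 confirms that an object was actually deleted but carries no object name, so the report is built from 4663, which does. The script can be run as a daily scheduled task, with the report written to whatever share is used to send it out.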
Question has a verified solution.