Audit Win2008 R2 to log events of files/folders being deleted : for post-mortem

sunhux
sunhux used Ask the Experts™
on
We have a team of Wintel sysadmins & there has been cases where critical files / folders were
accidentally deleted & we need to trace who/what deleted it : not logins to all server are
video-recorded (by tools like Privilege Access Manager or Cyberark).

Not too conversant with setting up Tripwire to monitor as it ended up thousands of lines were
logged daily : too many irrelevant or false positives.

I know in Unix ACL, we can set ACLs on certain files/folder to log to audit trail if files got deleted.
Can provide step by step instructions on how this can be done in Windows 2008 R2 ?  Using
Tripwire is too unwieldy.

Will be good to provide the option of configuring locally (if I plan to do it only for a few servers)
as well as via GPO (if I plan to do it on a big number of servers)
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®

Author

Commented:
https://social.technet.microsoft.com/Forums/windowsserver/en-US/ed46b837-007f-474b-9a68-454c7f76f192/how-to-audit-delete-filesfolders-action-on-shared?forum=winservergen
  https://social.technet.microsoft.com/Forums/ie/en-US/3ddf1f64-b103-4b28-a300-b87ef118abab/file-auditing-for-only-deleted-files?forum=winserverfiles

Not too clear on how to avoid "read access" from being logged.

I got a couple of links above.  Next question is how to generate out (is this from event viewer security.evtx ??) into text output
only the "delete events" so that I could email out on daily basis as login to our Production servers is highly restricted.

Author

Commented:
>Not too clear on how to avoid "read access" from being logged.
I mean in the 2nd link, the author mentioned he ran into the issue of "read access" got logged:
I did not quite see any solution on how to prevent read access from being logged
Commented:
Take a look at this little tool:

http://www.nirsoft.net/utils/folder_changes_view.html

The only downside I would maybe see is that you need to configure for the folders you want to monitor, but it is a free potential solution to your problem.
Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Author

Commented:
I did think of various free tools but will need layers of approvals so let's stick to Windows native built-in features
Commented:
If you're going native, you're going to have a tough time putting together a concise way to see everything you want to monitor. That said:

https://technet.microsoft.com/en-us/library/cc771070(v=ws.11).aspx

Following that link will step-by-step you through enabling auditing on a folder and how to propagate that out to all sub-folders inside the parent. You'll then use Event Viewer to track the changes. That's where it gets messy because there's no filter on what it tracks.

Author

Commented:
Is there a command to extract out from Event Viewer based on certain Event Id ?
Can provide sample command?

I'll have to explore to share a drive over to a PC to send out the output of this command.
Commented:
I believe I could do you one better:

https://gist.github.com/TrimIdeas/b40ccae0fe9b9d6f1a27

Unfortunately, this Git isn't really actively developed anymore so you'll have to likely make some tweaks to the script for your own specific purpose.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial