Windows security

craqon

Distinguished
Apr 3, 2003
218
0
18,680
Hey all

I am suspecting a malicious user on one of my networks. Someone is deleting my files. Every month or so a directory or so just goes missing.

I have a full backup set that lasts for 6 months, and then we do copies of all data every day that can take us back 2 months.

The data consists of numerous databases and office files, up to 20G of Word docs.

Now this network consists of about 50 users.

Is there any way of logging who deleted files at what time for a Windows 2003 server?

Or 3rd party apps?



__
I don't have the body of Superman, or the agility of Spiderman, or the brains of Dr. Doom, but I do lick like Lassie.
 

riser

Illustrious
Enable auditing.
(2003) Off top of my head..
Go in on your server, right click on the drive/folder you want to audit (you can select multiple folders).
Select Sharing - Advanced - Auditing - Add the user group (domain users) and you can pick from the list of what you want to audit..
Like deleting, saving, etc. Successful or failed.. Successful meaning someone did delete something, failed means they tried but access was denied.

You'll have to enable auditing in the group policy also.

For 2000: http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iimacsc.htm
 

craqon

Great stuff

I missed that one. I'll test tonight.

The malicious user is my ex girlfriend. Never mix business with pleasure... And the strangest is that she left me.

 

riser

Or you could deny her rights.. remove admin privs from her domain account. But I doubt that'll help since I have rarely seen people use the Ownership feature.

If she's deleting things and causing you a headache, that auditing will be a charm and you can track everything she's doing on your network. Hey, if you're vengeful you can always get her fired.

At my last job, everyone sucked up to us because they knew we could look at everything they've done. Not that it was a power trip on our part, but we had sensitive data and along with that comes the nonsensitive stuff that was tracked.

Your best bet is to put auditing on her particular account.. or you can just do an entire drive.

The problem is you're going to get stuck drudging neck deep in a list of events that are all fine until you see something that isn't right. It won't be flashing or anything.
It'll be like "UserXXX deleted directory XYZ on May 1st, 2005 at 14:24pm."
But maybe 3 events earlier that user might have accidentally created that directory.. you'll see when you look through an audit log. Your best bet is to save the logs on a weekly basis.. that way you can go through and track down which week something was removed. Daily would be tedious, monthly would be too much information at once.
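
An added example, not part of any post in this thread, of cutting the audit log described above down to confirmed deletions. On Server 2003 the Security log records event 560 when a handle is opened on an audited object and event 564 when the object behind that handle is deleted; the record layout, field names and sample rows below are constructed for illustration, and handle IDs are assumed unique while open.

```python
from collections import namedtuple

# Simplified record. These field names are this example's own (assumption);
# they stand for values pulled out of an exported Security log.
Event = namedtuple("Event", "time event_id user handle object_name accesses")

OBJECT_OPEN = 560     # Server 2003: handle opened on an audited object
OBJECT_DELETED = 564  # Server 2003: object behind that handle was deleted

# Constructed sample rows, not real log output.
SAMPLE = [
    Event("2005-05-01 14:20:03", 560, "CORP\\alice", "0x1a4", r"D:\Data\Reports\q1.doc", "ReadData"),
    Event("2005-05-01 14:24:10", 560, "CORP\\userxxx", "0x2b8", r"D:\Data\XYZ", "DELETE"),
    Event("2005-05-01 14:24:10", 564, "", "0x2b8", "", ""),
    # Opened with DELETE access but never followed by a 564: not a deletion.
    Event("2005-05-01 14:30:41", 560, "CORP\\bob", "0x2b8", r"D:\Data\Budget.xls", "DELETE"),
    # Office temp files come and go constantly and bury the real events.
    Event("2005-05-01 14:31:00", 560, "CORP\\bob", "0x300", r"D:\Data\tmp\~WRD0001.tmp", "DELETE"),
    Event("2005-05-01 14:31:01", 564, "", "0x300", "", ""),
]

def find_deletions(events, ignore_suffixes=(".tmp",)):
    """Pair each 564 with the 560 that opened the same handle for DELETE."""
    pending = {}      # handle -> the 560 event that requested DELETE access
    deletions = []
    for ev in events:
        if ev.event_id == OBJECT_OPEN:
            if "DELETE" in ev.accesses:
                pending[ev.handle] = ev
            else:
                pending.pop(ev.handle, None)  # handle reused for a non-delete open
        elif ev.event_id == OBJECT_DELETED:
            opened = pending.pop(ev.handle, None)
            if opened is None:
                continue                      # the matching open was not in this export
            if opened.object_name.lower().endswith(tuple(ignore_suffixes)):
                continue                      # skip temp-file noise
            deletions.append((ev.time, opened.user, opened.object_name))
    return deletions

if __name__ == "__main__":
    for when, who, what in find_deletions(SAMPLE):
        print(f"{when}  {who}  deleted  {what}")
```
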
 

sobelizard

Distinguished
Dec 31, 2002
418
0
18,780
Just post nude pics of her on the internet.

Powered by VERTO
Fueled by CL-ONE
 

craqon

Got some vids of her taking a shower. She was rather hot.

Won't make a diff now though. Already buried her and planted a rosegarden on that spot in the garden... Way easier than securing a server...
