Re: How to trace a deleted file on a server by a user
From: Vera Noest [MVP] (vera.noest_at_remove-this.hem.utfors.se)
Date: 09/24/04
- Next message: Vera Noest [MVP]: "Re: Roaming and local profiles"
- Previous message: SuderMan: "Roaming and local profiles"
- In reply to: Erwin Ras: "Re: How to trace a deleted file on a server by a user"
- Next in thread: Kevin Bowersock: "Re: How to trace a deleted file on a server by a user"
- Reply: Kevin Bowersock: "Re: How to trace a deleted file on a server by a user"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 24 Sep 2004 13:59:38 -0700
Did you have auditing of security events (especially logon and
logoff events) turned on when this happened? That would at least
give you a list of everyone who was logged on during the time this
happened.
If you didn't have security auditing enabled, I don't think there
is much more that you can do to find out who messed up.
Did you make a full backup of your system immediately after the
file loss was discovered? If so, you could have a look at the time
stamps of every user profile, which could tell you when users were
last logged in. That could at least rule out some suspects.
I have no personal experience with any 3rd party software, but if
you google for "auditing software" I'm sure you'll find lots of them.
But I doubt very much if anything can be found out about past
incidents. And again, be prepared for a performance hit if you
want to audit every single file operation.
--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
"Erwin Ras" <anonymous@discussions.microsoft.com> wrote on 24 sep
2004 in microsoft.public.win2000.termserv.apps:
> Thank you for the information, I understand your point,
> but it's the boss's decision and I think you understand
> that. There might be one administrator that could cause the
> blunder, but we have to find out.
> Besides, do you know one program that might help?
>>-----Original Message-----
>>Not after the fact has already happened.
>>The only way to trace such events is to enable security auditing
>>on the server, and then enable it on the specific files. But since
>>you don't know before it happens *which* files you want to audit,
>>you would have to audit them all. The impact this has on the
>>performance of the server makes this unrealistic, as far as I
>>know.
>>There is certainly a bunch of 3rd party software out there which
>>can help.
>>
>>Personally, I would spend less time in finding the user who did
>>it, and more time in securing my file system. With proper NTFS
>>permissions, this wouldn't have happened in the first place
>>(unless an Administrator messed up).
>>
>> --
>>Vera Noest
>>MCSE,CCEA, Microsoft MVP - Terminal Server
>>http://hem.fyristorg.com/vera/IT
>>*----------- Please reply in newsgroup -------------*
>>
>>"Erwin Ras" <anonymous@discussions.microsoft.com> wrote on 24 sep
>>2004:
>>
>>> Well we got some smart guys who got access to some
>>> application files on a terminal server and deleted those
>>> files. Now we would like to know if there is a way that we
>>> can trace who did it.
>>>
>>> Is there any program or utilities that we can use to trace
>>> the deletion.
>>>
>>> The files deleted were most of the office application and
>>> Project.
>>>
>>> regards
>>>
>>> Erwin
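
The approach described in this thread (enable security auditing on the server, then on the files you care about) can be scoped to delete operations on one directory. The following is an added example, not part of the original posts; it assumes a current Windows Server with PowerShell run elevated, and `$AppDir` and `Get-DeleteAuditEvent` are hypothetical names chosen here.

```powershell
# Added example. $AppDir is a hypothetical path for the application directory.
$AppDir = 'D:\Apps\Office'

# 1. Enable the "File System" object-access audit subcategory (success events).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit (SACL) entry that records only successful deletes, inherited
#    by all files and subfolders, rather than auditing every file operation.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $AppDir -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $AppDir -AclObject $acl

# 3. After an incident: list who exercised DELETE access under a directory.
#    Event 4663 = "An attempt was made to access an object".
function Get-DeleteAuditEvent {
    param([string]$Root, [datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a hashtable.
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data |
                ForEach-Object { $d[$_.Name] = $_.'#text' }
            # 0x10000 is the DELETE right in the event's AccessMask field.
            $isDelete = [Convert]::ToInt32($d.AccessMask, 16) -band 0x10000
            if ($d.ObjectName -like "$Root*" -and $isDelete) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    LogonId = $d.SubjectLogonId
                    Process = $d.ProcessName
                    File    = $d.ObjectName
                }
            }
        }
}

Get-DeleteAuditEvent -Root $AppDir | Sort-Object Time | Format-Table -AutoSize
```

The `LogonId` column can be matched against the logon and logoff events mentioned above to tie a deletion to one Terminal Server session. None of this recovers information about deletions that happened before auditing was enabled.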