Re: Auditing file deletion



If this is a one-off situation, you can use something like Sysinternals' FileMon (http://www.sysinternals.com/Utilities/Filemon.html), or even Tripwire (http://www.tripwire.com/) to watch for the file deletions. You won't have to wade through the tonnes of audit logs, but you will have to set filters to watch the activity you care about.

A non-MS way to go about it, but if this is a one-off situation it's faster than fretting about object access auditing.

---
Regards,
Dana Epp [Security MVP]
http://silverstr.ufies.org/blog/

NickC wrote:
Thanks Steven,

The problem is that hundreds of other Object Access events get logged, not just the file and directory deletions.

Nick


"Steven Zhu [MSFT]" <v-stezhu@xxxxxxxxxxxxxxxxxxxx> wrote in message news:Dsc3KnSWGHA.3700@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Nick,

Thanks for posting here.

From your post, my understanding on this issue is: you configure auditing
for some file and directory deletions, but you cannot see any log
regarding this in the security event log. If I am off base, please feel
free to let me know.

Based on my knowledge, if you want to configure auditing for file and
directory deletions, please enable Audit Object Access success/failure in
Default Domain Controllers Policy. To do so, please refer to the following
steps:

1. Click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. On the View menu, click Advanced Features.
3. Right-click Domain Controllers, click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and
then click Edit.
5. Click Computer Configuration, double-click Windows Settings,
double-click Security Settings, and double-click Local Policies, and then
double-click Audit Policy.
6. In the right pane, right-click Audit Object Access, click Properties.
7. Click Define These Policy Settings, and then click to select one or both
of the following check boxes:
- Success: Click to select this check box to audit successful attempts for
the event category.
- Failure: Click to select this check box to audit failed attempts for the
event category.
8. Click OK.

Note: Because the changes that you make to your computer's audit policy
setting take effect only when the policy setting is propagated or applied
to your computer, complete either of the following steps to initiate policy
propagation:
- Type gpupdate /Target:computer at the command prompt, and then press
ENTER.
- Wait for automatic policy propagation that occurs at regular intervals
that you can configure. By default, policy propagation occurs every five
minutes.

Also, please specify the files and folders that you want audited. To
do so:

1. In Windows Explorer, locate the file or folder you want to audit.
Right-click the file and folder you want to audit, and then click
Properties.

2. Click the Security tab, and then click Advanced.

3. Click the Auditing tab, and then click Add.

4. In the Enter the object name to select box, type the name of the user or
group whose access you want to audit. You can browse the computer for names
by clicking Advanced, and then clicking Find Now in the Select User or
Group dialog box.

5. Click OK.

6. Select the Successful or Failed check boxes for the actions you want to
audit, and then click OK.

7. Click OK twice.

Finally, you can open the Security log to view logged events. Additionally,
if you are either a domain or an enterprise administrator, you can enable
security auditing for workstations, member servers, and domain controllers
remotely.

I hope the above information helps.

Have a nice day.

Best Regards,

Steven Zhu
MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
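
An added example, not part of the original thread: a scripted form of the folder-auditing steps that audits only the delete rights, followed by a query that reads back only delete accesses, which addresses the noise Nick describes. Assumptions: the folder path and the Everyone principal are placeholders, and event ID 4663 with its field names applies to Windows Vista/Server 2008 and later, not to the older event log format of the systems discussed in the thread.

```powershell
# Added example; not from the thread. Run in an elevated session.
$Path      = 'D:\Shares\Projects'   # hypothetical folder to audit
$Principal = 'Everyone'             # assumed: audit deletions by any user

# 1. Audit entry limited to the delete rights, inherited by subfolders and
#    files, so reads and writes under $Path produce no Object Access events.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $Path -Audit   # -Audit loads the SACL along with the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Show the audit entries now on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 2. Read back only object accesses under $Path whose access mask
#    includes the DELETE bit (0x10000).
$DELETE = 0x10000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $mask   = [Convert]::ToInt32($data['AccessMask'], 16)
        $inPath = ([string]$data['ObjectName']).StartsWith(
            $Path, [System.StringComparison]::OrdinalIgnoreCase)
        if (($mask -band $DELETE) -and $inPath) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
    }
```

The audit entry only produces events once Audit Object Access is enabled through policy as described in the steps above.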