Re: Need to monitor Deleted files on server shares

I know a free but really ugly, almost ineffective way to to this that's not all that much worse than a root canal. Go to the Domain Controller Security Policy (or your GPO of choice), Audit Policy -> Audit Object Access, and choose Success. Now go to the top level folder, Properties -> Security -> Advanced and go to the Audit tab. Add a security group or whatever and configure what you want logged for that group (Delete, for example). Do the inheritance thing to apply the setting to subfolders and files, it works just like a regular ACL. Gpupdate /force and you'll be good to go.

What makes this ugly IMO is that auditing object access creates a boatload of entries, and when someone deletes a file, the log entry isn't overly informative (I'm not sure it even contains the name of the deleted file). At least it shouldn't take you long to configure this and see if it's worth pursuing for the limited purpose of catching who's deleting the files.


"Leythos" <spam999free@xxxxxxxxxx> wrote in message news:MPG.238e3eec48fd113b9896f7@xxxxxxxxxxxxxxxxxxxxxxx
A client is experiencing files being deleted on a common share that
holds project data. All users with permission on the share have FULL
permission. Is there a FREE way, possibly through Security Audits (the
built in security event log) to setup something that creates an event
entry that shows when a file is deleted by a user and who the user is?

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)

.

Relevant Pages

  • RE: syslog
    ... For the same kind of environment, I am using Computer Associates eTrust ... Audit integrated with Security command center for an easy event management ... and consolidation of logs + administration of all the Security ...
    (Security-Basics)
  • RE: Blue Team ROE
    ... These types of constraints are a way to create the illusion of due ... diligence in that they are having an outside company perform a security ... the audit by client constraints. ... Cenzic Hailstorm finds vulnerabilities fast. ...
    (Pen-Test)
  • Re: How to determine who changed permissions on a directory?
    ... I used the "Security Monitoring and Attack Detection Planning Guide" from ... Audit Account Logon events - Success, Failure ... Audit Object Access - Success, ...
    (microsoft.public.security)
  • Re: How to determine who changed permissions on a directory?
    ... I used the "Security Monitoring and Attack Detection Planning Guide" from ... Audit Account Logon events - Success, Failure ... Audit Object Access - Success, ...
    (microsoft.public.security)
  • RE: [lists] How tos in Hacking AS400
    ... In 15 minutes I made the $40K I charged for the audit. ... If you spend more on coffee than on IT security, ... Download FREE whitepaper on how a managed service can help ...
    (Pen-Test)