
Missing folder and files


Postby guest » Tue Oct 11, 2011 8:42 am

We are running Windows 2008 R2 and have a departments' sharing folder. In the past two weeks, one of the departments keeps missing folders and files. As I understand, there is no way to prevent deleting files and folders. Am I right? My question is: is there a way to audit or find out which computer and user deleted them?
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/
guest
 
Posts: 9512
Joined: Mon Nov 27, 2006 1:10 pm

Re: Missing folders and files

Postby guest » Tue Oct 11, 2011 8:43 am

From your description, you want to know if there is a way to audit or find out which computer and user delete files. Please correct me if I have misunderstood anything.



As we know, we can use access permissions to protect data; however, to track who accessed files and folders and what they did, we can configure auditing for file and folder access. Every comprehensive security strategy should include auditing.



To track file and folder access, you must:

- Enable auditing
- Specify which files and folders to audit
- Monitor the security logs



1. Enable auditing.



You configure auditing policies by using Group Policy or local security policy. To enable auditing of files and folders for a specific computer, start the Local Security Policy tool by clicking Start, All Programs, Administrative Tools, and Local Security Policy. Expand Local Policies, and then select Audit Policy.



Next, double-click Audit Object Access. This displays the Audit Object Access Properties dialog box. Under Audit These Attempts, select the Success check box to log successful access attempts, the Failure check box to log failed access attempts, or both check boxes, and then click OK. This enables auditing but it doesn't specify which files and folders should be audited.



2. Specify which files and folders to audit

After you have enabled Audit Object Access, you can set the level of auditing for individual folders and files. This allows you to control whether and how folder and file usage is tracked.



You specify files and folders to audit using Windows Explorer. In Windows Explorer, right-click the file or folder to be audited, and then, from the shortcut menu, select Properties. In the Properties dialog box, click the Security tab, and then click Advanced. In the Advanced Security Settings dialog box, click Edit on the Auditing tab.



Now use the Auditing Entries list box to select the users, groups, or computers whose actions you want to audit. To add specific accounts, click Add, and then use the Select User, Computer, Or Group dialog box to select an account name to add. If you want to audit actions for all users, use the special group Everyone. Otherwise, select the specific user groups or users, or both, that you want to audit.



The Apply Onto drop-down list box allows you to specify which actions should be audited. Select the Successful or Failed check boxes, or both, for the events you want to audit.



3. Monitor the security logs

Any time files and folders that you’ve configured for auditing are accessed, the action is written to the system’s Security log, where it’s stored for your review. The Security log is accessible from Event Viewer. Successful actions can cause successful events, such as successful file reads, to be recorded. Failed actions can cause failed events, such as failed file deletions, to be recorded.

Re: Missing folders and files

Postby guest » Tue Oct 11, 2011 8:44 am

Thank you for the tip. I do have a question. I have hundreds of events every minute. Which event ID are we looking for?



Re: Missing folders and files

Postby guest » Tue Oct 11, 2011 8:44 am

Another question. There are over a million events in the Security log. Can we limit it to audit deleting files and folders?

Re: Missing folders and files

Postby guest » Tue Oct 11, 2011 8:45 am

Yes, as I said before, the Apply Onto drop-down list box allows you to specify which actions should be audited. Select the Successful or Failed check boxes, or both, for the events you want to audit.



I suggest that you read the following article to understand the object access events:



How are object access events generated?

http://blogs.msdn.com/b/ericfitz/archiv ... rated.aspx



Audit object access

http://technet.microsoft.com/en-us/libr ... 6774(WS.10).aspx



Trustworthiness of Information in Audit Records

http://blogs.msdn.com/b/ericfitz/archiv ... 63918.aspx



Quick Overview of Object Access Auditing in Windows

http://blogs.msdn.com/b/ericfitz/archiv ... 45726.aspx
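Added example, not written by any poster in this thread: one way to handle the two follow-up questions (which event ID to look for, and how to limit auditing to deletions) in PowerShell on the file server. It audits only successful deletes on the shared folder, then selects event ID 4663 records whose access mask includes DELETE and joins them to event ID 4624 logons by logon ID to recover the source address. The folder path and look-back window are placeholders, and it assumes an elevated session, Audit Object Access enabled as described above, and successful logons being audited.

```powershell
# Added example: run in an elevated PowerShell session on the file server.
$SharePath = 'D:\Shares\Departments'      # placeholder: the audited folder
$Since     = (Get-Date).AddDays(-1)       # placeholder: look-back window
$DELETE    = 0x10000                      # DELETE bit in the 4663 AccessMask

# 1. Audit successful deletes only, for Everyone, on the folder and its children.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Flatten an event's <EventData> into a name -> value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# 2. Index logons (4624) by logon ID so a delete can be tied to a source address.
#    Sessions opened before $Since will not be in the index.
$logons = @{}
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object { $f = Get-EventFields $_; $logons[$f.TargetLogonId] = $f.IpAddress }

# 3. Keep only 4663 records under the share whose access mask includes DELETE.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $mask = [Convert]::ToInt32($f.AccessMask, 16)
        if (($mask -band $DELETE) -and $f.ObjectName -like "$SharePath\*") {
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                User     = $f.SubjectDomainName + '\' + $f.SubjectUserName
                Object   = $f.ObjectName
                SourceIP = $logons[$f.SubjectLogonId]
            }
        }
    } | Sort-Object Time | Format-Table Time, User, SourceIP, Object -AutoSize
```

Event ID 4660 also marks a deletion, but it carries only a handle ID and no object name, which is why the query reads 4663. If the folder already has broader audit entries (for example, all access for Everyone), narrow or remove them on the Auditing tab, or the log volume will not drop.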

