Posted by Jack Brown on December 13, 2006, 5:04 pm
> I have dug through this group and others, read the Server 2003
> hardening guides, dug through the LSP and GPO, and I cannot figure out
> where to do this at.
>
> We have a Windows server connected to a SAN, someone keeps deleting
> files and the event viewer shows nothing useful. Where do I set up
> file/folder auditing so it will show me everything that happens to that
> folder and files? I know it will generate a lot of log files, I am
> prepared for that.
Did you read this:
http://technet2.microsoft.com/windowsserver/en/technologies/featured/audit/default.mspx
I don't work on Win2003 Server per se but a quick glance at the above link
and it seems reasonably similar to WinXP. Windows security is basically the
same on all (professional) versions of Windows anyway. The basics are as
follows (note that I'm a developer):
1) Turn auditing policy on which is apparently described here (for Win2003):
http://technet2.microsoft.com/WindowsServer/en/library/d9fea7ea-61e5-43b1-98cd-b02a09f101561033.mspx?mfr=true
2) Apply auditing to the specific file or folders you're interested in. This
is apparently described here (again, for Win2003):
http://technet2.microsoft.com/WindowsServer/en/library/ecf63dcf-17e7-4279-91ff-beb11bd0d6881033.mspx?mfr=true
Afterwards you can find all auditing info in the "Security" event log. In XP
for instance, you would do this:
1) From the command line, launch "C:\WINNT\system32\secpol.msc" (you can
also find this in the GUI)
2) Under "Local Policies\Audit Policy", double click "Audit object access"
3) Click "Success" and/or "Failure" to turn auditing on for successful
and/or failed attempts you wish to audit
4) Close the above and then use Windows Explorer to find the folder or
specific file(s) you want to audit
5) Right-click this folder, select "Properties" and then click the
"Security" tab
6) Click "Advanced" button
7) Click "Auditing" tab
8) Click "Add" button
9) Type in who you want to audit (user or group name) or "Everyone" if you
wish
10) Click OK
11) Click the check boxes for whatever you want to audit (e.g., both "Delete
Subfolders and Files" and "Delete"). You can audit "Successful" and/or
"Failed" attempts as per 3 above
12) Repeatedly click OK to exit all the way out
Whatever you selected for auditing is now active and will appear in the
"Security" event log (the process should likely be very similar in Win2003)
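
The same procedure as a script, as an added example that is not part of the original post: it enables object-access auditing and then adds the delete-auditing entry from steps 4-12 to a folder. Assumptions: an elevated PowerShell session on Windows Vista / Server 2008 or later (the `auditpol` subcategory syntax and event IDs 4660/4663 do not apply to XP / Server 2003), and `D:\Shares\Projects` is a hypothetical path.

```powershell
# Added example. Run elevated; changing a SACL needs the
# "Manage auditing and security log" privilege.
$Path = 'D:\Shares\Projects'   # hypothetical folder, substitute your own

# Steps 1-3: turn on "Audit object access" for the file system.
# On XP / Server 2003 do this in secpol.msc as the post describes.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Steps 4-12: audit entry for Everyone covering "Delete" and
# "Delete Subfolders and Files", inherited by subfolders and files,
# for both successful and failed attempts.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule `
               -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $Path -Audit     # -Audit loads the SACL along with the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the audit entry is now on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Show recent object-access events from the Security log:
# 4663 = an attempt was made to access an object, 4660 = an object was deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Limiting the audited rights to the two delete permissions keeps the Security log volume far lower than auditing every access type on the folder.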