Security Concern, Files deleted from Server

Good morning to all, and hope everyone is doing well. I have a security issue, and need help solving this. Someone in my company within Engineering staff deleted an entire group of folders. Unfortunately it was on a project that ended, and it was discovered this morning. I have luckily a backup tape of the past two weeks, and I was hoping someone can direct me as to how I can look at some log or feature in Windows 2003 Server that can show file deletion and the user that deleted these files. Thanks again in advance for your help and responses.

Answer Wiki


Unfortunately, there is nothing after the fact that will do this. But for future reference, if you turn on auditing on that computer and enable auditing for file and object access, then configure auditing for select folders/files, it can be set up to create an event in the security log when files or folders are deleted, and those event logs will tell you who deleted the files. I am not going to go into how to do that here, but I'm sure you have manuals on Windows Server or can find that information on Microsoft's TechNet website.

Discuss This Question: 4  Replies

  • Howard2nd
    I agree with TedRizzi's answer - you would have to have had 'auditing' turned on to log this type of event. The second part of the answer is that permissions on your 'Windows' network need to be set tighter. Drives and root folders should be 'Read/List/Execute' and 'Write' if a third party needs to create new sub folders. 'Modify', which is needed to delete files and folders, should be limited to sub folders and files. It is entirely too easy in 'Windows Explorer' to navigate to a file and not notice the folder is still highlighted when you click the delete key. And network deletes are not placed in the 'Recycle Bin'. Thank goodness you have a backup and no data was lost.
  • Sexton
    I must agree with everyone so far. Even if auditing is turned on, I still have a hard time understanding the auditing events via Event Viewer. Since I thrive on security, this is one issue I've yet to overcome. I'm sure it's easy for many people out there, but I really find it difficult to actually track a user's steps, and I audit everything at all costs of server performance. I've never been able to find an article on how to really do this, nor have I ever been shown by someone who really understands auditing, but for me, this is a very difficult task, much like doing a restore which is not difficult, but a royal pain. Since disk space is so inexpensive today, I personally recommended a third party program called undelete found at: Although tape backups can't be eliminated, the number of times you actually have to use it for restore is greatly reduced, and to me, a real time saver. Like auditing, tape restore is a royal pain from my perspective. Perhaps the upper end of tape backup software such as NetBackup would make the restore process easier, but most of my working relationships don't have an IT budget to justify this type of expense. Undelete is really a great tool for any organization, with little overhead other than disk space. The more you can allocate for it, the less often you need to actually do the restore. They claim it's cluster aware, however, I've had lots of trouble making it work correctly in a cluster. The best part, and the reason I'm actually sending a reply, is the Undelete bin will tell you the user who deleted it, and when it was deleted. Although you could just install and go, I would recommend serious configuration for files you don't want to end up in the undelete bin. Also, for speed, I would suggest an undelete bin for each drive so the files don't have to be moved to another set of disks.
    It's really very inexpensive for a file server, and as someone pointed out, files deleted across the network do not get put in the normal undelete bin, however, undelete does capture files deleted across the network wire. From my perspective, it's a needed tool for any network, as everyone knows files get deleted all the time, and I hate spending time in the backup software. One more note about security. All files can end up in the undelete bin. This could include sensitive material. I know of an instance where an IT guy would pass random drug screening as he would know when they were scheduled, and for who. The IT guy did not have access to the data storage location, but did have access to the undelete bin. As Word documents are modified, they get deleted, which puts them in the undelete bin, so you do have to be careful with who you let use it. This is just one example, but I'm sure you can relate this to other situations such as bonus reviews, salaries and other sensitive information. While you're there (off topic) I also suggest another valuable tool called "Diskeeper". Again, very inexpensive (unless you want the Exchange version), and runs circles around other defragmentation programs. I hope this helps. Robert Sexton
  • ESuazo
    Just wanted to thank you all for your help and responses.
  • ESuazo
    Just wanted to thank you all for your help and responses. If you have anything further to add, I will look into it also. Thanks
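
Added example, not part of the original thread: once object-access auditing is enabled as the answer describes, one reason the Security log is hard to read is that the delete event (ID 564 on Windows Server 2003) carries only a handle ID, so it has to be matched to the earlier object-open event (ID 560) that names the file and the user. The records, account names, paths and dictionary keys below are constructed and simplified, not real log output.

```python
# Constructed sample records, simplified from Windows Server 2003 Security log
# events: 560 = object open, 562 = handle closed, 564 = object deleted.
SAMPLE_EVENTS = [
    {"id": 560, "time": "09:14:02", "pid": 4, "handle": 1284,
     "object": r"E:\Projects\Alpha", "primary_user": "FILESRV$",
     "client_user": "jdoe", "accesses": ["DELETE", "ReadAttributes"]},
    {"id": 560, "time": "09:14:02", "pid": 4, "handle": 1300,
     "object": r"E:\Projects\Beta\spec.doc", "primary_user": "FILESRV$",
     "client_user": "asmith", "accesses": ["ReadData (or ListDirectory)"]},
    {"id": 564, "time": "09:14:03", "pid": 4, "handle": 1284},
    {"id": 562, "time": "09:14:05", "pid": 4, "handle": 1300},
    # Handle 1284 is reused later by a local (non-network) delete.
    {"id": 560, "time": "10:30:10", "pid": 2212, "handle": 1284,
     "object": r"E:\Projects\Gamma\old.zip", "primary_user": "backupsvc",
     "client_user": "-", "accesses": ["DELETE"]},
    {"id": 564, "time": "10:30:10", "pid": 2212, "handle": 1284},
    # A 564 whose 560 is missing (for example, the log wrapped) stays unresolved.
    {"id": 564, "time": "11:00:00", "pid": 4, "handle": 900},
]


def find_deletions(events):
    """Return (time, user, object) per 564, resolved via the 560 that opened the handle."""
    open_handles = {}  # (pid, handle) -> the 560 record that requested DELETE access
    deletions = []
    for ev in events:  # events must be in chronological order
        key = (ev["pid"], ev["handle"])
        if ev["id"] == 560 and "DELETE" in ev["accesses"]:
            open_handles[key] = ev
        elif ev["id"] == 562:
            open_handles.pop(key, None)  # handle closed, forget it
        elif ev["id"] == 564:
            opened = open_handles.pop(key, None)
            if opened is None:
                deletions.append((ev["time"], None, None))
                continue
            # For access over the network the primary user is the server's own
            # account; the person who deleted the file is the client user.
            user = opened["client_user"]
            if user in ("-", ""):
                user = opened["primary_user"]
            deletions.append((ev["time"], user, opened["object"]))
    return deletions


if __name__ == "__main__":
    for when, user, obj in find_deletions(SAMPLE_EVENTS):
        print(when, user or "UNRESOLVED", obj or "(no matching 560)")
```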
