Q

Hunt down a hacker

If you have ever had a rogue user delete files from a server and want to find out who that person is, then piece of advice from Windows networking security expert Wes Noonan's might just be for you.

We have a W2K3 file server (with SAN attached arrays) that a user has deleted files from. Is there a way to discover who this person is? Do the log files capture this information or would we have to put a monitoring tool on the server and hope to capture future activity? We plan on tightening the permissions but I wondered if there would be any history available.
This is a function of the auditing capabilities of the file server and can be enabled using the native tools. This is done by both enabling the Auditing functionality in the Auditing Tab of the Advanced Security settings for the given folders/file system as well as enabling the appropriate Audit Policy for your environment using Group Policy/the Local Security Policy of the system in question. Unfortunately, if you weren't auditing to begin with, there won't be a historical record.

If you are going to enable this degree of auditing, I would strongly recommend the use of third-party log management/security monitoring tools such as NetIQ Security Manager, LogLogic or ArcSight ESM. These tools can both manage the quantity of logs as well as the volume of events. Doing otherwise, in my experience, results in auditing policies that are effectively worthless because data is near impossible to find. It is also difficult...

to manage the volume of data (which can exceed gigabytes of data per day).

This was first published in January 2007

Dig deeper on Patches, alerts and critical updates

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVirtualDesktop

SearchWindowsServer

SearchExchange

Close