Hunting down a hacker

A SearchWindowsSecurity.com member recently asked: We have a W2K3 file server (with SAN attached arrays) from which a user has deleted files. Is there a way to discover who this person is? Do the log files capture this information or would we have to put a monitoring tool on the server and hope to capture future activity? We plan on tightening the permissions but I wondered if there would be any history available.

Wes Noonan: This is a function of the auditing capabilities of the file server and can be enabled using the native tools. This is done by enabling the Auditing functiona

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Windows XP security issues, updates and alerts How Windows 7 stands up to security tests The state of enterprise security and emerging threats in 2009 A first look at Windows 7 security enhancements How to strike a balance between Windows security and business needs How to recognize and repair Blue Screen of Death stop error messages Ten ways to sell security to management Improve Windows security with our top 10 tips Strategies for troubleshooting Windows XP errors Managing single sign-on security burdens in Windows A Windows security checklist for IT managers Windows Vista security issues, updates and alerts Ten ways to sell security to management Improve Windows security with our top 10 tips Windows Vista management tutorial Minasi says Vista SP1 solves problems, adds new ones Does Vista's strong security make it better than XP? Are Windows Vista's features silencing critics? Managing single sign-on security burdens in Windows Top 10 ways to improve Windows Vista security A Windows security checklist for IT managers Unauthenticated vs. authenticated security testing

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

lity in the Auditing Tab of the Advanced Security settings for the given folders/file system. You also have to enable the appropriate Audit Policy for your environment using Group Policy/the Local Security Policy of the system in question. Unfortunately, if you weren't auditing to begin with, there won't be a historical record.

If you are going to enable this degree of auditing, I would strongly recommend the use of third-party log management/security monitoring tools such as NetIQ Security Manager, LogLogic or ArcSight ESM. These tools can both manage the quantity of logs as well as the volume of events. Doing otherwise, in my experience, results in auditing policies that are effectively worthless because data is near impossible to find. It is also difficult to manage the volume of data (which can exceed gigabytes of data per day).

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.