Server hardening tip: If you've ever discovered that your network has been hacked, you've probably wondered how to track down the perpetrator. Find out how to track down hackers with this advice from network security expert Wes Noonan.
A SearchWindowsSecurity.com member recently asked: We have a W2K3 file server (with SAN attached arrays) from which a user has deleted files. Is there a way to discover who this person is? Do the log files capture this information or would we have to put a monitoring tool on the server and hope to capture future activity? We plan on tightening the permissions but I wondered if there would be any history available.
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Wes Noonan: This is a function of the auditing capabilities of the file server and can be enabled using the native tools. This is done by enabling the Auditing functionality in the Auditing Tab of the Advanced Security settings for the given folders/file system. You also have to enable the appropriate Audit Policy for your environment using Group Policy/the Local Security Policy of the system in question. Unfortunately, if you weren't auditing to begin with, there won't be a historical record.
If you are going to enable this degree of auditing, I would strongly recommend the use of third-party log management/security monitoring tools such as NetIQ Security Manager, LogLogic or ArcSight ESM. These tools can both manage the quantity of logs as well as the volume of events. Doing otherwise, in my experience, results in auditing policies that are effectively worthless because data is near impossible to find. It is also difficult to manage the volume of data (which can exceed gigabytes of data per day).