
Thread: How to use Auditing to Track Deleted Files on Windows Server

  1. #1

    How to use Auditing to Track Deleted Files on Windows Server

    Many of us who use Windows Server are not really aware of a unique feature called Auditing. It is known to network admins only. What does it do? I got a mail recently from a friend who runs a Computer Learning Institute. Some of his eBooks were deleted and he was not able to track who did it. After contacting me, I suggested he enable Auditing Policies on Windows Server, which enable you to find records of users' activity on the network. It is possible to track who deleted the files, who modified or moved them, and even the logins and logouts. Auditing is a very simple process which generates logs, helping network admins keep track of users' activity. It is recommended for all those who run small or large server networks. Auditing is available in all versions of Windows Server and, mark my words, it is not really tough to configure.

    The steps to enable it are simple. Windows Server 2008 R2 offers better features in Auditing. Called Security Auditing, it helps you track users' effectiveness in your work. In the new version there are more enhancements and complex algorithms which work more efficiently. There are higher levels of security auditing logs and simplified deployment. In my view, I recommend you use the most recent version if you need a higher level of security. Otherwise it really does not matter if you just want the logs. Some of the enhancements which I want to highlight here if you use Windows Server 2008 or higher are:
    • Global Object Access Auditing: Under this you get the option to enable SACLs. It is called a computer system access control list. Under this the object type can be defined per file system or registry. Once the list is applied, it applies to every object of the type you configure. It is best recommended to track system files. It is recommended for a wide network. It can track changes done to system files and the registry.
    • "Reason for access" reporting: This list is called Access Control Entries. Under this, the admin has the right to allow privileges to objects. He/she can at will allow or deny rights to objects in the environment.
    • Advanced audit policy settings: There are 53 new settings in this. As mentioned on the Microsoft site, the new additions allow admins to target more specific activities.

    What can Auditing do?

    There are two ways to use it. First you can define policies which will track user activities; the other tracks system-wide activities. Under user activities you can collect logs of user logins, logouts, file modifications, deletions, etc., while under system-wide you can generate logs on object activities. A sample I can give is the user membership process. It allows you to track the following:
    • The action that was performed.
    • The user who performed the action.
    • The success or failure of the event and the time that the event occurred.

  2. #2

    Re: How to use Auditing to Track Deleted Files on Windows Server

    To work with this you have to define an audit policy. These are defined on the basis of categories of events which are maintained by the security log on every system. With the help of the information in the Security Log you can track the events that occurred. For example, when you have defined a policy and a user logs in or logs out, his activity is recorded in the log. If the login or logout fails, that is also recorded in the logs.

    Benefits of using the new enhancements in the new version of Windows Server
    Older versions offer you around 9 different categories to track events, while the new version offers you around 53 categories to track. So you can understand which one can benefit you. Everything is recorded and maintained in the policies. Under the 53 categories the admin has a lot more to choose from. He can also be selective about certain actions assigned to a number of users for a particular event.

    Steps to Configure Audit Policy on a Domain Controller

    This service is turned off. You have to enable it via the Audit Policy settings and configure the same for all domain controllers. There are certain prerequisites you have to check before enabling this. First you must grant the Manage Auditing and Security Log user right on every computer where you want to configure it. Another important thing: the objects under audit must lie on NTFS partitions.

    Process to configure Audit on a Domain Controller
    • Click on Start > Programs > Administrative Tools > Active Directory Users and Computers > View > Advanced Features
    • Now look for Group Policy > click on Domain Controller > Edit > click Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
    • Now on the right side, right click on Audit Directory Services Access > Properties. From here you can start defining the Audit policies. There are two checkboxes here. The first one is called Success, which means it will keep an audit of successful attempts; Failure is for the failed attempts. Tick both.
    • Now again right click on any other event category which you want to Audit and choose Properties.
    • To apply the settings for the computer you have to type the following in the command prompt and hit Enter: gpupdate /computername

    Process to configure Audit on Objects in Active Directory
    These settings are for configuring audit on objects like users, computers or groups. You can specify this manually. The process is the same as above. I am just noting the changes below.
    • Click on Start > Programs > Administrative Tools > Active Directory Users and Computers > View > Advanced Features
    • Right click on the object > Properties. Click on Security > Advanced > Audit > Add. Now from here you can add a user name/group name or even objects. Apply the same settings and then check back.

    Applying Audit to a folder
    • This is another simple process of applying audit to a specific folder or file only. This is helpful when you want to trace changes made to a file or data. Right click on the folder and click on Properties > Security > Advanced. Tick the checkbox below which says: Allow inheritable permissions from the parent to propagate to this object.
    • Click on Auditing > Add and add the users. After that, in the object box, tick the Delete option. There are two boxes. Choose them and apply.
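The folder-auditing steps in this post, and the four things post #1 says an audit record gives you (the action, the user, success or failure, and the time), can also be done from an elevated PowerShell prompt instead of the GUI. The script below is an added example for this thread, not something the original poster provided: it turns on the "File System" object-access subcategory with auditpol, writes the same Delete audit entry into the folder's SACL that the Advanced Security dialog would, and then pulls the resulting deletions out of the Security log. The folder path, the seven-day window and the use of Everyone as the audited principal are assumptions for illustration; replace them with your own share and groups. Event IDs 4663 and 4660 are the standard Windows "object access" events for a handle opened with DELETE access and for the object actually being removed; they are not mentioned in the thread.

```powershell
# Added example (not from the original thread): audit and report file deletions
# on one server. Run from an elevated prompt on Windows Server 2008 R2 or later.
$Folder = 'D:\Shares\eBooks'   # placeholder path; change to the share you want to audit

# 1. Enable the "File System" subcategory of Object Access (advanced audit policy).
#    A SACL on a folder produces no events at all until this is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add the SACL entry the GUI steps above create: audit Everyone for Delete and
#    DeleteSubdirectoriesAndFiles, both Success and Failure, inherited by children.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Report who deleted what. Event 4663 carries the account, the path and an
#    AccessMask; the DELETE bit is 0x10000. Event 4660 confirms the object was removed.
function Get-FileDeletions {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-7)   # assumed default window
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # Keep only events under the audited folder whose access mask includes DELETE.
        if ($data.ObjectName -like "$Path*" -and (([int]$data.AccessMask) -band 0x10000)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated                                   # when
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"  # who
                File    = $data.ObjectName                                 # what
                Process = $data.ProcessName                                # how
                Result  = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
            }
        }
    }
}

Get-FileDeletions -Path $Folder | Sort-Object Time | Format-Table -AutoSize
```

Step 2 needs the Manage Auditing and Security Log right the post mentions, because reading or writing a SACL requires SeSecurityPrivilege; without it Get-Acl -Audit fails. Step 3 filters on the DELETE bit rather than on all 4663 events because a busy share generates thousands of read and write accesses for every deletion.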
