Introduction
If a file on your server is deleted maliciously or by mistake, it can lead to losses of sensitive data and the inability of users to access the information they are intended to use, both of which may result in additional troubles for IT staff.
http://start.netwrix.com/how_to_detect_who_deleted_file_from_file_server.html
Steps (6 total)
Navigate to the folder that backs the file share, right-click it and select "Properties". On the "Security" tab click "Advanced", open the "Auditing" tab and click "Add":
Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Delete subfolders and files" and "Delete".
Run gpmc.msc (Group Policy Management), right-click the GPO that applies to the file server (for example "Default Domain Policy") and select "Edit" → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy. On a standalone server, edit the local policy with gpedit.msc instead:
Audit object access → Define → Success and Failures.
Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
Audit File System → Define → Success and Failures
Audit Handle Manipulation → Define → Success and Failures.
Go to Event Log → Define:
Maximum security log size to 1 GB
Retention method for security log to Overwrite events as needed.
Once the log fills, the oldest events are overwritten, so forward the Security log to a central collector or SIEM if you need to keep the history longer than the log holds.
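The same configuration as steps 1 to 5, done from an elevated PowerShell prompt on the file server. This is an added example, not part of the original article: the share path and the log size are assumptions, and auditpol sets the local effective policy, so in a domain put the same subcategories in the GPO rather than relying on this script.

```powershell
# Added example: audit deletions on a share folder (not from the original article).
# Run elevated on the file server; Set-Acl on a SACL needs SeSecurityPrivilege.
$SharePath = 'D:\Shares\Finance'   # assumption: the folder backing the audited share

# Step 1: SACL entry - Everyone, Success and Failure, Delete + Delete subfolders and files,
# applied to this folder, subfolders and files.
$acl     = Get-Acl -Path $SharePath -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]::Delete -bor [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Steps 3-4: advanced audit subcategories (local effective policy; use the GPO in a domain).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# Step 5: Security log size 1 GB, overwrite events as needed (/rt:false = no retention).
wevtutil sl Security /ms:1073741824
wevtutil sl Security /rt:false

# Verify what is now in effect.
auditpol /get /category:"Object Access"
(Get-Acl -Path $SharePath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

The SACL change is what actually produces events; the audit policy only decides whether the system records them. Check both: auditpol shows the effective subcategories, and the last command shows the audit entries on the folder, including any inherited from a parent.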
Open Event Viewer and filter the Security log for event ID 4656 ("A handle to an object was requested") with task category "File System" or "Removable Storage" and the string "Accesses: DELETE". "Object Name" shows the file and "Subject: Security ID" (with "Account Name" and "Account Domain") shows who requested delete access. A 4656 with DELETE access is only the request; renames and some applications open handles with DELETE without removing anything, so to confirm that the file was actually deleted look for event ID 4660 ("An object was deleted") with the same "Handle ID" and "Process ID". The 4660 event carries the user but not the file name, which is why the two have to be read together.
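Reading the events by hand does not scale, and the Handle ID correlation is easy to get wrong. The script below, an added example that is not part of the original article, pulls 4656/4663 events that granted DELETE access on files under the share, then reports a deletion only when a matching 4660 follows for the same process and handle. The share path and the look-back window are assumptions.

```powershell
# Added example: who deleted which files under a share (not from the original article).
# 4656 = handle requested, 4663 = access attempted, 4660 = object deleted.
$Since      = (Get-Date).AddHours(-24)   # assumption: look back one day
$PathPrefix = 'D:\Shares\Finance'        # assumption: folder backing the audited share
$DELETE     = 0x10000                    # DELETE bit in the AccessMask field

function Get-EventData {
    # Flatten the EventData section of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Oldest first, so each 4660 is matched to the handle opened before it.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4660; StartTime = $Since } -ErrorAction Stop |
          Sort-Object TimeCreated

$openHandles = @{}   # "<ProcessId>:<HandleId>" -> details of a handle opened with DELETE access
$deletions = foreach ($e in $events) {
    $d   = Get-EventData $e
    $key = "$($d.ProcessId):$($d.HandleId)"
    if ($e.Id -eq 4656 -or $e.Id -eq 4663) {
        $mask = [Convert]::ToInt64($d.AccessMask, 16)   # AccessMask is a hex string such as 0x10000
        if ($d.ObjectType -eq 'File' -and $d.ObjectName -like "$PathPrefix*" -and ($mask -band $DELETE)) {
            $openHandles[$key] = @{
                Object  = $d.ObjectName
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process = $d.ProcessName
                Opened  = $e.TimeCreated
            }
        }
    }
    elseif ($e.Id -eq 4660 -and $openHandles.ContainsKey($key)) {
        # 4660 carries no object name; take it from the handle we tracked.
        $h = $openHandles[$key]
        [pscustomobject]@{
            Deleted = $e.TimeCreated
            Object  = $h.Object
            User    = $h.User
            Process = $h.Process
            Host    = $e.MachineName
        }
        $openHandles.Remove($key)
    }
}

$deletions | Sort-Object Deleted | Format-Table -AutoSize
```

For files removed over SMB the process is System and the interesting field is the user, which is the remote account that issued the delete. Handles that were opened with DELETE access but never followed by a 4660 (renames, Explorer probing permissions, applications that open with delete-on-close and then do not) are left in `$openHandles` and are deliberately not reported.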
Conclusion
Works well on Windows Server 2008 and above.
Events are recorded only for deletions that happen after the audit configuration is in place; nothing is logged retroactively, so configure auditing before you need it.