RE: [despammed] Utility to determine who deleted files
From: Levinson, Karl (LevinsonK@STARS-SMI.com)
Date: 02/26/03
From: "Levinson, Karl" <LevinsonK@STARS-SMI.com>
To: "'Gooch, Linnie '" <Linnie@wescom.org>, "'focus-ms@securityfocus.com '" <focus-ms@securityfocus.com>
Date: Wed, 26 Feb 2003 13:20:39 -0500
I'm not aware of any tool that does this without using Windows auditing.
Auditing is by far the most common way to handle this.

You can and should determine which users, directories and actions you wish
to audit, to keep the logs a manageable size. If there's too much in your
logs, you change what's being audited. Additionally, you can use event log
monitoring software such as www.ipsentry.com, DUMPEL from the MS Windows
Resource Kits, pslist from www.sysinternals.com, .VBS script, etc. to alert
you when key events occur, to further automate managing the logs.

Also, you could automate pushing out auditing settings by using Windows 2000
/ XP group policy templates and/or Active Directory Users and Computers
and/or the SECEDIT and AT commands... e.g. by launching MMC, adding the
Security Templates snapin, editing the resulting template file in Notepad if
necessary, importing the template into a security database or Active
Directory, etc.

Be sure you test this first so that you don't roll out incorrect NTFS file
permissions that cause problems. AFAIK, just using the MMC GUI to roll out
file auditing settings without any NTFS permissions showing in the GUI
removes the existing permissions.

Links to some articles that may be useful are at:
http://securityadmin.info/faq.htm#auditing

-----Original Message-----
From: Gooch, Linnie
To: focus-ms@securityfocus.com
Sent: 2/25/2003 1:00 PM
Subject: [despammed] Utility to determine who deleted files
Sorry in advance if this is too simple of a question, but does anyone know
of a utility to put on a Windows NT / 2000 server to determine who deleted a
file and when? I know auditing does this, but is very cumbersome and hard to
read.
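
Added example, not part of the original messages: one way to make audited deletions easier to read is to pair each Security log event 564 (object deleted) with the earlier event 560 (object open) that requested DELETE access on the same handle. The records and their field names below are constructed and are an assumed, simplified representation of an exported Windows 2000 Security log, not the output format of any tool named in this thread.

```python
from datetime import datetime

# Constructed sample records (not real log data). Field names are a simplified,
# assumed representation of Security log events 560 (object open) and
# 564 (object deleted) written when object-access auditing is enabled.
SAMPLE_EVENTS = [
    {"time": "2003-02-25 09:14:02", "id": 560, "handle": "1820", "pid": "884",
     "object": r"D:\Shares\Finance\budget.xls", "primary_user": "FILESRV$",
     "client_user": "jsmith", "accesses": ["DELETE", "ReadAttributes"]},
    {"time": "2003-02-25 09:14:02", "id": 564, "handle": "1820", "pid": "884"},
    # Opened with DELETE access but never deleted (e.g. a rename): no 564 follows.
    {"time": "2003-02-25 09:20:41", "id": 560, "handle": "1904", "pid": "884",
     "object": r"D:\Shares\Finance\q1.doc", "primary_user": "FILESRV$",
     "client_user": "mlee", "accesses": ["DELETE", "SYNCHRONIZE"]},
    # Local deletion: no impersonated client, so the primary user is the actor.
    {"time": "2003-02-25 10:02:17", "id": 560, "handle": "2044", "pid": "1312",
     "object": r"D:\Shares\HR\review.doc", "primary_user": "Administrator",
     "client_user": "-", "accesses": ["DELETE"]},
    {"time": "2003-02-25 10:02:18", "id": 564, "handle": "2044", "pid": "1312"},
    # 564 whose matching open was not captured (log wrapped or audit gap).
    {"time": "2003-02-25 11:30:00", "id": 564, "handle": "3000", "pid": "884"},
]

def find_deletions(events):
    """Pair each 564 with the earlier 560 that opened the same handle with DELETE."""
    open_handles = {}  # (pid, handle) -> the 560 record that requested DELETE
    deletions = []
    ordered = sorted(events, key=lambda e: datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))
    for ev in ordered:  # sorted() is stable, so same-second events keep log order
        key = (ev["pid"], ev["handle"])  # handle values are only unique per process
        if ev["id"] == 560 and "DELETE" in ev["accesses"]:
            open_handles[key] = ev
        elif ev["id"] == 564:
            opened = open_handles.pop(key, None)
            if opened is None:
                deletions.append({"when": ev["time"], "who": None, "file": None})
                continue
            # Over a share the primary user is the server's machine account;
            # the person who deleted the file is the impersonated client user.
            who = opened["client_user"] if opened["client_user"] != "-" else opened["primary_user"]
            deletions.append({"when": ev["time"], "who": who, "file": opened["object"]})
    return deletions

if __name__ == "__main__":
    for d in find_deletions(SAMPLE_EVENTS):
        print(d["when"], d["who"] or "UNKNOWN (no matching 560)", d["file"] or "?")
```

A deletion reported with no user or file means the matching open event was not in the export, which usually points to a log that wrapped or to auditing that was not enabled on that directory at the time.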