Re: Moved & Deleted Files

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/26/05


Date: Sat, 26 Feb 2005 00:21:57 -0600

Since you are experiencing strange behavior be sure to run full virus scan
on your server. Then check your group memberships including all the
administrators groups to make sure membership is proper. Verify that the
share has correct share/ntfs permissions and that the permissions are not
excessive meaning that only the users that need full control/modify
permissions have that permission. If you do not have backups the file may be
recoverable with a third party program. Note that files deleted on a network
share will not go to the recycle bin on the server.

For Windows 2000 you can enable auditing of object access in the Local
Security Policy or Domain Controller Security Policy for domain controllers
and then audit folders for user access. In your case I would audit just the
two delete permissions for the users group. Be sure to increase the size of
your security log in Event Viewer to at least 10MB. Then look for object
access 560 and 564 events paired by timestamp. You should then be able to
see who is deleting the files. This is not a user friendly task as you will
see a lot of seemingly unrelated object access events but if you dig deep
enough you should find what you need. I pasted an example for what to look
for. In the example the file deleted was firewalls.doc by user Steve from
the folder d:\extra. Look for the file name that was deleted in object
name - not image file name for event 560. Note that both events have the
same timestamp. Interestingly the event 564 shows that a file was deleted
but does not actually list the file object, just the same image file name
as event 560. But taking the information of these two events together shows
the actual file that was deleted. It might help to use Event Comb to search
the log for file names that are being deleted as Event Comb allows the use of
text strings in searches. The link below explains folder auditing in more
detail. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 -- Event
Comb.

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/25/2005
Time: 11:55:12 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
  Object Server: Security
  Object Type: File
  Object Name: D:\Extra\Firewalls.doc
  Handle ID: 2072
  Operation ID: {0,9271529}
  Process ID: 684
  Image File Name: D:\WINDOWS\explorer.exe
  Primary User Name: Steve
  Primary Domain: STEVE-XP
  Primary Logon ID: (0x0,0x162AA)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses: DELETE
   READ_CONTROL
   ReadAttributes

  Privileges: -
  Restricted Sid Count: 0

************************************

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 564
Date: 2/25/2005
Time: 11:55:12 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Deleted:
  Object Server: Security
  Handle ID: 2072
  Process ID: 684
  Image File Name: D:\WINDOWS\explorer.exe

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

"mugs" <mugs@discussions.microsoft.com> wrote in message
news:82978552-AC0D-436B-8F53-A9BDE8DD775F@microsoft.com...
> For the last 2 days we are facing the problem of files and folders either
> being moved or deleted from the shared drive. We have a Windows NT network
> with users on either Win2000 or WinXP. Some of the folders and files were
> moved from their original location and some folders/files were deleted. I
> could not find the deleted files/folders in the recycle bin of the shared
> server for which no one has access except the administrator (me). During
> the day everything seems to be fine. I am normally the last person to leave
> the office after taking backups. Next day morning, the users are reporting
> this problem.
>
> Is there a way I could find out if these things are being done
> deliberately. Or is this some kind of virus problem. We use Norton
> Antivirus with live update. Can anyone suggest any solution to secure
> these files.
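
Added example, not part of the original post: the 560/564 pairing described in the reply above, applied to event text in the layout of the pasted example. It goes slightly beyond the post by matching on Process ID and Handle ID (both visible in the two events) rather than on timestamp alone; the function names, the trimmed sample log and the user "Alice" are constructed for illustration, and records are assumed to be listed oldest-first.

```python
import re
# Constructed sample, trimmed; "Alice" is invented: DELETE requested, no 564 follows.
SAMPLE_LOG = r"""
Event ID: 560
Time: 11:54:40 PM
User: STEVE-XP\Alice
  Object Name: D:\Extra\Budget.xls
  Handle ID: 2100
  Process ID: 684
  Accesses: DELETE
************************************
Event ID: 560
Time: 11:55:12 PM
User: STEVE-XP\Steve
  Object Name: D:\Extra\Firewalls.doc
  Handle ID: 2072
  Process ID: 684
  Accesses: DELETE
   READ_CONTROL
************************************
Event ID: 564
Time: 11:55:12 PM
  Handle ID: 2072
  Process ID: 684
"""

def parse_events(text):  # one dict of "Field: value" pairs per record
    events = []
    for record in re.split(r"^\*{5,}$", text, flags=re.M):
        ev, last = {}, None
        for line in record.splitlines():
            m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*)$", line)
            if m:
                last, ev[m.group(1)] = m.group(1), m.group(2).strip()
            elif line.strip() and last:  # continuation of a multi-line Accesses list
                ev[last] += " " + line.strip()
        if "Event ID" in ev:
            events.append(ev)
    return events

def find_deletions(events):  # 564 confirms the delete; the matching 560 names the file
    opened, found = {}, []
    for ev in events:
        key = (ev.get("Process ID"), ev.get("Handle ID"))
        if ev["Event ID"] == "560" and "DELETE" in ev.get("Accesses", "").split():
            opened[key] = ev
        elif ev["Event ID"] == "564" and key in opened:
            src = opened.pop(key)
            found.append((ev["Time"], src["User"], src["Object Name"]))
    return found
```

A 560 that requests DELETE access without a matching 564 is not reported, which filters out much of the unrelated object access noise the reply mentions.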


