Re: Moved & Deleted Files
From: mugs (mugs_at_discussions.microsoft.com)
Date: 02/28/05
- Next message: Modem Ani: "Re: Scannig in safe mode?"
- Previous message: Malke: "Re: Yahoo Email Accounts Being Compromised,"
- In reply to: Steven L Umbach: "Re: Moved & Deleted Files"
- Next in thread: Roger Abell: "Re: Moved & Deleted Files"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Feb 2005 07:47:01 -0800
Thanks for your advice and help. Will try what you have advised.
"Steven L Umbach" wrote:
> Since you are experiencing strange behavior be sure to run full virus scan
> on your server. Then check your group memberships including all the
> administrators groups to make sure membership is proper. Verify that the
> share has correct share/ntfs permissions and that the permissions are not
> excessive meaning that only the users that need full control/modify
> permissions have that permission. If you do not have backups the file may be
> recoverable with a third party program. Note that files deleted on a network
> share will not go to the recycle bin on the server.
>
> For Windows 2000 you can enable auditing of object access in the Local
> Security Policy or Domain Controller Security Policy for domain controllers
> and then audit folders for user access. In your case I would audit just the
> two delete permissions for the users group. Be sure to increase the size of
> your security log in Event Viewer to at least 10MB. Then look for object
> access 560 and 564 events paired by timestamp. You should then be able to
> see who is deleting the files. This is not a user friendly task as you will
> see a lot of seemingly unrelated object access events but if you dig deep
> enough you should find what you need. I pasted an example for what to look
> for. In the example the file deleted was firewalls.doc by user Steve from
> the folder d:\extra. Look for the file name that was deleted in object
> name - not image file name for event 560. Note that both events have the
> same timestamp. Interestingly the event 564 shows that a file was deleted
> but does not actually list the file object, just the same image file name
> as event 560. But taking the information of these two events together shows
> the actual file that was deleted. It might help to use Event Comb to search
> the log for file names that are being deleted as Event Comb allows the use of
> text strings in searches. The link below explains folder auditing in more
> detail. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
> http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 -- Event
> Comb.
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 2/25/2005
> Time: 11:55:12 PM
> User: STEVE-XP\Steve
> Computer: STEVE-XP
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: D:\Extra\Firewalls.doc
> Handle ID: 2072
> Operation ID: {0,9271529}
> Process ID: 684
> Image File Name: D:\WINDOWS\explorer.exe
> Primary User Name: Steve
> Primary Domain: STEVE-XP
> Primary Logon ID: (0x0,0x162AA)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses: DELETE
> READ_CONTROL
> ReadAttributes
>
> Privileges: -
> Restricted Sid Count: 0
>
> ************************************
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 564
> Date: 2/25/2005
> Time: 11:55:12 PM
> User: STEVE-XP\Steve
> Computer: STEVE-XP
> Description:
> Object Deleted:
> Object Server: Security
> Handle ID: 2072
> Process ID: 684
> Image File Name: D:\WINDOWS\explorer.exe
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
>
> "mugs" <mugs@discussions.microsoft.com> wrote in message
> news:82978552-AC0D-436B-8F53-A9BDE8DD775F@microsoft.com...
> > For the last 2 days we are facing the problem of files and folders either
> > being moved or deleted from the shared drive. We have a Windows NT network
> > with users on either Win2000 or WinXP. Some of the folders and files were
> > moved from their original location and some folders/files were deleted. I
> > could not find the deleted files/folders in the recycle bin of the shared
> > server for which no one has access except the administrator (me). During
> > the day everything seems to be fine. I am normally the last person to leave
> > the office after taking backups. Next day morning, the users are reporting
> > this problem.
> >
> > Is there a way I could find out if these things are being done
> > deliberately? Or is this some kind of virus problem? We use Norton
> > Antivirus with live update. Can anyone suggest any solution to secure
> > these files?
>
>
>
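Added example, not part of the original thread: the 560/564 pairing described in the quoted reply, run over a Security log exported as text. The function names and the abridged sample are constructed for illustration; events are paired only when time, Process ID and Handle ID all match, as in the quoted pair.

```python
import re
# Constructed sample in the Event Viewer text layout quoted above, abridged to the
# fields the pairing uses. The Notes.txt event (no DELETE access) is made up.
SAMPLE = r"""
Event ID: 560
Time: 11:55:12 PM
User: STEVE-XP\Steve
Object Name: D:\Extra\Firewalls.doc
Handle ID: 2072
Process ID: 684
Accesses: DELETE
READ_CONTROL
************************************
Event ID: 560
Time: 11:55:12 PM
Object Name: D:\Extra\Notes.txt
Handle ID: 2080
Process ID: 684
Accesses: READ_CONTROL
************************************
Event ID: 564
Time: 11:55:12 PM
Handle ID: 2072
Process ID: 684
"""
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

def parse_events(text):
    """Split an exported log on the asterisk separators into field dicts."""
    events = []
    for block in re.split(r"^[> ]*\*{5,}\s*$", text, flags=re.M):
        ev, key = {}, None
        for line in (l.lstrip("> ").strip() for l in block.splitlines()):
            m = FIELD.match(line)
            if m:
                key = m.group(1)
                ev[key] = m.group(2)
            elif line and key == "Accesses":  # access list continues on bare lines
                ev[key] += " " + line
        if "Event ID" in ev:
            events.append(ev)
    return events

def find_deletions(events):
    """Pair each 564 with the DELETE-access 560 sharing time, process and handle."""
    key = lambda e: (e.get("Date"), e.get("Time"), e.get("Process ID"), e.get("Handle ID"))
    opened = {key(e): e for e in events
              if e["Event ID"] == "560" and "DELETE" in e.get("Accesses", "").split()}
    return [(e.get("Time"), opened[key(e)].get("User"), opened[key(e)].get("Object Name"))
            for e in events if e["Event ID"] == "564" and key(e) in opened]
```

Each returned tuple is (time, user, object name); a 560 that never requested DELETE, or a 564 with no matching open, is ignored.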