Re: How to monitoring who has deleted a NTFS folder

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 05/25/05


Date: Tue, 24 May 2005 18:05:09 -0700

To add a small bit to Duane's accurate answer . . .
If, when adding the auditing ACE in the Auditing tab within the Security
dialog in the properties of the parent folder, one uses the advanced
dialog to set the Delete to be for subfolders only, then the security log
will not fill up nearly as rapidly (assuming file delete, which would no
longer cause an event message, is a much more common action than is
subfolder deletion).

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"]" <dlaflotte@criticalsites.com> wrote in message
news:u0%23ZnjKYFHA.712@TK2MSFTNGP14.phx.gbl...
> Arminio,
>      I know you said audit policies don't solve the problem.  I was
> wondering if you could explain a bit more as to why they don't?
> Below I've listed a method for monitoring folders that are deleted by
> users.
> The way to do this is to use a Local Security Policy.
> 1.  Run secpol.msc
> 2.  Go to Security Settings > Local Policies > Audit Policy
> 3.  Change Audit object access to audit success and failure
> 4.  Go to the parent directory above the directory you want to audit for
> deletion.  Go to the auditing tab and audit for success of Delete
> Subfolders and files.
> 5.  Now when a user deletes any subfolders you will get an entry in your
> event viewer under the security logs with event ID 560 & 567.
>
> ID 560 shows the folder that was deleted and ID 567 shows the type of
> operation done on that folder (DELETE).
>
> Good Luck,
> Duane Laflotte
> MCSE, MCSD, MCDBA, MCSA, MCT, MCP+I
> dlaflotte@criticalsites.com
>
> "Arminio Andrei" <a_arminio@yahoo.com> wrote in message
> news:etYw1%23IYFHA.2128@TK2MSFTNGP14.phx.gbl...
> > Hi,
> >
> > Is there any way to monitor a NTFS directory structure
> > to find what user has just deleted a particular folder(s) or
> > file(s) and log these actions? An audit policy doesn't solve the problem!
> >
> > Thanks
> >
> >
>
>
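
The audit entry discussed in this thread, set from PowerShell instead of the Security dialog, followed by a query for the two event IDs Duane names. This is an added example, not code from the original posts; the folder path, the 'Everyone' principal and the text filter on the event message are assumptions, and "Audit object access" is assumed to be enabled already.

```powershell
# Added example. Run from an elevated Windows PowerShell session:
# reading or writing a SACL requires SeSecurityPrivilege.
$parent = 'D:\Shares\Projects'   # hypothetical parent folder

# Audit successful Delete, scoped the way Roger describes.
# ContainerInherit + InheritOnly is what the advanced dialog labels
# "Subfolders only": child folders inherit the audit ACE, while files
# and the parent folder itself do not, so file deletes log nothing.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete', 'ContainerInherit', 'InheritOnly', 'Success')

# -Audit makes Get-Acl return the SACL along with the rest of the descriptor.
$acl = Get-Acl -Path $parent -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $parent -AclObject $acl

# Confirm the audit rules now present on the parent folder.
(Get-Acl -Path $parent -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, PropagationFlags -AutoSize

# Event IDs from the thread. Windows Vista / Server 2008 and later
# record the same two events as 4656 and 4663.
$eventIds = 560, 567

# Get-EventLog ships with Windows PowerShell (not PowerShell 6+).
# The -match on 'DELETE' is a coarse text filter (an assumption about
# how the access type appears in the message), not a field lookup.
Get-EventLog -LogName Security -InstanceId $eventIds -Newest 200 |
    Where-Object { $_.Message -match 'DELETE' } |
    Sort-Object TimeGenerated |
    Format-List TimeGenerated, InstanceId, Message
```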

