Re: Disappearing .doc files
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 29 Mar 2006 19:54:40 -0600
Weird. You can audit those files to see if it shows a particular user doing
that. See the link below for more details and I would be sure to just audit
the two delete permissions to keep the number of object access events down.
You will also find it helpful to use Event Comb to search the security log
for specific events and text strings such as filename and delete. If a user
name is found he may have malicious software installed on his computer or
another user could be impersonating him and not be doing it himself so keep
that in mind before you fire or reprimand him right away. As shown below,
Event IDs 560 and 567 will have pertinent info.
--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640 --- note
that auditing of object access needs to be enabled on server first.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e
--- Event Comb available here.
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch04.mspx
--- excerpt copied below
Table 4.1: File Permission Change Events

Event ID:   560
Occurrence: Access granted to existing object
Comments:   These events show where an object has successfully granted access
            to a request, such as list, read, create, and delete. Check
            Primary Logon ID, Client User Name, and Primary User Name fields
            to detect unauthorized attempts to change file permissions. Check
            Accesses field to identify the operation type. This event only
            shows that access was requested or granted - it does not mean
            that the access took place. The acting user is the Client User
            (if present); otherwise it is the Primary User.

Event ID:   567
Occurrence: A permission associated with a handle used
Comments:   This event occurs on the first instance of an access type (list,
            read, create, and so on) to an object. To correlate with event
            560, compare the Handle ID fields of the two events.

"Andy H." <andrew.harlan@xxxxxxxxxxxxxxxx> wrote in message
news:%23LNS0v2UGHA.4248@xxxxxxxxxxxxxxxxxxxxxxx
Hello,
We have a Windows 2003 server with a share set up for users to access and
store documents. In the past few days we noticed Word documents
disappearing from various folders within this share. When we restore
these documents from tape to these directories they remain for a couple
minutes and then poof they all disappear. Only .doc files are gone. If
we move these files to another share on the same server they remain. When
we took away delete access from the users group the files remain. However
when those permissions are reinstated the files disappear. There is no
evidence in event logs. Any ideas on how to track these occurrences?
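
Added example, not part of the original thread or of Microsoft's guide: a sketch of the 560/567 correlation described in the excerpt, pairing events by Handle ID and choosing the Client User when present and the Primary User otherwise. The "Field: value" record layout, the "Object Name" field name, and all paths, users and handle values are constructed assumptions, not real log output.

```python
import re
# Constructed sample: simplified "Field: value" records, blank-line separated.
SAMPLE = """\
Event ID: 560
Object Name: D:\\Share\\Docs\\budget.doc
Handle ID: 1844
Primary User Name: FILESRV$
Client User Name: jsmith
Accesses: DELETE, ReadAttributes

Event ID: 567
Handle ID: 1844
Accesses: DELETE

Event ID: 560
Object Name: D:\\Share\\Docs\\notes.doc
Handle ID: 2012
Primary User Name: backupsvc
Client User Name: -
Accesses: DELETE, SYNCHRONIZE

Event ID: 560
Object Name: D:\\Share\\Docs\\plan.doc
Handle ID: 2100
Client User Name: mjones
Accesses: ReadData
"""

def parse(text):
    """Split records on blank lines and return one dict per event."""
    return [dict(re.findall(r"^([^:\n]+):[ \t]*(.*)$", rec, re.M))
            for rec in text.strip().split("\n\n")]

def doc_deletes(events, suffix=".doc"):
    """Return (file, acting user, access used?) per DELETE grant on a .doc."""
    opened, rows = {}, []
    for ev in events:
        hid = ev.get("Handle ID")
        if "DELETE" not in re.split(r",\s*", ev.get("Accesses", "")):
            continue
        if ev["Event ID"] == "560" and ev.get("Object Name", "").lower().endswith(suffix):
            client = ev.get("Client User Name", "-")
            # Acting user: Client User if present, otherwise Primary User.
            user = client if client not in ("", "-") else ev["Primary User Name"]
            opened[hid] = [ev["Object Name"], user, False]
            rows.append(opened[hid])
        elif ev["Event ID"] == "567" and hid in opened:
            opened[hid][2] = True  # same Handle ID seen in a 567: access was used
    return [tuple(r) for r in rows]
```

A row whose last value is False is a 560 with no matching 567, which per the excerpt shows only that delete access was requested or granted.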