Re: Disappearing .doc files



Okay. Thanks. That's good advice.

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:upLHaFBVGHA.4864@xxxxxxxxxxxxxxxxxxxxxxx
Your log entries should show the account that deletes, and this
should appear in security log of machine sharing out the storage.

You could also try to narrow this down by looking at what
machine/account combinations have sessions, in the shares
area in compmgmt.msc. If not all of your people have mappings
to these shares at all times, that might help.

It surely sounds to me like you have an infected machine, and
once you locate it you will find that .doc and likely some other
extensions have been deleted everywhere on it and everywhere
it has mapped.

"Andy H." <andrew.harlan@xxxxxxxxxxxxxxxx> wrote in message
news:OTnUG6$UGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
If I audit a group will that show individual user actions or only the
group ID every time someone acts on an object?

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uvOMmz5UGHA.1868@xxxxxxxxxxxxxxxxxxxxxxx
Weird. You can audit those files to see if it shows a particular user
doing that. See the link below for more details and I would be sure to
just audit the two delete permissions to keep the number of object
access events down. You will also find it helpful to use Event Comb to
search the security log for specific events and text strings such as
filename and delete. If a user name is found he may have malicious
software installed on his computer or another user could be
impersonating him and not be doing it himself so keep that in mind
before you fire or reprimand him right away. As shown below Event IDs
560 and 567 will have pertinent info. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640 ---
note that auditing of object access needs to be enabled on server first.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e
--- Event Comb available here.

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch04.mspx
--- excerpt copied below
Table 4.1: File Permission Change Events

Event ID: 560
Occurrence: Access granted to existing object
Comments: These events show where an object has successfully granted access to
a request, such as list, read, create, and delete. Check Primary Logon
ID, Client User Name, and Primary User Name fields to detect
unauthorized attempts to change file permissions. Check Accesses field
to identify the operation type. This event only shows that access was
requested or granted - it does not mean that the access took place. The
acting user is the Client User (if present); otherwise it is the Primary
User.

Event ID: 567
Occurrence: A permission associated with a handle used
Comments: This event occurs on the first instance of an access type (list,
read, create, and so on) to an object. To correlate with event 560,
compare the Handle ID fields of the two events.



"Andy H." <andrew.harlan@xxxxxxxxxxxxxxxx> wrote in message
news:%23LNS0v2UGHA.4248@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

We have a Windows 2003 server with a share set up for users to access
and store documents. In the past few days we noticed Word documents
disappearing from various folders within this share. When we restore
these documents from tape to these directories they remain for a couple
minutes and then poof they all disappear. Only .doc files are gone.
If we move these files to another share on the same server they remain.
When we took away delete access from the users group the files remain.
However when those permissions are reinstated the files disappear.
There is no evidence in event logs. Any ideas on how to track these
occurrences?
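
The 560/567 correlation described in Steven L Umbach's reply above, as an added example that is not part of the original thread. It assumes the security log has been exported to a pipe-delimited text file; that layout, the function names, and the users, paths and handle IDs in the sample are all constructed for illustration.

```python
from collections import Counter

# Constructed sample export, one event per line (not real log data):
# EventID|Handle ID|Object Name|Primary User Name|Client User Name|Accesses
SAMPLE = r"""
560|1820|D:\Shared\plan.doc|FILESRV$|jdoe|DELETE, ReadAttributes
567|1820||||DELETE
560|2044|D:\Shared\budget.doc|FILESRV$|asmith|DELETE
560|2100|D:\Shared\notes.txt|FILESRV$|asmith|DELETE
567|2100||||DELETE
560|2310|D:\Shared\memo.DOC|FILESRV$|jdoe|DELETE
567|2310||||ReadData
567|2310||||DELETE
560|2400|D:\Shared\old.doc|backupsvc|-|DELETE
567|2400||||DELETE
"""

def confirmed_deletes(export, suffix=".doc"):
    """Return (acting_user, object_name) for each 560 delete grant that a
    567 with the same Handle ID shows was actually used."""
    granted = {}   # Handle ID -> (acting user, object name) from event 560
    hits = []
    for line in export.strip().splitlines():
        event_id, handle, obj, primary, client, accesses = line.split("|")
        wants_delete = "DELETE" in [a.strip() for a in accesses.split(",")]
        if event_id == "560":
            # Simplification: a newer 560 replaces a grant on a reused handle.
            granted.pop(handle, None)
            if wants_delete and obj.lower().endswith(suffix):
                # Acting user is the Client User if present, else Primary User.
                user = client if client not in ("", "-") else primary
                granted[handle] = (user, obj)
        elif event_id == "567" and wants_delete and handle in granted:
            # 560 alone only shows access was granted; 567 shows it was used.
            hits.append(granted.pop(handle))
    return hits

def deletes_per_user(export):
    """Count confirmed .doc deletes per acting account."""
    return Counter(user for user, _ in confirmed_deletes(export))

if __name__ == "__main__":
    for user, count in deletes_per_user(SAMPLE).most_common():
        print(user, count)
```

An account that tops this count is a lead for locating the machine involved, not proof that the named person deleted the files.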