Re: Disappearing .doc files



I agree with Roger as he is right as always. Below is an example of two
object access events that would show a file deletion and were recorded on
the computer that the file lives on. Notice how the two events have the same
timestamp and handle ID and show that user Steve deleted the file [object
name] credits.doc. --- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/30/2006
Time: 10:29:16 PM
User: STEVE-XP\Steve <<<<<<<<<<<<<<<<
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\fix1\CREDITS.doc <<<<<<<<<<<<<<<<<
Handle ID: 596
Operation ID: {0,4181482}
Process ID: 3912
Image File Name: D:\WINDOWS\explorer.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0x1FC171)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE <<<<<<<<<<<<<<<<<<<<<<<
SYNCHRONIZE
ReadAttributes

Privileges: -
Restricted Sid Count: 0

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 567
Date: 3/30/2006
Time: 10:29:16 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Access Attempt:
Object Server: Security
Handle ID: 596
Object Type: File
Process ID: 3912
Image File Name: D:\WINDOWS\explorer.exe
Access Mask: DELETE <<<<<<<<<<<<<<<<<<



For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.







"Andy H." <andrew.harlan@xxxxxxxxxxxxxxxx> wrote in message
news:OTnUG6$UGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
If I audit a group will that show individual user actions or only the
group ID every time someone acts on an object?

"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uvOMmz5UGHA.1868@xxxxxxxxxxxxxxxxxxxxxxx
Weird. You can audit those files to see if it shows a particular user
doing that. See the link below for more details and I would be sure to
just audit the two delete permissions to keep the number of object access
events down. You will also find it helpful to use Event Comb to search
the security log for specific events and text strings such as filename
and delete. If a user name is found he may have malicious software
installed on his computer or another user could be impersonating him and
not be doing it himself so keep that in mind before you fire or reprimand
him right away. As shown below Event IDs 560 and 567 will have pertinent
info. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640 --- note
that auditing of object access needs to be enabled on server first.
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e
--- Event Comb available here.

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch04.mspx
--- excerpt copied below
Table 4.1: File Permission Change Events

Event ID: 560
Occurrence: Access granted to existing object
Comments: These events show where an object has successfully granted
access to a request, such as list, read, create, and delete. Check
Primary Logon ID, Client User Name, and Primary User Name fields to
detect unauthorized attempts to change file permissions. Check the
Accesses field to identify the operation type. This event only shows
that access was requested or granted; it does not mean that the access
took place. The acting user is the Client User (if present); otherwise
it is the Primary User.

Event ID: 567
Occurrence: A permission associated with a handle used
Comments: This event occurs on the first instance of an access type
(list, read, create, and so on) to an object. To correlate with event
560, compare the Handle ID fields of the two events.
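
The correlation described in the table excerpt above, and illustrated by the
560/567 pair quoted at the top of the thread, as an added Python example (this
is not code from the thread, from Microsoft, or from Event Comb). It reads the
text layout the Event Viewer produces when you copy an event, pairs each 567
that used DELETE with the 560 that opened the same Handle ID in the same
process, and reports the file and acting user from the 560 (the 567 carries
neither). The log it runs on is constructed: the first pair is modelled on the
CREDITS.doc events quoted above; the rest (server FILESRV, user CORP\andy, the
E:\Docs files) are made up to cover a read-only open that must not be reported,
a delete through a share where the Client User, not the SYSTEM Primary User, is
the actor, and a handle opened with DELETE that is never used.

```python
import re

# Added example: correlate Security log events 560 and 567 by Handle ID to
# find who deleted which file. Input is the Event Viewer "copy" text layout.

FOOTER = ("For more information, see Help and Support Center at\n"
          "http://go.microsoft.com/fwlink/events.asp.\n")

def _ev(eid, **fields):
    """Render one event in Event Viewer's text layout (constructed sample data)."""
    lines = ["Event Type: Success Audit", "Event ID: %d" % eid,
             "Date: 3/30/2006", "Computer: FILESRV", "Description:"]
    lines += ["%s: %s" % (k.replace("_", " "), v) for k, v in fields.items()]
    return "\n".join(lines) + "\n\n" + FOOTER

# Constructed sample log; only the first pair follows the events quoted above.
SAMPLE_LOG = "\n".join([
    # Explorer on the local machine opens the file with DELETE and uses it.
    _ev(560, Time="10:29:16 PM", Object_Name=r"D:\fix1\CREDITS.doc", Handle_ID=596,
        Process_ID=3912, Image_File_Name=r"D:\WINDOWS\explorer.exe",
        Primary_User_Name="Steve", Primary_Domain="STEVE-XP",
        Client_User_Name="-", Client_Domain="-",
        Accesses="DELETE\n SYNCHRONIZE\n ReadAttributes"),
    _ev(567, Time="10:29:16 PM", Handle_ID=596, Process_ID=3912, Access_Mask="DELETE"),
    # Read over a share: must not be reported as a deletion.
    _ev(560, Time="10:31:02 PM", Object_Name=r"E:\Docs\NOTES.doc", Handle_ID=612,
        Process_ID=4, Primary_User_Name="SYSTEM", Primary_Domain="NT AUTHORITY",
        Client_User_Name="andy", Client_Domain="CORP",
        Accesses="ReadData (or ListDirectory)\n SYNCHRONIZE"),
    _ev(567, Time="10:31:02 PM", Handle_ID=612, Process_ID=4,
        Access_Mask="ReadData (or ListDirectory)"),
    # Delete over a share: the server service runs as SYSTEM and impersonates
    # the client, so the acting user is the Client User, not the Primary User.
    _ev(560, Time="10:31:40 PM", Object_Name=r"E:\Docs\BUDGET.doc", Handle_ID=640,
        Process_ID=4, Primary_User_Name="SYSTEM", Primary_Domain="NT AUTHORITY",
        Client_User_Name="andy", Client_Domain="CORP", Accesses="DELETE\n SYNCHRONIZE"),
    _ev(567, Time="10:31:40 PM", Handle_ID=640, Process_ID=4, Access_Mask="DELETE"),
    # Opened with DELETE but never used: no 567, so it is not a deletion.
    _ev(560, Time="10:32:15 PM", Object_Name=r"E:\Docs\PLAN.doc", Handle_ID=660,
        Process_ID=3912, Primary_User_Name="Steve", Primary_Domain="STEVE-XP",
        Client_User_Name="-", Client_Domain="-", Accesses="DELETE\n SYNCHRONIZE"),
])

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_events(text):
    """Split exported events and parse 'Name: value' lines into dicts.
    Every value is a list so multi-line fields such as Accesses keep all entries."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        ev, key = {}, None
        for raw in chunk.splitlines():
            line = raw.strip()
            if line.startswith("For more information"):
                break                  # help footer; its URL would parse as a field
            if not line:
                key = None             # a blank line ends a multi-line value
                continue
            m = FIELD.match(line)
            if m:
                key = m.group(1)
                ev[key] = [m.group(2)] if m.group(2) else []
            elif key is not None:
                ev[key].append(line)   # continuation line, e.g. " SYNCHRONIZE"
        events.append(ev)
    return events

def field(ev, name):
    vals = ev.get(name, [])
    return vals[0] if vals else ""

def acting_user(ev):
    """Rule from the guide excerpt: Client User if present, otherwise Primary User."""
    if field(ev, "Client User Name") not in ("", "-"):
        return field(ev, "Client Domain") + "\\" + field(ev, "Client User Name")
    return field(ev, "Primary Domain") + "\\" + field(ev, "Primary User Name")

def find_deletions(events):
    """Pair each 567 that used DELETE with the 560 that opened the same handle.
    Only the 560 carries Object Name and the user fields, so it is what we report."""
    open_handles = {}   # (Handle ID, Process ID) -> most recent 560 for that handle
    deletions = []
    for ev in events:
        eid = field(ev, "Event ID")
        key = (field(ev, "Handle ID"), field(ev, "Process ID"))
        if eid == "560":
            open_handles[key] = ev        # handle numbers are reused after a close
        elif eid == "562":
            open_handles.pop(key, None)   # 562 = handle closed
        elif eid == "567" and "DELETE" in ev.get("Access Mask", []):
            opened = open_handles.get(key)
            if opened is not None and "DELETE" in opened.get("Accesses", []):
                deletions.append({"time": field(opened, "Time"),
                                  "file": field(opened, "Object Name"),
                                  "user": acting_user(opened),
                                  "process": field(opened, "Image File Name"),
                                  "handle": key[0]})
    return deletions

if __name__ == "__main__":
    for d in find_deletions(parse_events(SAMPLE_LOG)):
        print("%(time)s  %(user)s used DELETE on %(file)s (handle %(handle)s)" % d)
```

Run it against a text export of the server's Security log (or Event Comb's
output) after object access auditing is on and the share's folders carry a
SACL for the two delete permissions. A 560 on its own only shows the handle
was opened with delete permission; a rename or move needs that same right, so
a 560/567 match tells you who used delete access on that file, which you then
confirm against what is actually missing from the share.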



"Andy H." <andrew.harlan@xxxxxxxxxxxxxxxx> wrote in message
news:%23LNS0v2UGHA.4248@xxxxxxxxxxxxxxxxxxxxxxx
Hello,

We have a Windows 2003 server with a share setup for users to access and
store documents. In the past few days we noticed word documents
disappearing from various folders within this share. When we restore
these documents from tape to these directories they remain for a couple
minutes and then poof they all disappear. Only .doc files are gone. If
we move these files to another share on the same server they remain.
When we took away delete access from the users group the files remain.
However when those permissions are reinstated the files disappear.
There is no evidence in event logs. Any ideas on how to track these
occurrences?






