ALL files deleted from Windows server 2008 (possible insider sabotage)
We are a small business with one server in the office and 10 workstations. Two weeks ago our internet service was down from Thursday night (or Friday morning) to Monday morning. When the ISP technician finally showed up on Monday, he said it was the modem (he had to replace a part). An on-call IT/computer repair tech said the switch needed to be replaced as well. When we finally had internet access we found out that ALL the files, including a large DB2 database, had been deleted from the server. Apparently someone had accessed the server sometime between Thursday night/Friday morning and Monday and deleted all the files, either from the office or via Remote Desktop.

We have on-site and online backup, but our server admin (the office manager/accountant) said that the external hard drive used for daily backups had also failed and no backup had been done for weeks. So we had to restore some 450 GB from online backup, and it's still going. The IT/computer repair tech is convinced it's a disgruntled employee, but he doesn't know if it's possible to determine who did it; he said he doesn't have the expertise. Our server admin said "everyone" in the office could have logged in and deleted all the files, which I know is not true because she's very strict with user permissions, and auditing was off as well. The ISP said they wouldn't have any information. Our online backup service (incremental backup every night) said it might be possible to determine when all the files were deleted by checking the backup logs and server logs.

Our boss wants to find out who did it, and obviously we need to secure our server as soon as possible, but since the office manager is not very cooperative nothing has been done so far. The server is as vulnerable as ever and there's nothing we can do about it.

My questions: Would it be possible to determine who did what and when? Who should we hire? A network security consultant? We're in San Francisco.
Do we need the server logs (online backups are deleted after 30 days)? Do we need access to the server admin's computers? She has a desktop computer as well as her personal laptop, which she uses at work. We need to secure our server, and our boss could be the new server admin so he could reset the password (right now only the office manager has the password), user access, etc. Do we need a network security consultant for something like that? Any advice would be much appreciated. Thanks!
November 18th, 2012 5:21pm

Hi,

Firstly, please scan your server for viruses and malware. Clean any suspect files after the scan. If that works, then delete any illegal users. Next, make sure you are performing all the required security steps:

1. Change the Administrator password first, and only log on with Administrator rights to perform administrative tasks.
2. Keep your system up to date. Install all the latest updates from Microsoft.
3. Never install or launch additional software just for testing or for fun. If you decide to install anything, get it from a trusted source.

Best Regards,
Aiden Cao
TechNet Community Support
November 20th, 2012 9:57pm
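The question asks whether it is possible to determine who deleted the files and when, and the reply above lists the first hardening steps (find illegal users, change the Administrator password). The PowerShell script below is an added example, not code from the original poster, from Aiden Cao, or from any Microsoft documentation, showing the first-pass triage a consultant would run on a Windows Server 2008 box in this situation: preserve the event logs before anything else rolls them over, check what the audit policy actually records, list the logons that happened in the suspect window (and whether they came in over Remote Desktop), and enumerate local accounts and Administrators members. It assumes local Administrator rights and PowerShell 2.0 on the server; the two dates, the evidence folder `C:\evidence`, and the host-specific log name for Remote Desktop connections are placeholders, not values from the post. It is written for the Windows administrator's own shell and has to be run on the server itself.

```powershell
# Added example (not from the original post or the reply above). Assumptions:
# run as a local Administrator on the Windows Server 2008 host, PowerShell 2.0,
# $Start/$End are placeholders for the Thursday-night-to-Monday window.
$Start    = Get-Date '2012-11-01 18:00'   # placeholder: Thursday evening
$End      = Get-Date '2012-11-05 09:00'   # placeholder: Monday morning
$Evidence = 'C:\evidence'                 # placeholder folder for exported artifacts
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Preserve the logs first. The Security log is capped at 20 MB by default on 2008
#    and overwrites oldest events, so every day of normal use erases evidence.
foreach ($log in 'Security', 'System', 'Application') {
    wevtutil epl $log (Join-Path $Evidence "$log.evtx")
}

# 2. What is actually being audited? "Audit off" for Object Access means there are no
#    4660/4663 file-delete events, but Logon/Logoff success auditing is on by default,
#    so 4624 logon events may still tell you who was on the box and when.
auditpol /get /category:"Logon/Logoff","Object Access" |
    Tee-Object -FilePath (Join-Path $Evidence 'auditpol.txt')

# 3. Logons inside the window: who, from which workstation/IP, and by which method.
#    LogonType 10 = RemoteInteractive (Remote Desktop), 2 = console, 3 = network (file share).
$types = @{ '2' = 'Interactive'; '3' = 'Network'; '5' = 'Service'; '7' = 'Unlock'; '10' = 'RemoteDesktop' }
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $field = { param($name) $data | Where-Object { $_.Name -eq $name } | Select-Object -ExpandProperty '#text' }
        $lt = & $field 'LogonType'
        New-Object PSObject -Property @{
            Time = $_.TimeCreated
            User = "$(& $field 'TargetDomainName')\$(& $field 'TargetUserName')"
            Type = if ($types[$lt]) { $types[$lt] } else { $lt }
            From = "$(& $field 'WorkstationName') $(& $field 'IpAddress')"
        }
    } |
    Where-Object { $_.Type -ne 'Service' } |   # drop SYSTEM/service noise, keep human logons
    Sort-Object Time
$logons | Export-Csv -Path (Join-Path $Evidence 'logons.csv') -NoTypeInformation
$logons | Format-Table Time, User, Type, From -AutoSize

# 4. Remote Desktop keeps its own connection log on some 2008 builds (event 1149 records the
#    source IP even when Security auditing is thin). The log name is an assumption; if it is
#    absent on this host the command is simply skipped.
$rdpLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $rdpLog; Id = 1149; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Export-Csv -Path (Join-Path $Evidence 'rdp-connections.csv') -NoTypeInformation

# 5. Accounts on the server and who holds Administrators. Anything the office manager cannot
#    explain here is what the reply above calls an "illegal user" and is the first thing to
#    disable after the evidence is saved, followed by the Administrator password change.
Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
    Select-Object Name, Disabled, PasswordRequired, SID |
    Tee-Object -FilePath (Join-Path $Evidence 'accounts.txt') |
    Format-Table -AutoSize
net localgroup Administrators | Tee-Object -FilePath (Join-Path $Evidence 'administrators.txt')
```

Two caveats a practitioner would add. First, the logon events only show who authenticated to the server; without Object Access auditing there is no record on the server of which account performed the deletions, so the timeline from the online backup service (the last nightly snapshot that still contained the files versus the first that did not) is what narrows the window, and the exported `logons.csv` is then matched against it. Second, run this before anyone resets passwords or creates the new admin account the poster describes, because those actions write fresh Security events and can push the old ones out of a log that is already near its size cap; the `wevtutil epl` exports in step 1 are the copies to hand to whoever is hired.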

