Windows Server 2008 R2: How to log security events like file/folder creation and deletion on shared (network) folders?
A few files have disappeared on our shared folders. Is there any way to figure out who deleted something, and when? The server hosting these folders is running Server 2008 R2 (x64).
I'd like to implement some kind of auditing that warns me (or at least logs the event -- username, timestamp, file/folder name) when people delete files or folders on those shared directories.
I know something like this must have been implemented in the OS, I'm just not sure if it's something I have to turn on -- or, if it's already running, where to check for those logs. Thanks in advance.
-DS
March 7th, 2011 1:29pm
Please see this
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
http://www.virmansec.com/blogs/skhairuddin
March 7th, 2011 2:08pm
Have a look at this article named "How to audit and track file deletions".
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Microsoft Student Partner
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
March 7th, 2011 2:27pm
Thank you both!
Sorry I could only mark one post as "answer."
-DS
March 7th, 2011 3:25pm
Please see this
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
http://www.virmansec.com/blogs/skhairuddin
Hey y'all, same issue, followed the directions in the article as well as poked at a few others. The auditing is working, I can find an event in the Security log when a file is deleted, but the problem I'm running into is it doesn't give any information as to WHICH file was deleted.
I found this article, which is obviously based on 2003 or before, and the information from the log sample at the bottom would be perfect, but I'm not finding that event id in the logs on a 2008 R2 box and there's just a message that a file has been deleted and who did it.
Any ideas on modding the logging?
June 25th, 2012 6:21pm
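The situation in the last post, as an added example that is not part of the thread: on Server 2008 R2 the "object was deleted" event (4660) carries a handle ID but no file name, while the "attempt to access an object" event (4663) logged just before it on the same handle carries the Object Name. The sketch below pairs the two by handle and process ID. It assumes File System auditing and an audit entry for Delete on the folder are already in place; the function names `Get-Field` and `Resolve-Deletion` are hypothetical and the sample events are constructed.

```powershell
# Added example, not code from the thread. Pairs event 4660 (no object name)
# with the earlier 4663 DELETE access on the same handle (has ObjectName).
function Get-Field($Evt, [string]$Name) {
    ($Evt.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Resolve-Deletion {
    param([xml[]]$Records)        # chronological order, oldest first
    $pending = @{}                # "HandleId|ProcessId" -> ObjectName seen in 4663
    foreach ($e in $Records) {
        $key = (Get-Field $e 'HandleId') + '|' + (Get-Field $e 'ProcessId')
        switch ([int]$e.Event.System.EventID) {
            4663 {   # access attempt; 0x10000 is the DELETE right in AccessMask
                $mask = [Convert]::ToInt32((Get-Field $e 'AccessMask'), 16)
                if ($mask -band 0x10000) { $pending[$key] = Get-Field $e 'ObjectName' }
            }
            4660 {   # object deleted; carries the handle but not the name
                if ($pending.ContainsKey($key)) {
                    New-Object PSObject -Property @{
                        Time = $e.Event.System.TimeCreated.SystemTime
                        User = (Get-Field $e 'SubjectDomainName') + '\' + (Get-Field $e 'SubjectUserName')
                        File = $pending[$key]
                    }
                    $pending.Remove($key)   # handle values get reused after close
                }
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used; all values are made up.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = @(
@"
<Event xmlns='$ns'><System><EventID>4663</EventID>
<TimeCreated SystemTime='2012-06-25T18:20:59Z'/></System><EventData>
<Data Name='ObjectName'>D:\Shares\Finance\budget.xlsx</Data>
<Data Name='HandleId'>0x5a4</Data><Data Name='ProcessId'>0x4</Data>
<Data Name='AccessMask'>0x10000</Data></EventData></Event>
"@,
@"
<Event xmlns='$ns'><System><EventID>4660</EventID>
<TimeCreated SystemTime='2012-06-25T18:21:00Z'/></System><EventData>
<Data Name='SubjectUserName'>jdoe</Data><Data Name='SubjectDomainName'>CORP</Data>
<Data Name='HandleId'>0x5a4</Data><Data Name='ProcessId'>0x4</Data></EventData></Event>
"@)
Resolve-Deletion $sample | Format-List Time, User, File
# Live log, oldest first: pipe each record's .ToXml() output from
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4660,4663} -Oldest
```

A 4663 with DELETE access that is never followed by a 4660 on the same handle means the delete was requested but not completed, so only paired events are reported.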