File Server Audit/log?

We are running a file server with Server 2003. Nothing special, just hosts all the shares. I was wondering what I need to do to enable an audit of the server. Specificly to check what user deleted half the Marketing files, or accidentally dragged them into the schedules folder; I believe this makes the point. I know this can be done by changing a Security Policy on the server, but I dont know which policy nor how to view the audit once enabled. Obviously Im completely dark on this. Anyone know what Im trying to get at?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

SouthSeaPirate

Thanks for the link. I believe this one is very clse to what Im looking for: "Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files." It does say success, falls short at read/write. Im thinking I would need something along the same lines but with Modify and Delete. Maybe Im wrong?

SouthSeaPirate

So same concept. Hopefully 2003 is close enough for this document to help. We shall see tomorrow. Thanks +rep!

SouthSeaPirate

Unfortunately this doesnt help. I need to see what is deleted, by whom...

SouthSeaPirate

Anyone? Still at a loss here.

Churritos

You'll probably need a third-party tool if you want to seriously audit changes to your file server-- the native logs don't offer any filtering of reporting capabilities. We had someone delete a ton of financial documents last year so we looked at NetWrix File Server Change Reporter and Quest ChangeAuditor for File Servers. Both are good tools and will send automated reports that will tell you who is deleting your files.