General discussion

Prankster in Office

By conways
Hope someone can help! For the last 2 years, we have had someone deliberately moving/deleting files on the shared network. We run on Windows 2000, and have tried to catch the culprit using the built-in audit facility. It was useless; it shows who creates and deletes, but not moves. Is there any software that can be loaded into our domain to list exactly who did what when? And what are the privacy implications? - staff have been told there's an audit running already.
Thanks in Advance.


All Comments

Well the obvious has been tried

by HAL 9000 Moderator In reply to Prankster in Office

So I would say you are looking for someone with a certain amount of knowledge or a glitch in the system.

What you have to remember is that computer systems used by Governments are not chosen for the best workings/equipment but generally chosen on price by some bureaucrat who doesn't understand that what they approve may not be the right equipment/software combination for the required job.

Without knowing a lot more about the hardware/software combinations involved I would not like to even hazard a guess as to what is going on. But if really pushed I would tend to look toward the automated backup system in place.

On the privacy front however there is not an issue as any work that is performed on an employer's computer system is their property and they have every right to look at everything. It was not all that long ago that Government workers were terminated for having unsatisfactory data on their workstations or sending inappropriate e-mails to others.

If there was a believed privacy right implied it would then be possible to leak sensitive Government data to outside sources and the culprit could not be caught as the Superiors would not have the right to even look to see what was being done with their computer systems. Or for that matter if an individual was actually doing their work. With the files being moved around it is in your best interests to not worry about this as you are protected if anything happens as you can always claim that whatever got moved somehow and you were not responsible. However if you are the Sys Admin it is a different story but again you can only administer the hardware/software you are given and can not be expected to write code for any flaws in the supplied system.

Col

Auditing Files and Folders

by BFilmFan In reply to Prankster in Office

You can indeed audit who is moving those folders with Windows 2000 audit capabilities. You would want to audit Audit Privilege Use for success, failure and Audit Object Access for success, failure.

Since you wouldn't want a monstrous number of events, I would recommend monitoring the particular files that are being moved to different locations.

Details are available here:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx

You could use a role based access control model to prevent this from happening.

Windows Security Website has a lot of good tips on accomplishing this:
http://www.windowsecurity.com/
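
An added example, not part of the original post: once object-access auditing is recording creates and deletes on the watched folders, a move can be inferred by pairing a delete with a create of the same file name in another folder by the same account a few seconds apart. It assumes a move appears in the audit trail as that pair and that the events were exported to CSV; the column names, accounts, paths and the 5-second window are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample: object-access audit records exported to CSV.
# The column names, accounts and paths are assumptions for this example.
SAMPLE_EXPORT = r"""time,account,action,path
2005-03-01 09:14:02,OFFICE\jsmith,DELETE,S:\Finance\budget.xls
2005-03-01 09:14:03,OFFICE\jsmith,CREATE,S:\Archive\Old\budget.xls
2005-03-01 09:20:41,OFFICE\akhan,CREATE,S:\Finance\notes.doc
2005-03-01 10:02:10,OFFICE\mlee,DELETE,S:\HR\rota.doc
2005-03-01 10:45:00,OFFICE\akhan,CREATE,S:\Temp\rota.doc
"""


def load_events(text):
    """Parse the CSV export into dicts with a real datetime in 'time'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events


def same_move(d, c, window):
    """True if create `c` looks like the other half of delete `d`."""
    return (c["account"].lower() == d["account"].lower()
            and basename(c["path"]).lower() == basename(d["path"]).lower()
            and dirname(c["path"]).lower() != dirname(d["path"]).lower()
            and abs(c["time"] - d["time"]) <= window)


def find_probable_moves(events, window=timedelta(seconds=5)):
    """Return (moves, unmatched_deletes) from a list of audit events."""
    creates = [e for e in events if e["action"] == "CREATE"]
    moves, unmatched = [], []
    for d in (e for e in events if e["action"] == "DELETE"):
        match = next((c for c in creates if same_move(d, c, window)), None)
        if match is None:
            unmatched.append(d)  # a plain delete, or a move outside the share
        else:
            creates.remove(match)  # each create pairs with one delete only
            moves.append({"account": d["account"], "time": d["time"],
                          "from": d["path"], "to": match["path"]})
    return moves, unmatched


if __name__ == "__main__":
    for m in find_probable_moves(load_events(SAMPLE_EXPORT))[0]:
        print(m["time"], m["account"], m["from"], "->", m["to"])
```

Deletes left in the unmatched list are the ones to review by hand, since the file either went somewhere that is not audited or was removed outright.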

One more step

by gralfus In reply to Auditing Files and Folder ...

This may not be necessary, but once the account is discovered, you need to verify who was actually using the account. If someone leaves their password on a sticky-note, it is little problem to use that account to do one's pranks or other dirty work.

May be innocent

by Choppit In reply to Prankster in Office

The cause may not be deliberate at all. I have a user who regularly complains that his files have been (re)moved. This happens because the user cannot co-ordinate his hand to control his mousepad properly (I've seen it happen). He therefore inadvertently drags, drops, deletes and renames files. In the past I've seen his home folder grow dramatically overnight because he's managed to create multiple copies of a 1.5GB .pst file.

All users are equal but different

by Gunnar Klevedal In reply to May be innocent

My advice: Instead of double-clicking, try right-clicking and find something good in PopUpMenu.

Instead of dragging try Right-click, copy/cut and then Right-click, paste.

Tribute goes to John Socha, FAT16 hero

How many users?

by ruairi In reply to Prankster in Office

If you don't have a huge number of users, or better you can narrow the culprit down to a couple of users, thought about a Keylogger?

Shared data... User permissions

by Gunnar Klevedal In reply to Prankster in Office

If you have a disk or partition with shared data, and each end user has a private partition with his own files, there shouldn't be a problem. And if the shared partition has separate folders with different write permissions for groups of users / departments, there would be no problem. There would be no incentive and no desire to move files around. Prankster or no prankster.

Gunnar Klevedal
