How to set log files on Windows Server 2003?


RayFoxxe
We have a computer server in our company that's running Windows Server 2003, and lately it has been detecting a lot of infections in the system itself. They weren't infections that came from the internet or the network, since we're pretty confident of our anti-virus program (Symantec Antivirus). But we suspect that one of our IT team members is the one responsible for this infection. We suspect he's plugging in an infected removable drive/USB device and disabling the anti-virus system so that he can download/upload his files on our system (we suspect him of doing some unprofessional things, but since he's in IT too, he knows how to remove history logs). We're wondering if there's a way to trace recent computer activity on our server, besides using the Event Viewer from the Windows Computer Management Console. Any suggestions?

Clarifications

robo_dev

So you think he's plugging USB directly into the server itself? (idiot)

You need to implement a process to forward the event and security logs to another server.

Turn on the audit-log features you need
http://support.microsoft.com/kb/814595

Also, I would set things like USB to be disabled, so that it would leave an audit log entry when he started the plug and play and USB services.

http://nsi.arcert.gov.ar/webs/textos/ntaudit.pdf

http://technet.microsoft.com/en-us/library/ee176696.aspx

  • RayFoxxe

    We can't do that; we need it left on because we also use USBs to transfer data and files when we're editing the server system. We already tried audit logging, but we need much more accurate data besides knowing when the USB is plugged in and what files were taken or programs accessed. We need to know which USB device it is, like the name of the USB as it appears on the computer.
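As an added example (not part of the original thread): on Windows XP and Server 2003, device installs are logged in %windir%\setupapi.log, including the vendor, product and instance ID of each USB storage device. The Python below parses a copy of that file; the sample log lines and the function name are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.log layout of Windows XP / Server 2003.
# Vendor names, product names and instance IDs below are made up.
SAMPLE_LOG = r'''
[2010/03/02 18:41:07 812.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskexample_flashdrive______1.00,usbstor\disk
#I121 Device install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASHDRIVE&REV_1.00\0A1B2C3D4E5F&0" finished successfully.
[2010/03/02 18:55:40 812.7 Driver Install]
#I121 Device install of "USB\VID_0000&PID_0000\5&1A2B3C&0&2" finished successfully.
[2010/03/09 22:13:55 812.9 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_SAMPLE&PROD_STICK&REV_2.10\6&2F00AA11&0" finished successfully.
'''

HEADER = re.compile(r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ (.+)\]$')
INSTALL = re.compile(r'Device install of "USBSTOR\\([^\\"]+)\\([^"]+)" finished successfully', re.I)

def usb_storage_installs(text):
    """Return one record per USB mass-storage device install found in the log."""
    records, stamp = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:  # section header carries the timestamp for the lines that follow
            stamp = datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S')
            continue
        m = INSTALL.search(line)
        if not (m and stamp):
            continue
        # Device class string looks like DISK&VEN_x&PROD_y&REV_z
        fields = dict(p.split('_', 1) for p in m.group(1).split('&') if '_' in p)
        instance = m.group(2)
        records.append({
            'first_installed': stamp,
            'vendor': fields.get('VEN', ''),
            'product': fields.get('PROD', ''),
            'revision': fields.get('REV', ''),
            'instance_id': instance,
            # An '&' as second character means Windows generated the ID because
            # the device reported no unique serial number of its own.
            'has_device_serial': not (len(instance) > 1 and instance[1] == '&'),
        })
    return records

if __name__ == '__main__':
    for r in usb_storage_installs(SAMPLE_LOG):
        print(r['first_installed'], r['vendor'], r['product'], r['instance_id'])
```

The log records the installation of a device, not each later plug-in, so treat the timestamp as a first-seen time and keep a copy of the file off the server so it cannot be edited locally.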
