TechRepublic|Forums|Security

Security

General discussion

  • Creator
    Topic
  • November 30, 2004 at 8:39 am #2288401

    Prankster in Office

    Locked

    by conways · about 19 years, 4 months ago

    Hope someone can help! For the last 2 years, we have had someone deliberately moving/deleting files on the shared network. We run on Windows 2000, and have tried to catch the culprit using the built-in audit facility. It was useless; it shows who creates and deletes, but not moves. Is there any software that can be loaded into our domain to list exactly who did what when? And what are the privacy implications? – staff have been told there’s an audit running already.
    Thanks in Advance.

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Comments

  • Author
    Replies
    • November 30, 2004 at 8:53 am #3314594
      Avatar photo

      Well the obvious has been tried

      by hal 9000 · about 19 years, 4 months ago

      In reply to Prankster in Office

      So I would say you are looking for someone with a certain amount of knowledge or a glitch in the system.

      What you have to remember is that computer systems used by Governments are not chosen for the best workings/equipment but generally chosen on price by some bureaucrat who doesn’t understand that what they approve may not be the right equipment/software combination for the required job.

      Without knowing a lot more about the hardware/software combinations involved I would not like to even hazard a guess as to what is going on. But if really pushed I would tend to look toward the automated backup system in place.

      On the privacy front however there is not an issue as any work that is performed on an employers computer system is their property and they have every right to look at everything. It was not all that long ago that Government workers where terminated for having unsatisfactory data on their workstations or sending inappropriate e-mails to others.

      If there was a believed privacy right implied it would then be possible to leak sensitive Government data to outside sources and the culprit could not be caught as the Superiors would not have the right to even look to see what was being done with their computer systems. Or for that matter if an individual was actually doing their work. With the files being moved around it is in your best interests to not worry about this as you are protected if anything happens as you can always claim that whatever got moved somehow and you where not responsible. However if you are the Sys Admin it is a different story but again you can only administer the hardware/software you are given and can not be expected to write code for any flaws in the supplied system.

      Col

    • November 30, 2004 at 11:43 am #3314536

      Auditing Files and Folders

      by bfilmfan · about 19 years, 4 months ago

      In reply to Prankster in Office

      You can indeed audit who is moving those folders with Windows 2000 audit capabilities. You would want to audit Audit Privilege Use for success, failure and Audit Object Access for success, failure.

      Since you wouldn’t want a monstrous number of events, I would recommend monitoring the particular files that are being moved to different locations.

      Details are available here:
      http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.mspx

      You could use a role based access control model to prevent this from happening.

      Windows Security Website has a lot of good tips on accomplishing this:
      http://www.windowsecurity.com/

      • November 30, 2004 at 12:27 pm #3314515

        One more step

        by gralfus · about 19 years, 4 months ago

        In reply to Auditing Files and Folders

        This may not be necessary, but once the account is discovered, you need to verify who was actually using the account. If someone leaves their password on a sticky-note, it is little problem to use that account to do one’s pranks or other dirty work.

    • February 13, 2005 at 2:43 am #3337965

      May be innocent

      by choppit · about 19 years, 2 months ago

      In reply to Prankster in Office

      The cause may not be deliberate at all. I have a user who regularly complains that his files have been (re)moved. This happens because the user cannot co-ordinate his hand to control his mousepad properly (I’ve seen it happen). He therefore inadvertantly drags, drops, deletes and renames files. In the past I’ve seen seen his home folder grow dramatically overnight because hes managed to create multiple copies of a 1.5GB .pst file.

      • March 17, 2005 at 5:59 am #3352271

        All users are equal but different

        by gunnar klevedal · about 19 years, 1 month ago

        In reply to May be innocent

        My advice: Instead of double-clicking, try right-clicking and find something good in PopUpMenu.

        Instead of dragging try Right-click, copy/cut and then Right-clck, paste.

        Tribute goes to John Socha, FAT16 hero

    • March 17, 2005 at 12:48 am #3352346

      How many users?

      by ruairi · about 19 years, 1 month ago

      In reply to Prankster in Office

      If you dont have a huge number of users, or better you can narrow the culprit down to a couple of users, thought about a Keylogger?

    • March 17, 2005 at 5:48 am #3352284

      Shared data… User permissions

      by gunnar klevedal · about 19 years, 1 month ago

      In reply to Prankster in Office

      If you have a disk or partition with shared data, and each end user has a private partition with his own files, there shouldn’t be a problem. And if the shared partition has separate folders with different write permissions for groups of users / departments, there would be no problem. There would be no incentive and no desire to move files around. Prankster or no prankster.

      Gunnar Klevedal

  • Author
    Replies
Viewing 4 reply threads