
How to tell if someone is accessing files


mquinn0908 (Technical User), Jul 3, 2002
I have a departmental directory with about 15 people that have access to it. This directory holds active case files for our Sheriff's dept that all the investigators have access to. One of the users is concerned that another user accessed some case files and divulged information that they shouldn't have. Since all the users in this group have access to this directory is there any way to find out exactly who opened the files? Thank you.

Mandy
MCP/A+/Network+
 
Hi Mandy,

I don't know of any method to verify this in retrospect.
You might however be interested in the FILE_NOTIFY_CHANGE_LAST_ACCESS notification.
Here's some C++ code using this and other notifications for spying on a file system:

There are also VB equivalents, for example here:

You could use that notification as a trigger to write the accessing IP address / computer name to a log file. As this obviously happens in a domain network, you should also be able to log the account name of the person currently logged in.

Hope this helps.

Cheers,
MiS

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell
 
Hi,

If you switch on full logging under the Group Policy (gpedit.msc) and look under Security Settings you can log file access.

I know this won't help you now, but may save you some hurt in the future.

Computer repairs in London rebootthat.com
 
What I ended up doing was I went into the local policy - audit policy and enabled audit object access (success and failure) and then enabled the auditing on the directory in question. This does not help me in the issue of trying to figure out who accessed this particular file in question (because the policy was not enabled at the time) but it will help in the future if this were to come up. I can now go into the event viewer security log and it shows me anytime a file is accessed in that directory. Thanks for all of the suggestions!

Mandy
MCP/A+/Network+
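The steps Mandy describes (turn on "Audit object access", put an audit entry on the directory, then read the Security log) can be scripted so they are repeatable and so the resulting events can be filtered to the case-file directory instead of read one by one in Event Viewer. The script below is an added example and not code from anyone in this thread. It assumes a current Windows file server (Vista/2008 or later, where the file-access event is ID 4663; on the Windows 2000/2003 systems of the original thread the equivalent events were 560/567), an elevated PowerShell session on that server, and a placeholder directory path `D:\Cases` standing in for the departmental share.

```powershell
# Added example: enable object-access auditing on a directory and list who
# touched what. Run elevated on the file server itself; the SACL and the
# Security log live there, not on the users' workstations.
$CaseDir = 'D:\Cases'   # placeholder for the departmental case-file directory

# 1. Turn on the "Object Access" audit category for success and failure.
#    This is the command-line equivalent of Local Policy > Audit Policy.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 2. Add a system audit entry (SACL) on the directory. Everyone is audited,
#    the entry inherits to subfolders and files, and reads, writes and
#    deletes are recorded for both successful and failed attempts.
$acl  = Get-Acl -Path $CaseDir -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $CaseDir -AclObject $acl

# 3. Read the results. Event 4663 ("An attempt was made to access an object")
#    carries the account, the object path, the access type and the process.
#    The Properties indices below follow the 4663 event-data layout:
#    1 = SubjectUserName, 2 = SubjectDomainName, 6 = ObjectName,
#    8 = AccessList, 11 = ProcessName.
function Get-CaseFileAccess {
    param([string]$Path = $CaseDir, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents |
        Where-Object { $_.Properties[6].Value -like "$Path*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($_.Properties[2].Value)\$($_.Properties[1].Value)"
                Object  = $_.Properties[6].Value
                Access  = $_.Properties[8].Value
                Process = $_.Properties[11].Value
            }
        }
}

Get-CaseFileAccess | Format-Table -AutoSize
```

Two things worth knowing when reading the output: a user opening a file over the share shows up in the file server's log under their domain account, so the "who" question is answered there; but 4663 does not contain the client's IP address. If you need the machine as well, take the Logon ID from the 4663 event (Properties index 3) and match it to the 4624 network logon (type 3) with the same Logon ID, which does record the source address.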
 
Yea, I'd say object success/failure too, that's the best way...
 
Don't forget to increase your log size. With all the object accesses logging you will overwrite the log quickly and have very little history.

RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
Okay, I have enabled the logging and I have been watching it for a few days to see what we get. I have increased my log size to 1GB but it gets to 328MB and starts overwriting events so I am only keeping about 2-3 days of events. Is there anywhere else I need to set the size of the log file? Thank you.

Mandy
MCP/A+/Network+
 
Maybe think of using a backup utility to backup and clear your logs.
Either with GPO adm template 'petri', vbscript or pstools [PsLogList]
or
Netwrix event log manager or Event log explorer which has a backup feature, both free

MCITP:EA/SA, MCSE, MCSA, MCDBA, MCTS, MCP+I, MCP
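Both the question about the log filling at 328MB despite a 1GB setting and the suggestion to back up and clear the log can be handled from the command line on the file server. The script below is an added example, not code from any poster or from the tools named above (PsLogList, Netwrix, Event Log Explorer). It assumes a current Windows server with `wevtutil` and an elevated PowerShell session, and uses a placeholder archive folder `D:\AuditArchive`. One common reason a locally set size does not stick is that a Group Policy Event Log setting (Security Settings > Event Log) overrides it, so the first step is to read the effective values rather than the ones typed into the dialog.

```powershell
# Added example: check the effective Security log settings, raise the size,
# switch from overwriting to archiving, and export-and-clear on a schedule.
$BackupDir = 'D:\AuditArchive'   # placeholder for the archive location

# Show the settings the log is actually running with: maxSize, retention,
# autoBackup. If maxSize is not what was set locally, look for a Group
# Policy Event Log setting overriding it (gpresult /h report.html).
wevtutil gl Security

# Raise the limit to 1 GB (value is in bytes) and stop overwriting:
#   /rt:true  retention on (do not overwrite old events)
#   /ab:true  archive the log automatically when it fills
# With retention on but no auto-backup, logging stops when the log is full,
# so set both together.
wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# Export a timestamped copy and clear the live log. Scheduled daily, this
# keeps history in .evtx files instead of losing it to overwrite.
function Backup-SecurityLog {
    param([string]$Destination = $BackupDir)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $Destination "Security-$stamp.evtx"
    # /bu: writes the backup before the clear; the clear fails if the backup fails.
    wevtutil cl Security "/bu:$backup"
    return $backup
}

$archived = Backup-SecurityLog

# Archived copies are queried the same way as the live log, so the file-access
# events (4663) from last week are still searchable after the clear.
Get-WinEvent -Path $archived -FilterXPath "*[System[EventID=4663]]" -MaxEvents 20 |
    Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.Properties[1].Value } },
                  @{ n = 'Object'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

The `Backup-SecurityLog` function is the piece to put in a scheduled task; the `wevtutil sl` line only needs to run once, and its effect can be confirmed by running `wevtutil gl Security` again and comparing `maxSize` with the value set.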
 