# Monitoring File Permission Changes on Server 2003



## MasterNe0 (Jun 24, 2003)

Hi, 

We have a server 2003 that is also a file-server with several shares. Recently, file permission has been changed causing some folders to be hidden by unknown origin.

Is their a way for me to figure out how to tell who or what changed the file permissions on these certain shared folders? I have looked online and I know their are paid software that can see this but was wondering if their a faster and cheaper route.


----------



## AtlasG (Oct 13, 2012)

How many people do you give admin rights to the box? That would be the problem. You can't find out what admin user did what and when.


----------



## MasterNe0 (Jun 24, 2003)

No one has admin on the box itself. I think the problem is from either a virus or someone that accidently overridden the permissions by accident.

The folder permission has been given everyone full rights to edit and add/delete files from this folder as it a company shared directory. Their over 40+ people using these files so i am trying to find the best way to monitor permission changes to see who might be doing it.

I know about the security audits but it a pain trying to looking through thousands of event logs for one out of place one.

I just want to know who might have created or modify a folder permission if possible.


----------



## AtlasG (Oct 13, 2012)

Who's responsible for this server? You really need a trained, experience server admin. You don't let everyone in the company have rights to delete files and make permissions changes to everyone else's folder. Wow. I'm surprised you haven't had major problems before. You don't need monitoring. You need good administration.

You can't go back in time and find out which one of the 40+ people messed with your server or if it was some kind of random permission-changing virus (unlikely).


----------



## MasterNe0 (Jun 24, 2003)

I am asking for a way to monitor the file structure, not your opinion on how it been setup or the system administrators doing this as it been like this for most companies I work for and their hasn't been a big problem.

It a system-wide issue in terms of everyone messing with other people files. It a specific folder and the subfolders (not the files itself within these folders as they remain untouch).

Windows should have a way to monitor these kinds of activities of folder creation and deletion. We can recover files that are delete but I am just trying to narrow down what might have cause these files to have the hidden attribute hidden.

I know about security audits - I was wondering if their is a way to take these audit files and put them in a way to go through them with ease.


----------



## AtlasG (Oct 13, 2012)

So instead of actually fixing the problem so people can't mess with the permissions, you want to know who is making what changes so you can go yell at them. That makes sense. NOT.


----------



## peonowns (Apr 16, 2012)

I agree with what Atlas g has said but also agree most small private companies are set up the way MasterNeo explains (to there detriment usually).

Anway bak on topic,

You have knowledge of secuirty audits so i would suggest forgetting these past errors as you will have to pay £100's for something like auditplus or the like ( i have not used them before so can't reccomend any)

Why not make your own audits on the most likely, so next time you will capture the info and can take easier action.
*Configure Auditing for Specific Active Directory Objects*

After you configure an audit policy setting, you can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access that you want to audit. To configure auditing for specific Active Directory objects:
Click *Start*, point to *Programs*, point to *Administrative Tools*, and then click* Active Directory Users and Computers*.
Make sure that *Advanced Features* is selected on the *View* menu by making sure that the command has a check mark next to it.
Right-click the Active Directory object that you want to audit, and then click *Properties*.
Click the *Security* tab, and then click *Advanced*.
Click the *Auditing* tab, and then click *Add*.
Complete one of the following:
Type the name of either the user or the group whose access you want to audit in the *Enter the object name to select* box, and then click *OK*.
In the list of names, double-click either the user or the group whose access you want to audit.

Click to select either the *Successful* check box or the *Failed* check box for the actions that you want to audit, and then click *OK*.
Click *OK*, and then click *OK*.
 pEoN


----------



## MasterNe0 (Jun 24, 2003)

peonowns - I know Atlas has a point but yes, most of the companies we work for are setup the same way but with certain areas where they are not allowed access to such as financial data. 

I am not agreeing or disagreeing with his views and no, I am not going to go yell at people or at whoever doing the permissions changes, I am wanting to see who or what might be doing it so I can make recommendations on changes or ways to prevent it later on. If it a virus, then I can work on that single machine rather then on 40 different machines.

Also I enabled the audit policy under the default domain controller policy and also enabled it for the shared folder that getting affected but the object access category is not showing up on the event viewer logs.


----------



## AtlasG (Oct 13, 2012)

I'm a *she* not a a *he*.

I've never heard of a virus randomly changing file permissions on a server. It would be a wide-spread total server issue. Does that mean aside from letting everyone make whatever changes they want, you're not running enterprise class anti-virus software on all the computers and servers?


----------



## peonowns (Apr 16, 2012)

Windows doesn't immediately begin auditing all access events for all objects because the system would immediately grind to a halt is what a few windows forums are saying how long has it been?.


----------

