- Configure File System Auditing: Navigate to the required file share, right-click it and select “Properties”. Select the “Security” tab → “Advanced” button → “Auditing” tab → click “Add”: Select Principal: “Everyone”; Type: “All”; Applies to: “This folder, subfolders and files”; select the following “Advanced Permissions”: “Delete subfolders and files” and “Delete”.
- Configure Audit Policy: Run gpedit.msc, edit “Default Domain Policy” → Computer Configuration → Policies → Windows Settings → Security Settings → Go to Local Policies → Audit Policy: Audit object access → Define → Success and Failures.
- Configure Advanced Audit Policy: Go to “Advanced Audit Policy Configuration” → Audit Policies → Object Access: Audit File System → Define → Success and Failures; Audit Handle Manipulation → Define → Success and Failures.
- Configure Event Log Size: Go to Event Log → Define: Maximum security log size to 4 GB; Retention method for security log to Overwrite events as needed.
- Check the Security log: Open Event Viewer and search the Security log for event ID 4656 with the “File System” or “Removable Storage” task category and the string “Accesses: DELETE”. “Subject: Security ID” shows you who deleted the file.
- Use case video: http://www.youtube.com/watch?v=sfLzqGk57vk
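The same five steps scripted in PowerShell, as an added example that is not part of the original post. It assumes an elevated session on the file server, a placeholder share path `C:\Shares\Finance`, and sets the two audit subcategories locally with `auditpol.exe` instead of editing the Default Domain Policy (in a domain, keep that in the GPO; the local call is only the equivalent setting). The SACL entry, log size and the 4656 search are the same values the steps above use.

```powershell
# Added example, not from the original post. Run elevated on the file server.
$SharePath = 'C:\Shares\Finance'   # placeholder path, replace with the real share folder

# Step 1: SACL entry - audit "Everyone" (well-known SID S-1-1-0) for Delete and
# "Delete subfolders and files", Success and Failure, inherited by subfolders and files.
function Set-DeleteAuditRule {
    param([string]$Path)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
    $inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop     = [System.Security.AccessControl.PropagationFlags]::None
    $flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $everyone, $rights, $inherit, $prop, $flags)
    $acl = Get-Acl -Path $Path -Audit        # -Audit is needed to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl      # requires SeSecurityPrivilege (elevated admin)
}

# Steps 2-3: local equivalent of "Audit File System" and "Audit Handle Manipulation"
# (Object Access), Success and Failure. In a domain set these in the GPO instead.
function Enable-FileAuditPolicy {
    auditpol.exe /set /subcategory:"File System"         /success:enable /failure:enable | Out-Null
    auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable /failure:enable | Out-Null
}

# Step 4: Security log maximum size 4 GB (in bytes), overwrite events as needed (/rt:false).
function Set-SecurityLogSize {
    wevtutil.exe sl Security /ms:4294967296 /rt:false
}

# Step 5: find 4656 events in the File System / Removable Storage task categories whose
# requested access includes DELETE, and report the Subject that requested it.
function Find-FileDeleteAudit {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{ LogName = 'Security'; Id = 4656; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -in @('File System', 'Removable Storage') } |
        ForEach-Object {
            # Parse the EventData fields from the event XML instead of the localized message text
            $xml = [xml]$_.ToXml()
            $f = @{}
            foreach ($d in $xml.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            # AccessMask bit 0x10000 is DELETE; Event Viewer renders it as "Accesses: DELETE"
            $mask = [Convert]::ToInt64($f['AccessMask'], 16)
            if ($mask -band 0x10000) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    SubjectSid  = $f['SubjectUserSid']                     # "Subject: Security ID"
                    Subject     = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                    ObjectName  = $f['ObjectName']
                    Process     = $f['ProcessName']
                }
            }
        }
}

# Usage: configure once, then query as needed.
if (Test-Path $SharePath) { Set-DeleteAuditRule -Path $SharePath }
Enable-FileAuditPolicy
Set-SecurityLogSize
Find-FileDeleteAudit | Format-Table -AutoSize
```

The search matches on the `AccessMask` field of the event rather than on the rendered “Accesses: DELETE” text, so it works regardless of the display language, and it keeps the `ProcessName` field alongside the Subject, which tells you whether the delete came from Explorer, a script host or a service account.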
Originally published at The Scotto Grotto. You can comment here or there.