Windows Server Files Auditing - Tracking File Tampering/ Data Loss prevention

[karthikaravind]

We anticipate threats like files being deleted from servers by disgruntled employees.

1. Can someone suggest what preventive measures that can be implemented ? (DLP implementation is in pipeline, but would like to see if there are alternate measures)

2. If somehow files are deleted, we would like to know who has done this. We already have Log monitoring in place on those servers, but would like to know what logs or specific audit events that have to be turned on so that the logs generated are effective when an incident occurs ?

We have Server 2008 and Server 2012 in our environment

 

[Neemobeer]

First an foremost have a good backup schedule in place will save you from this.
You could also enable VSS for quick rollbacks.
Separation of duty
Mandatory vacation (if you suspect something strange is going on)

The GPO you would want to enable is Audit object access – Success under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policy. That will audit file changes, deletions etc.

 

[BIGBEARJEDI]

Additionaly physical security may also be helpful. When we had separated employees for cause or no, we immediately disabled their electronic keycard badges to restrict them from physical access to the Corporate HQ building where the data center was housed whether or not they worked in the HQ building or were in a satellite office such as a sales office in another state or country. This is similar to the "separation of duty" that neemo mentioned. On most data centers they have keypad locks or biometric entry measures (for secure or classified facilities) such as fingerprint, palm-print, or retinal-scan. Modern facilities require keypad code changes to the data center door locks if any employee was ever given physical access to that data center--even if it was only 1 time.

You'd also want to work with your Security, Facilities, or IT management to review camera surveillance footage in the data center, secure or otherwise, for a period of 1 day to 6 months or so. This takes some resources, so if you or any of your management suspect a recently separate employee you may have to assign or outsource additional resources to physically review security camera footage on a daily or weekly basis to see if that suspected employee ever gained access to the data center or the building it was in. For example, if the camera footage showed the employee came back 3 weeks after separation and was in the building where the data center was, unescorted or not, he/she might not have had authorization to even be there. Finding if that person was in that building post-separation could be a red-flag early warning that they were attempting to breach the data center security.

If you have a decent in-house security staff, or an outside agency, they should have entry/access logs on sign-in clipboards even if the employee or visitor comes in after hours say, after M-F 6AM-6PM, or at any time on the weekends when staff is light and skeleton crew is working. We had multiple employees who worked in the daytime, who we found were accessing our building after hours 12AM-5AM and were walking out of our building with stolen laptops. It took us weeks to find and identify the perpetrators. It turned out that they weren't even separated from the company; they were employees in good standing who took advantage of holes in our security grid.

Best of luck,
<<<BIGBEARJEDI>>>

 

[karthikaravind]

Hello,

Thanks for both the replies. the servers are located in a physically secure location. so physical security is taken care of. Moreover, employees do not have physically access to the server.

We do have backups as well taken on a weekly basis and incremental on daily basis.
We are looking at audit policies that have to be enabled so that if some one tampers with a file, then we need to be aware of.

so, I guess enabling Audit object access should be the solution.

Another related question, Apart from enabling this GPO setting, should something be enabled at the folder/file level ? I am referring to the Auditing tab in Folder -> Right Click -> properties ->Security -> Advanced -> Auditing ?