12 May, 2012

The Story of DFSR Data Deletion - "Who"


In my previous post, The Story of DFSR Data Deletion - "Where" (http://www.adshotgyan.com/2012/05/story-of-dfsr-data-deletion-where.html), I discussed how we can determine on which server our data got deleted. The 2nd part of this series consists of finding WHO deleted our data

The way to find who deleted the data is by getting an Event ID in the Security logs which gives us the name of the file/folder which got deleted and the name of the user who deleted that file/folder

The event is generated only if auditing is enabled. Auditing is enabled on 2 levels:

1. In the Group Policy
2. On the Folder Itself

NOTE:- IF AUDITING IS NOT ENABLED ON ANY ONE OF THE ABOVE LEVELS (GROUP POLICY AND ON THE DATA) AND DATA DELETION HAPPENS, THEN NO EVENTS RELATED TO THE DATA DELETION WILL BE GENERATED. FOR THE EVENTS TO BE GENERATED, AUDITING MUST BE ENABLED BEFORE THE DATA GETS DELETED

In this post, we will explore the way of finding out the name of the user who deleted the data

LAB
1. Windows 2008 R2 Domain Controller : Win2k8R2-DC
2. Windows 2008 R2 Member Server : Win2k8R2-CA

Both the servers are hosting data which is getting replicated using DFSR




The data got deleted from the server "Win2k8R2-DC"



And the deletion is replicated on to the other server "Win2k8R2-CA"



As stated above, we should be getting an event stating that the data has been deleted, which will also list the name of the user who deleted the data along with the timestamp

On the server "Win2k8R2-DC" where the actual deletion happened, there are no events in the Security logs which state that the data has been deleted or who deleted the data



On the other server "Win2k8R2-CA" where the deletion was replicated, there are also no logs which state that the data has been deleted



Let's move backwards..... The data is still not deleted....




We ran RSOP on the Server Win2k8R2-DC and found that Auditing was not enabled on this Server in Group Policy


We also ran RSOP on the server Win2k8R2-CA and found that auditing was not enabled on this server in Group Policy either



The Group Policy "Audit Object Access" is what we want to be Enabled



So let's enable the Group Policy "Audit Object Access" with "Success" and "Failure"

Please note that we are doing this in the local group policy. You can of course do it at any other level (Local/Site/Domain/OU), but in those cases it will get applied to everything under that level and thus will create logs on other servers as well, which in our case is unnecessary

So enable the policy in the local group policy on the servers hosting the data which is getting replicated using DFSR


Same thing on the other server "Win2k8R2-CA"




Now let's delete the data...




Strange... Still no events for data deletion...




Friends... If you can't even read what was written in CAPS then it's not my fault

NOTE:- IF AUDITING IS NOT ENABLED ON ANY ONE OF THE ABOVE LEVELS (GROUP POLICY AND ON THE DATA) AND DATA DELETION HAPPENS, THEN NO EVENTS RELATED TO THE DATA DELETION WILL BE GENERATED. FOR THE EVENTS TO BE GENERATED, AUDITING MUST BE ENABLED BEFORE THE DATA GETS DELETED

So, we now need to enable auditing at the file/folder level as well. I am enabling the auditing on the main folder which is getting replicated (PDFs). Remember, this is not the folder which we will be deleting; it's the folder inside this folder which we will be deleting. You can of course ask me why we are then enabling the auditing on this folder and not on the sub folder which we are going to delete

Ok... So you mean to say that in a real-world situation, the person who will be deleting the data will walk up to you to inform you that he/she will be deleting that specific file/folder so that you can enable the auditing on that file/folder.. :)

In our case, we have only one folder inside this folder. In the real world, we can have thousands of folders inside the main folder. So is the doubt clear?


Security Settings of the Folder...


Auditing Tab...



Add "Everyone"... (Although you can add the specific users/groups whom you want to monitor instead of adding Everyone)




Select All "Success" and "Failure"





Now let's try to delete the sub folder "My Data" which is under the main folder "PDFs" where we have enabled the auditing, and let's see if we are able to get the event in the Event Viewer


Data Deleted....


Still no event which states that the data has been deleted... :(

Whyyyyyyyyyyy? And why is it giving me an event for the main folder "PDFs" and not for the sub folder "My Data"... I haven't deleted the main folder "PDFs". I deleted the sub folder "My Data" which was in the main folder "PDFs"...

Remember where we enabled the auditing.. I mean at which level... It was at the main folder level.. So whatever happens "TO" the main folder will be recorded in the events, and not whatever happens "IN" the main folder... :)


So let's go back to the main folder "PDFs" Security Settings -> Auditing tab


See, there is an option "Replace all existing inheritable permissions on all descendants with inheritable permissions from this object". Select this option

NOTE: MAKE SURE YOU CHOOSE THE AUDITING TAB AND THEN SELECT THIS OPTION. FOR GOD'S SAKE DON'T CLICK ON THE PERMISSIONS TAB AND SELECT THIS OPTION... ELSE BE PREPARED TO WRITE AN APOLOGY...



Now let's delete the data...



And..... Here we go.....

Event ID 4663
An Attempt was made to Access the Object
Account Name: Administrator
Object Name: E:\PDFs\My Data\IPD-SQL Serevr 2008.pptx
Access : DELETE
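The whole procedure above (Object Access auditing, an inheritable audit entry on the replicated folder, then pulling the 4663 DELETE events) can be done from an elevated PowerShell prompt instead of the GUI. This is an added example, not from the original post; the folder path E:\PDFs and the 24-hour window are assumptions, and it does not clear pre-existing explicit audit entries on descendants the way the "Replace all existing..." checkbox does.

```powershell
# Added example (not the original post's steps): run elevated on each DFSR member.
param(
    [string]$Path  = 'E:\PDFs',   # assumption: the replicated folder from the post
    [int]   $Hours = 24           # assumption: how far back to search the Security log
)

# Level 1, policy: the post enables "Audit Object Access" (Success + Failure) in the
# local policy. The "File System" subcategory under Object Access is the one that
# produces Event ID 4663 for files and folders.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Level 2, the folder: an audit entry for Everyone that is inheritable by subfolders
# and files. Without ContainerInherit/ObjectInherit only things done TO the folder
# are recorded, which is exactly the "TO" vs "IN" problem the post ran into.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',   # the post audits all rights; narrowed here
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl   # writing a SACL needs SeSecurityPrivilege

# Detection: 4663 events under $Path whose AccessMask carries DELETE (0x10000).
# The Data fields are read from the event XML, so this works without message templates.
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
             -ErrorAction SilentlyContinue |
  ForEach-Object {
      $x = [xml]$_.ToXml()
      $d = @{}
      foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
      [pscustomobject]@{
          Time    = $_.TimeCreated
          User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
          Object  = $d.ObjectName
          Mask    = $d.AccessMask
          Process = $d.ProcessName
      }
  } |
  Where-Object { $_.Object -like "$Path*" -and (([int64]$_.Mask) -band 0x10000) } |
  Sort-Object Time |
  Format-Table -AutoSize
```

Because DFSR replicates the SACL along with the folder (as the post notes below), the Set-Acl part only needs to run on one member; the auditpol and Get-WinEvent parts run on every server where a deletion could originate.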



Now lets do the same on Win2k8R2-CA Server

Remember that the data was deleted and, for this lab, we have now restored it; that is why we are enabling the auditing again. Otherwise, when you enable auditing on a folder on Server1, the same auditing settings are replicated to the other server for that folder. So you don't have to enable auditing for the same share on 2 different servers.

Auditing and permissions replicate with the share

Setting Auditing on Server Win2k8R2-CA



Deleting the data on the Server Win2k8R2-CA



Getting Event ID 4663 on Server Win2k8R2-CA