|
Home > Archive > IIS Server Security > May 2007 > Malicious user
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
|
|
| maverick 2007-05-18, 7:17 pm |
| Not sure if its the right place..but need help cracking this...Just
inherited a bad place........
Users access a certain share point site and browse a directory for a host of
folders.This afternoon one of the folders was deleted which has loads of
subfolders(as it is a sharepoint server)......now I need to find out who this
kool dude is!...
What I have now: System state backup of the Machine,SQL full backup and the
backup(SQL and System) just after the files have been deleted.
All I have is just Auditing for success and failure but nothing with object
access,didnt think if it would matter even if object acess was enabled...
now...with the given situation...how do I get to this dude???Can someone
enrich my novice knowledge please?
thanks
maverick.
| |
| Ken Schaefer 2007-05-20, 1:21 am |
| Hi,
I don't think that Object Access Auditing will help here, as Sharepoint
stores all it's content inside SQL Server..
I don't know what logging/auditing options Sharepoint has, but you may be
able to determine what Windows users were logged into at the time the delete
occured (via Windows Security Event Log). Otherwise, if Sharepoint uses a
single super-account to connect to SQL Server, you will need to see what
logs Sharepoint maintains to see who/what was doing what. If Sharepoint
conects to SQL Server as the end user, then RedGate has a transaction log
reading tool that you can use to read the transaction logs to see what user
context ran what against SQL Server...
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"maverick" <maverick@discussions.microsoft.com> wrote in message
news:5E0B094E-BCCE-4D93-9366-DC630651D7B5@microsoft.com...
> Not sure if its the right place..but need help cracking this...Just
> inherited a bad place........
>
> Users access a certain share point site and browse a directory for a host
> of
> folders.This afternoon one of the folders was deleted which has loads of
> subfolders(as it is a sharepoint server)......now I need to find out who
> this
> kool dude is!...
>
> What I have now: System state backup of the Machine,SQL full backup and
> the
> backup(SQL and System) just after the files have been deleted.
>
> All I have is just Auditing for success and failure but nothing with
> object
> access,didnt think if it would matter even if object acess was enabled...
>
> now...with the given situation...how do I get to this dude???Can someone
> enrich my novice knowledge please?
>
>
> thanks
> maverick.
| |
| maverick 2007-05-23, 7:20 pm |
| Thanks for the info Ken...I may sure get onto the user context..
cheers
Maverick
"maverick" wrote:
> Not sure if its the right place..but need help cracking this...Just
> inherited a bad place........
>
> Users access a certain share point site and browse a directory for a host of
> folders.This afternoon one of the folders was deleted which has loads of
> subfolders(as it is a sharepoint server)......now I need to find out who this
> kool dude is!...
>
> What I have now: System state backup of the Machine,SQL full backup and the
> backup(SQL and System) just after the files have been deleted.
>
> All I have is just Auditing for success and failure but nothing with object
> access,didnt think if it would matter even if object acess was enabled...
>
> now...with the given situation...how do I get to this dude???Can someone
> enrich my novice knowledge please?
>
>
> thanks
> maverick.
|
|
|
|
|