Shared files deleted from server

March 11, 2009 at 09:00:20
Specs: Win Server 2K3
I work for a law firm and yesterday several sensitive folders and files were deleted from our server, and we've narrowed it down to two possible people. One is our employee, and we restricted her network access to read only just in case, but her involvement would have been just a dumb mistake, not intentional. Unfortunately it seems more likely that our IT contact has been allowing a rather underhanded client remote access to our server. Is there a way to find out for sure who deleted the files and how often our server has been accessed remotely? We don't want to take any action without proof, and since it's possible it could have been user error by a rather dense employee, we can't risk unfounded accusations.

March 11, 2009 at 09:22:06
The "Event Log" should show you when remote connections were established. If you have auditing enabled, then the Event Log may also show details on who deleted the files. However, auditing is not retro-active, so if it was not on at the time, you really can't tell who deleted the files.

If you need to recover the files, you might want to read this article:

It sounds like you have a serious security problem. There is no reason clients should have access to your server, nor is there a reason why a "thick" employee should be able to just go on a deleting spree. You should get in contact with a competent IT firm, and have them analyze and fix your server security.

-Ryan Adams
Free Computer Tips and more:

Paid Tech Support: Black Diamond

March 11, 2009 at 09:34:17
Thanks. We recovered the files from the tape backup of the previous night. We made very clear that the client should have no access to our server, but our IT person also does some work for them. It's a very complicated situation, but it boils down to the fact that we trusted the integrity of the IT person, but there is mounting evidence that we were wrong to do so. The bigger problem I see is that this person seems to have removed my direct login from the server. I was previously the only one in the office with an actual login for the server. I'm still an admin on all the computers (which is how I removed the employee's modification privileges), but I can't access the event log on the server. Now the IT person has had ample time to erase any tracks left. Great.

March 11, 2009 at 09:40:20
You need to call this IT person to the server room and get your administrator access back again. Create another admin account with a password only you know in addition to your account.

Once you have done so you need to physically unplug the device providing remote access and then fire this IT person.

Then hire an IT company to come in and do a security audit while you look for a new IT person.

Document everything because you may wish to file criminal charges against the former IT person.

March 11, 2009 at 11:08:56
Since the IT person only accesses our server remotely, I have the IP address she always logs in through. Is there a way to track when and how often she's logged in through that IP? I know one thing for sure, the IP is in the name of the client.

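An added example, not code posted in this thread, showing the two checks the replies describe once administrator access to the server is back: counting logons that came from one source address, and joining the object-access audit events so that a deletion can be tied to the account that performed it. It assumes PowerShell 2.0 is installed on the Windows Server 2003 box and is run as a local administrator, and that "Audit logon events" and "Audit object access" plus a Delete entry in the shared folder's SACL were already in place before the files went missing (as Ryan notes, auditing is not retroactive). The address in $SuspectIp is a placeholder, not one from the thread.

```powershell
# Added example (not from the thread). Reviews the Security log on a Windows Server 2003
# file server for (1) logons from one source IP and (2) audited file deletions with the
# account that performed them.
# Assumptions: PowerShell 2.0 on the server, run as a local administrator; "Audit logon
# events" and "Audit object access" enabled and a Delete SACL entry on the shared folder
# BEFORE the deletion happened. $SuspectIp is a placeholder; substitute your own records.

param(
    [string]$SuspectIp = "203.0.113.10",   # placeholder (documentation address range)
    [int]$DaysBack = 30
)

$since = (Get-Date).AddDays(-$DaysBack)
$ipPattern = "Source Network Address:\s+" + [regex]::Escape($SuspectIp)

# ---- Part 1: logons from the suspect address ------------------------------------------
# Server 2003 event IDs: 528 = successful logon, 540 = successful network logon.
# Logon Type 10 = Terminal Services (RDP), 3 = network (share access over SMB).
# Both event texts carry a "Source Network Address:" line on Server 2003.
$logons = @(Get-EventLog -LogName Security -After $since -InstanceId 528, 540 -EntryType SuccessAudit |
    Where-Object { $_.Message -match $ipPattern } |
    ForEach-Object {
        $user = "?"; $type = "?"
        if ($_.Message -match "User Name:\s+(\S+)")  { $user = $Matches[1] }
        if ($_.Message -match "Logon Type:\s+(\d+)") { $type = $Matches[1] }
        New-Object PSObject -Property @{ Time = $_.TimeGenerated; User = $user; LogonType = $type }
    })

"Logons from $SuspectIp since $($since.ToShortDateString()): $($logons.Count)"
# How often, per day
$logons | Group-Object { $_.Time.ToString("yyyy-MM-dd") } | Sort-Object Name |
    Select-Object @{ n = "Date"; e = { $_.Name } }, Count | Format-Table -AutoSize
# When, and as whom
$logons | Sort-Object Time | Format-Table Time, User, LogonType -AutoSize

# ---- Part 2: who deleted which file ---------------------------------------------------
# 560 = handle to an object opened (names the user, the object and the requested access),
# 562 = handle closed, 564 = object deleted (carries only the Handle ID and Process ID).
# Handle IDs get reused, so walk the events in log order and join 564 to the 560 whose
# handle is still open at that moment.
$openDeletes = @{}
Get-EventLog -LogName Security -After $since -InstanceId 560, 562, 564 -EntryType SuccessAudit |
    Sort-Object Index |
    ForEach-Object {
        if (-not ($_.Message -match "Handle ID:\s+(\d+)")) { return }   # skip malformed entries
        $handle = $Matches[1]
        switch ($_.EventID) {
            560 {
                # Only handles opened with DELETE access are candidates for a later 564
                if ($_.Message -match "Accesses:[\s\S]*?\bDELETE\b") { $openDeletes[$handle] = $_ }
            }
            562 { $openDeletes.Remove($handle) }
            564 {
                if ($openDeletes.ContainsKey($handle)) {
                    $open = $openDeletes[$handle]
                    $who = "?"; $what = "?"
                    if ($open.Message -match "Primary User Name:\s+(\S+)") { $who = $Matches[1] }
                    if ($open.Message -match "Object Name:\s+([^\r\n]+)")  { $what = $Matches[1].Trim() }
                    "{0}  {1} deleted {2}" -f $_.TimeGenerated, $who, $what
                    $openDeletes.Remove($handle)
                }
            }
        }
    }
```

Save it as, say, Review-SecurityLog.ps1 (a name chosen here, not from the thread) and run it from an administrator prompt on the server, e.g. `.\Review-SecurityLog.ps1 -SuspectIp 203.0.113.10 -DaysBack 60`. Two caveats worth knowing before reading the output: if remote users come in through a separate remote-access device, the "Source Network Address" the server records is the address that device presents, not the client's public IP, so that device's own logs are needed to finish the trail; and 560/564 pairs only exist for folders whose SACL actually audits Delete, so an empty Part 2 means "not audited", not "nothing was deleted".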