
I have multiple shared folders on a Windows SBS 2008 server. I need to be able to tell if a domain user is accessing these shares and copying large quantities of files to their laptop. Is there a way of turning on auditing in Group Policy to log an event if this occurs? Or, better still, can I be alerted by email if this kind of activity occurs?

Thanks,

Gary

heisenberg

1 Answer


I would forward the logs / audits to a central log server and filter out the "copy" keyword. But you could find something more native for Windows, such as Kiwi (a syslog replacement for Windows).

And yes, in most cases you can send an email if an event happens many times (30 copies in 1 minute, for example).

You could also monitor the network traffic of the server, and if an IP has a lot of traffic, just block it. {Also, in combination with audits, you can get both the IP and the username of the leecher :>}

Nikolaidis Fotis
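The rate threshold suggested in the answer above, sketched as an added example that is not part of the original post: a check a central log server could run over forwarded file-access records. It assumes file-system object-access auditing is enabled so that reads on the shares appear as Security event 4663 with the ReadData access bit set; the pipe-delimited record layout, account names and paths are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

READ_DATA = 0x1                 # ReadData bit in the 4663 AccessMask
THRESHOLD = 30                  # distinct files per window (the answer's example figure)
WINDOW = timedelta(minutes=1)

def parse(line):
    """Parse one record: ISO time|event id|user|path|hex access mask (assumed layout)."""
    ts, event_id, user, path, mask = line.strip().split("|")
    return datetime.fromisoformat(ts), int(event_id), user.lower(), path, int(mask, 16)

def bulk_readers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: time the user first read >= threshold distinct files within window}."""
    recent = defaultdict(deque)  # user -> (time, path) pairs still inside the window
    alerts = {}
    for ts, event_id, user, path, mask in sorted(map(parse, lines)):
        if event_id != 4663 or not mask & READ_DATA or user.endswith("$"):
            continue             # ignore non-read accesses and computer accounts
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] >= window:
            q.popleft()          # drop reads that fell out of the sliding window
        # One file can log several 4663 events, so count distinct paths.
        if user not in alerts and len({p for _, p in q}) >= threshold:
            alerts[user] = ts
    return alerts

def sample_events():
    """Constructed sample: alice reads 40 files in 40 s, bob 5 files over 5 min."""
    start = datetime(2024, 1, 15, 9, 0, 0)
    rows = []
    for i in range(40):
        t = (start + timedelta(seconds=i)).isoformat()
        rows.append(f"{t}|4663|CORP\\alice|D:\\Shares\\Finance\\doc{i}.xlsx|0x1")
    for i in range(5):
        t = (start + timedelta(minutes=i)).isoformat()
        rows.append(f"{t}|4663|CORP\\bob|D:\\Shares\\HR\\form{i}.docx|0x1")
    # Write-only access by carol must not count as a read.
    rows.append(f"{start.isoformat()}|4663|CORP\\carol|D:\\Shares\\HR\\x.docx|0x2")
    return rows

if __name__ == "__main__":
    for user, when in bulk_readers(sample_events()).items():
        print(f"ALERT {user} read {THRESHOLD}+ files within {WINDOW} at {when}")
```

The returned dictionary can be handed to whatever mail or ticketing step the log server already uses; event 4663 carries no client address, so pairing the user with an IP needs a second source such as the network monitoring the answer mentions.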