
We have an ASP Classic based web site running on IIS 8.5 and have an issue where a file is being modified and the contents of that file are deleted. It happens randomly, so we suspect an ex-employee still has a user account or possibly has a file on the server allowing them to modify other files.

Is there any way to track modifications/deletes of a file, whether by a Windows user or a specific file running on IIS?

Tommy Arnold

2 Answers


File system auditing has been in Windows NT since around 1993. In the security properties of the file, enable auditing; then you can check the Windows Event logs for any access to the file.

TechNet article

Peter Hahndorf
  • The intruder could disable auditing, do evil things, enable auditing again... – Fabian Jan 13 '18 at 16:51
  • @Fabian - true, which itself is logged, but you are right and this is not bulletproof. But you are assuming there is an intruder or malicious user; this may not be the case, and auditing file access is a good start to find out who edited the file. – Peter Hahndorf Jan 14 '18 at 16:28
  • It's not my assumption, OP wrote "suspect an ex employee still has a user account". And "doing evil things" includes deleting traces/manipulation of logfiles. If the intruder is smart, nobody will notice it. – Fabian Jan 14 '18 at 22:16
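
One way to apply the auditing described in this answer, and to check for the audit tampering raised in its comments, as an added PowerShell example that is not part of the original answer. The file path is a placeholder, and the script assumes an elevated prompt on an English-language Windows Server.

```powershell
#Requires -RunAsAdministrator
# Placeholder path (assumption): the file that keeps getting emptied.
$Path = 'C:\inetpub\wwwroot\example\target.asp'

# 1. Enable the "File System" audit subcategory (English-locale name).
#    Without it, audit entries on the file produce no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit (SACL) entry for Everyone (well-known SID S-1-1-0) covering
#    writes, deletes and permission/owner changes, both successful and failed.
$everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $everyone, $rights, $flags
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Later: list who touched the file. Event 4663 = access attempt on an object.
function Get-FileAuditEvent {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the named EventData fields into a hashtable.
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data.ObjectName -eq $Path) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Account    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                    Process    = $data.ProcessName   # w3wp.exe = an IIS worker process
                    AccessMask = $data.AccessMask    # 0x2 write data, 0x10000 delete
                }
            }
        }
}
Get-FileAuditEvent -Path $Path | Sort-Object Time | Format-Table -AutoSize

# 4. Signs of audit tampering: 4719 = system audit policy changed,
#    4907 = auditing settings on an object changed, 1102 = Security log cleared.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719, 4907, 1102 } `
             -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The `Account` and `Process` columns together separate an interactive Windows user from code running inside the site's application pool. Forwarding the Security log to another host keeps these records out of reach of someone with access to the server.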

Sounds like a job for an intrusion detection system (IDS). Keep in mind: it is useless to install an IDS on an apparently already compromised server. The intruder can detect it and adapt his behavior. I recommend changing logins and using a DMZ to set up a new server with an IDS.

Fabian