Home > Operation and Maintenance > Windows Operation and Maintenance > Detailed explanation of turning on the audit function in Windows to record file deletion operations

Detailed explanation of turning on the audit function in Windows to record file deletion operations

黄舟
Release: 2017-05-26 11:04:41
Original
6334 people have browsed it

Problem description:

Some files on the Windows machine were abnormally deleted and packaged. Intrusion suspected. How to troubleshoot.

Problem Solution:

1. Configure Group Policy

Select "Run" from the Start menu to open "Group PolicyEditor

Detailed explanation of turning on the audit function in Windows to record file deletion operations

Navigate to [Computer Configuration]--[Windows Settings]--[Security Settings]--[AdvancedAuditPolicy Configuration]--[System Audit Policy]--[Object Access], double-click [Audit File System] on the right, check [Define these policy settings] and [Success] items and [Failure] items do not need to be checked.

Detailed explanation of turning on the audit function in Windows to record file deletion operations

2. Add audit directory

Right-click the folder that needs to be audited, select [Properties], and then switch to [ Security] tab, click the [Advanced] button, switch to the [Audit] tab in the new dialog box, add users and groups to be audited, and check and delete related items in [Audit Projects] . It is necessary to audit everyone's deletion actions of the folder and subfolders.

For example, the C:\tmp configuration in the test environment is as follows:

Right-click the directory C:\tmp and select [Security]->[Advanced], select [Audit], and then add, for the subject [everyone], review [Delete subfolders and files] in the advanced permissions, [Delete] 2 items

Detailed explanation of turning on the audit function in Windows to record file deletion operations

Additionally, to increase the size of the security log, in the Event viewer, right-click Security and set the log size to 120512KB

Detailed explanation of turning on the audit function in Windows to record file deletion operations

3. Test, delete C:\tmp\testfile.txt, and then find the record with event ID 4646 in the security log as follows, which shows that the administrator user performed the operation through explorer.exe.

The above is the detailed content of Detailed explanation of turning on the audit function in Windows to record file deletion operations. For more information, please follow other related articles on the PHP Chinese website!

source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template