Do You Know What Joe Did Last Summer?

Occasionally operations teams need to get asked some difficult questions. Sometimes it goes like this:

“Joe has just left the company. Don’t ask me why. I’m not allowed to say. What files did Joe have accesses to? Did he copy any of those files in the last month?”


The first question is painful to answer and the second can be almost impossible. If answers to these sorts of questions are important then preparations are crucial. You could implement standards about how data access is configured and you could turn on file system access auditing. Then you could spend a while trolling through the vast amount of data that is generated. You will need to looks at the event logs on every file server that Joe had rights on. To find that you will need to know every group Joe is a member of and every group that those groups are members of. Then you will need to know the share and file system permissions on every file server. Including the ones under desks where servers should not be.

Alternatively, you could deploy a security audit tool and then just use search for the answers. One option is Netwrix Auditor. This tool will scan your file systems and shares to see who has access to what data. Happily, Auditor will also enumerate all of the memberships of all of the groups all the way to user accounts. In this way, we can search for every file or folder that Joe can access. Auditor will also let you query the file access audit information & find every file that Joe had accessed, or deleted. As an operations guy, this was the most interesting thing I saw in the Netwrix presentation, it certainly wasn’t the whole thing. I liked that it is easy to do an ad-hoc query on the gathered audit data. The data query model seems to be fairly simple, there weren’t hundreds of fields to work out. Also, the search entry fields are also reactive, making it easier to get the right search terms together.

Personally, I associate security audit tools with tin-foil-hat wearing paranoid security people. Particularly at compliance heavy organizations that need to prove a lot of processes are being followed. But at Tech Field Day (TFD11) I did see a side of security audit that a normal system administrator could use. For more information about the Netwrix security auditor you can take a look at the TFD11 videos here. Since I saw Netwrix at TFD11 you can also check my standard TFD disclaimer here.

© 2016, Alastair. All rights reserved.

About Alastair

I am a professional geek, working in IT Infrastructure. Mostly I help to communicate and educate around the use of current technology and the direction of future technologies.
This entry was posted in General. Bookmark the permalink.