Solved

How do I monitor a user?

Posted on 2003-12-06
13
268 Views
Last Modified: 2010-04-14
My boss is suspecting a user in my company of performing illegal activities.
I have a Windows 2000 Active Directory domain and the clients are Windows XP.
I need to be able to monitor the activities of the user to determine and collect information for legal actions.
I would like to be able to do something like a screen shadow of the user's account, without the user knowing.
The boss is concerned that if we don't do something the company will be held liable.
Any help would be appreciated.
Thank you.
0
Question by:microcrashboy
13 Comments
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9889109
HOW TO: Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549

HOW TO: Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640
0
 
LVL 65

Expert Comment

by:SheharyaarSaahil
ID: 9889271
May these products help you... but they are not free ;)

http://www.spytech-web.com/
0
 
LVL 10

Accepted Solution

by:
KingHollis earned 500 total points
ID: 9891450
I know you may not be completely at liberty to say, but what resource on your network is this user using to perform the alleged illegal activities?

Simply shadowing him/her isn't going to save you legally. Auditing as CrazyOne is suggesting is an excellent method if the user is accessing files or performing malicious activities against your network-- but are still excellent tools in building your case. But if this illegal activity is taking place using the Internet or email, neither shadowing nor auditing will be sufficient. [There are logs for both that can be used for AAA.]

Before getting too deep into this, I highly recommend setting up a company-approved logon message warning all users that all use of company computers is subject to monitoring and that illegal and/or improper use will result in disciplinary action. And having users sign off on an acceptable use policy via HR would be meaningful as well. Of course, I realize that all of this would probably alert your suspect, but it is good for future reference and is the kind of stuff that will leave you legally up the creek if you try to prosecute this user without it.

A simple solution might be to force all users to change their passwords [or just the department this user is in] as a way of covering up your changing his/her password and snooping for evidence after he/she is gone for the day. If they're not clever enough they will have left IE histories, cookies, sent or deleted items in Outlook, etc.

Bottom line is this: If your boss has enough suspicion to believe that the user is really up to something, any intervention he takes is justified-- this is company equipment. Clandestine stuff like spyware seems cool, but it's not gonna hold water in a legal battle.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9892175
Although you could set up a camera that strategically watches what the individual is doing with the computer. Many companies do this now. Some make it obvious in that they don't hide the cameras and other companies find ways to hide the camera. Look at Las Vegas: they have what is commonly known as the eye in the sky watching the gambling floor and other hot spots and watching the employees.

If you make the camera so it is seen then this would probably curtail the individual's desire to continue their ill-gotten ways, which I would think would be the top priority here. If you are interested in terminating their employment because of what you suspect they are doing then try and hide the camera in such a way that at least you can see the person's monitor.
0
 
LVL 44

Expert Comment

by:CrazyOne
ID: 9892183
Or use something like this

KeyGhost Hardware Key Logger
http://www.keyghost.com/
0
 
LVL 10

Expert Comment

by:KingHollis
ID: 9892206
Also, if you are willing to part with the dosh, you could get Microsoft SMS. This way you have a legitimate tool for many other useful control management tasks, but it also comes with a remote control feature that you can configure to not require the user's intervention. This allows you to effectively watch any session on-screen without the user's knowledge. I used this in an incident similar to yours as part of a larger case being built. But I have to stress that you have to have your legal ducks already in a row and use other presentable, unalterable accounting logs. Think lawsuit.
0
 
LVL 1

Author Comment

by:microcrashboy
ID: 9893143
I have been assured by the boss that all legal matters have been addressed; my mistake, all employees do sign a disclaimer and are warned about actions, with using company equipment for other than business use.

It is something, to be honest, I have been seriously dreading and hate doing, but I am, as they say, in the middle! This is the part of the job I hate.

The password is not an issue; it is downloading, well, illicit materials and sending via e-mail, he figures, because we have had complaints, but nothing substantial yet.
0
 
LVL 1

Author Comment

by:microcrashboy
ID: 9893152
oh and...

Camera I would prefer to completely avoid; I am trying to use all my influence to convince the boss to avoid doing this.

It always takes one person to wreck the privileges for all.
0
 
LVL 10

Expert Comment

by:KingHollis
ID: 9893274
Microcrashboy,

I feel you. We had a similar situation at one of my locations. Fortunately, the boss understood that "boys will be boys" and we confronted the guy and explained that our primary concern was that the sites that generally posted this material were often harbingers of viruses and malware and that our interest was in protecting the network and not busting him. He was very embarrassed and apologetic, and we've not had a problem since.

Another approach to handling this situation delicately would be to purchase some sort of web filtering software like Websense and simply restrict the sites he is going to. Surely he won't be bold enough to approach you about sites he can't get to! You can do the same with email filtering software. You could even freeze the mail queue and scan the suspect mail he sends, rejecting with NDS reports. Again, it will be unlikely that he will approach you about not being able to send this type of email.

These are all around the way methods that don't address the heart of the situation. This is less a technical issue than it is a business and management issue. Do what I suggested and search his computer after hours and scour his machine for evidence-- if he doesn't suspect you are on to him he will undoubtedly be a bit careless. Then have management confront him with the knowledge of his activities. Suggest that they warn him and tell him that his activities are being closely monitored and documented [even if they aren't-- he won't know fully what you are capable of monitoring or how]. And then follow through with termination if there is ever evidence of such a breach again.

Point is you are being used as a tool of management. If they want you to be able to do this type of routine monitoring [which you should!] then the resources have to be allocated.

I'm sure others will be able to offer you a ton of solutions to install to trap this malcontent, so you can take it from there.

Best of luck.
0
 
LVL 1

Author Comment

by:microcrashboy
ID: 9893297
thanx for the advice much appreciated :)
0
 
LVL 10

Expert Comment

by:KingHollis
ID: 9926622
microcrashboy,

Thanks for the consideration! What ended up happening?
0
 
LVL 1

Author Comment

by:microcrashboy
ID: 9927917
Boss caught him bye bye he go :)
0
 
LVL 10

Expert Comment

by:KingHollis
ID: 9928816
Play with fire, expect to get burned!
Best of luck!
0
