Security Auditing

jmergulhao (Canada) asked:

Currently have an NT domain with win2k workstations and win2k servers.  We will be moving to AD shortly..

Company needs a very detailed audit trail of all users' activities on the PCs and servers.  I have the Mail and Web tracking covered but I need more detail on users' activities when it comes to files on the server and locally..

Besides turning on all the Security Events in AD, would a keylogger make more sense...

Any suggestions on best practices greatly appreciated

thx

John



tmcguiness:

No.

A keylogger will give you far more information than you would ever want to try to wade through. You will also open yourself up to all sorts of legal ramifications. Yeh, yeh, I know... it's your company, the employees have signed every piece of paper in the world and you have a pack of 10,000 lawyers that have told you it is ok.  It just isn't worth it.

When we converted from NetWare to NT years ago, we did our best to determine who was using what by whatever means we had. If we couldn't find anybody to claim it, we didn't copy it over. When somebody screamed, we fixed it. You'd be surprised how little screaming there was. We kept an old NetWare server running in the corner with a tape backup that we could use to restore files if we needed to, but after about a year, we sent out a message that if you didn't have it now you never would. We came out of it alive.
SOLUTION by Les Moore (United States): members only, not shown here.
jmergulhao (ASKER):

I agree with you on the keylogger, it just isn't worth the time and effort, let alone the legal pitfalls.

I believe the main company concern is a disgruntled employee leaving the company with data burned on CDs or any other media.  How would I quickly find which data files were copied and when?  This is one scenario...

We can obviously do a good job of compiling a lot of audit data through event logs, but would I be able to produce enough evidence to track copied files...

Thanks for your quick response

John


SOLUTION (members only, not shown here)
Again, not every file has any value, especially to a disgruntled employee. Who cares if he takes a copy of freecell.exe, or even a .iso image of Windows XP.
First, determine what files are valuable, and enable full auditing on them in AD. Be sure to backup/archive the log files. There would be plenty of evidence of date/time files are accessed by user, but no proof that any of them were copied to other media, or if they used someone else's login. If systems are locked down as much as possible for everyday users, only those with admin privileges could do much damage anyway, and there is only so much you can do to protect yourself from a determined (disgruntled) system admin.
Keep them all happy and you won't have any disgruntled employees, right?  <8-}

Did <disgruntled employee "DE"> copy file xyz.doc on 2/3/04? Was this copied file then burned to CD? On the same day?
We can show that userX 'accessed' file xyz.doc on 2/3/04 from the audit logs.
Can we prove that userX is actually <DE>? Not unless we use some form of biometrics for access (fingerprint reader, etc) to the machine.
Can we prove that just because the file was accessed (not changed), that it was copied to another location? Not unless we audit the file writes to every known disk location. If they stick in a USB jumpdrive, we're not auditing that.
We can use a network "recorder" to record every packet going across the network. This would prove that a file was copied from server A to PC X, but not by whom. If you have a moderate size network, this daily traffic record could be over 75-100Gb. Do you have the storage capacity to archive this much data on a daily basis?
Among other things, we can monitor Internet use and get a record of who's shopping job search sites to have an idea of who to keep an eye on.

If it's just because "The <paranoid> Boss" wants it, just be sure to explain the costs and complexities of doing so and ask for lots of money to make it happen. "Sure, we can do it, but it'll cost ya - big $$."
Your protection mechanisms and forensic toolset must be directly proportional to the value of the data that is accessible. If data files are that valuable, then the employee must be in some position of trust and should sign things like non-disclosure agreements that would subject them to stiff penalties if they did take proprietary files off your property, and you can spend as much as you need to protect them. Bottom line - it's all relative.

SunBow..
>For a 'monitor' such as #4, just say no to webcam. <sorry>
Ditto! Notice I didn't even list that as an option...
That's not to say that there are no hidden surveillance cameras in the facilities...
That's not to say that there are no searches of personal belongings by guards at the door of every employee coming and going...
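To make concrete what the audit trail in the post above can and cannot establish, here is an added Python example (not from this thread) that parses a constructed, simplified export of file-access audit events (event 560, "Object Open", in Windows 2000/2003; 4663 in later versions), builds the per-file access timeline the post describes, and flags a user who reads many of the valuable files inside a short window. The export layout, user names, paths, file list and timestamps are all constructed for the example; a real Event Viewer export has its own format and needs its own parser.

```python
"""Audit-trail triage for file-access events (added example, not from the thread).

Assumes the Security log has been exported to a tab-separated text file with
one record per line: date, time, user, event id, object path, access type.
That layout and the records below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records.  560 = Windows 2000/2003 "Object Open";
# 4663 = the Vista-and-later "attempt was made to access an object".
SAMPLE_EXPORT = """\
2/3/2004\t09:02:11\tCORP\\userx\t560\tE:\\Shares\\Engineering\\xyz.doc\tReadData
2/3/2004\t09:02:40\tCORP\\userx\t560\tE:\\Shares\\Engineering\\design.vsd\tReadData
2/3/2004\t09:03:05\tCORP\\userx\t560\tE:\\Shares\\Engineering\\bom.xls\tReadData
2/3/2004\t09:03:30\tCORP\\userx\t560\tE:\\Shares\\Engineering\\pricing.xls\tReadData
2/3/2004\t09:15:00\tCORP\\usery\t560\tE:\\Shares\\Public\\freecell.exe\tReadData
2/3/2004\t11:40:12\tCORP\\usery\t560\tE:\\Shares\\Engineering\\xyz.doc\tWriteData
2/3/2004\t14:05:00\tCORP\\userx\t4663\tE:\\Shares\\Engineering\\xyz.doc\tReadData
"""

# Folders the business has flagged as valuable (constructed list).
VALUABLE_PREFIXES = ("E:\\Shares\\Engineering\\",)
FILE_ACCESS_EVENTS = {"560", "4663"}


def parse_export(text):
    """Parse the tab-separated export into dicts, sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, event_id, path, access = line.split("\t")
        records.append({
            "when": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "user": user.lower(),
            "event_id": event_id,
            "path": path,
            "access": access,
        })
    return sorted(records, key=lambda r: r["when"])


def is_valuable(path):
    return path.lower().startswith(tuple(p.lower() for p in VALUABLE_PREFIXES))


def access_timeline(records, path):
    """Who touched one file, and when: the evidence the audit log can give."""
    return [(r["when"], r["user"], r["access"]) for r in records
            if r["event_id"] in FILE_ACCESS_EVENTS
            and r["path"].lower() == path.lower()]


def bulk_read_bursts(records, window=timedelta(minutes=10), threshold=3):
    """Flag users who read >= threshold distinct valuable files within one window.

    A sweep through many valuable files in a few minutes is consistent with
    bulk copying, but the log alone never proves that a copy was made.
    """
    by_user = defaultdict(list)
    for r in records:
        if (r["event_id"] in FILE_ACCESS_EVENTS and r["access"] == "ReadData"
                and is_valuable(r["path"])):
            by_user[r["user"]].append(r)
    findings = []
    for user, reads in by_user.items():  # reads are already time-ordered
        for i, first in enumerate(reads):
            files = {r["path"] for r in reads[i:]
                     if r["when"] - first["when"] <= window}
            if len(files) >= threshold:
                findings.append((user, first["when"], sorted(files)))
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for when, user, access in access_timeline(recs, "E:\\Shares\\Engineering\\xyz.doc"):
        print(when, user, access)
    for user, start, files in bulk_read_bursts(recs):
        print(f"{user} read {len(files)} valuable files starting {start}: {files}")
```

The timeline answers "who accessed xyz.doc and when"; the burst check is a triage aid for deciding whose activity to look at first. Neither shows that bytes left the network, which is exactly the limitation the post describes.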



SOLUTION (members only, not shown here)
SOLUTION (members only, not shown here)
ASKER CERTIFIED SOLUTION (members only, not shown here)
Gentlemen,

As usual you have all given me a wealth of information on this topic and I thank you all..
This security audit is definitely driven by the business in its efforts to stop employees from leaving with company documents which are valuable to competitors.  I've advised them in the past of this possibility and the immediate need to put better security policies in place, but as usual it only gets priority when it bites them in the ASS..

My report will include the need for a strict, detailed security policy which must be signed by all employees and enforced by management. I will also be including a detailed technical report on how IT can help track users' actions.

richrumble:
Tried the NTOP product and I'm going to deploy it on our critical data servers.. Do you have the SNORT rule which triggers on file copy, or can you point me in the correct direction?  I've played with SNORT but never wrote any specific rules, but I'm sure there's one already out there..

Since everyone has basically answered and provided me with great info on this topic I'll split the points amongst everyone as best as I can..

Cheers

John

richrumble:

The snort rule wouldn't be too hard to write... off the top of my head, it'd look something like this:

alert tcp any any <> $HOME_NET 139 (msg:"File Copy In Progress?"; flow:to_server,established; content:"thisdocument.doc"; sid:1000001; rev:1;)

In the content section, you could either specify the document's name or the folder's name. However, that rule is too generic, and would trip whenever that file or folder were accessed over SMB. The rule could be refined a bit more... but SMB is sometimes more difficult to write a "copy" rule for, since there is no clear-cut command like with tftp or ftp "get" or "put".
-rich
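An added Python example, not richrumble's code, that checks the content syntax of a rule like the one above and renders a refined version. Two details matter when writing it: in Snort rule syntax, text between pipe characters inside content:"..." is hexadecimal bytes, so a pipe-wrapped file name is a syntax error rather than a literal match; and Windows clients send SMB file names as UTF-16LE, so an ASCII pattern will not match on the wire and has to be written with interleaved |00| bytes. The payload bytes, the file name, the rule message and the sid below are constructed for the example.

```python
"""Snort content-syntax helper for an SMB file-open rule (added example, not from the thread)."""
import re

_HEX_PAIRS = re.compile(r"([0-9A-Fa-f]{2})*")


def content_to_bytes(content):
    """Convert a Snort content string into the raw bytes it matches.

    Text outside pipes is literal; text between pipes must be hex byte pairs
    (spaces allowed), so "|thisdocument.doc|" is rejected instead of matched.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced pipes: pipes delimit hex bytes in Snort content")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            hexdigits = part.replace(" ", "")
            if not _HEX_PAIRS.fullmatch(hexdigits):
                raise ValueError(f"non-hex data between pipes: |{part}|")
            out += bytes.fromhex(hexdigits)
    return bytes(out)


def is_valid_content(content):
    try:
        content_to_bytes(content)
        return True
    except ValueError:
        return False


def utf16le_content(name):
    """Render a file name in the UTF-16LE form SMB puts on the wire: 'a|00|b|00|...'."""
    if any(ch in name for ch in '|";\\'):
        raise ValueError("escape or avoid pipe, quote, semicolon and backslash in the name")
    return "".join(f"{ch}|00|" for ch in name)


def build_rule(name, sid):
    """Assemble the refined rule: both SMB ports, to-server flow, UTF-16LE name."""
    return (f"alert tcp $HOME_NET any -> $HOME_NET [139,445] "
            f'(msg:"Valuable file opened over SMB: {name}"; flow:to_server,established; '
            f'content:"{utf16le_content(name)}"; nocase; classtype:policy-violation; '
            f"sid:{sid}; rev:1;)")


def payload_matches(content, payload):
    """Plain substring match, which is what a single content option does."""
    return content_to_bytes(content) in payload


# Constructed payload: an SMB1 header magic followed by the path a Windows
# client would send in an open request, encoded as UTF-16LE.
SMB_OPEN_PAYLOAD = (b"\xffSMB" + b"\x00" * 8
                    + "\\Engineering\\secret.doc".encode("utf-16-le"))

if __name__ == "__main__":
    print("pipe-wrapped name valid? ", is_valid_content("|thisdocument.doc|"))
    print("ASCII name matches?       ", payload_matches("secret.doc", SMB_OPEN_PAYLOAD))
    print("UTF-16LE name matches?    ",
          payload_matches(utf16le_content("secret.doc"), SMB_OPEN_PAYLOAD))
    print(build_rule("secret.doc", 1000001))
```

Even with the encoding fixed, the rule still only says that the file was opened over SMB, not that it was copied, which is the limitation richrumble points out; it is best treated as a tripwire on the handful of files the business has flagged as valuable.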