Security Auditing

Posted on 2004-11-26
Medium Priority
Last Modified: 2010-05-18
Currently have a NT domain with win2k workstations and win2k servers.  We will be moving to AD shortly..

Company needs a very detailed audit track of all users activities on the pc and servers.  I have the Mail and Web tracking covered but i need more detail on users activities when it comes to files on the server and locally..  

Besides turning on all the Security Event in AD would a keylogger make more sense...

Any suggestions on best practices greatly appreciated



Question by:jmergulhao
  • 3
  • 2
  • 2
  • +3

Expert Comment

ID: 12683558

a keylogger will give you far more information than you would ever want to try to wade through. You will also open yourself up to all sorts of legal ramifications. Yeh, yeh, I know... it's your company, the employees have signed every piece of paper in the world and you have a pack of 10,000 lawyers that have told you it is ok.  It just isn't worth it.

When we converted from NetWare to NT years ago, we did our best to determine who was using what by whatever means we had. If we couldn't find anybody to claim it, we didn't copy it over. When somebody screamed, we fixed it. You'd be surprised how little screaming there was. We kept an old NetWare server running in the corner with a tape backup that we could use to restore file if we needed to but after about a year, we sent out a message that if you didn't have it now you never would. we came out of it alive.
LVL 79

Assisted Solution

lrmoore earned 600 total points
ID: 12683728
If you want best practices....
Don't even try. As tmcguiness stated, you'll get far more data than you could possibly wade through even if you hire 5 more IT people just to keep up with it.
What is driving the requirement to audit 100% of user activities?
I know of no government regulations that would require it.
HIPPA that governs healthcare industry does not
Sorbannes Oxley act does not
Top Secret miltary facilities/programs do not
Graham, Leach, Bliley act that governs financial institutions does not

Best practice:
1. Have a written policy that everyone signs. Polices are written with the idea that all employees are adults, all employees are due respect, all employees are trusted, and adults need little supervision and some leeway in how they do their jobs. Employees hate the prospect of "Big Brother" watching their every move.
2. Have periodic refresher training to review policies
3. Monitor for compliance, spot checks, random audits of servers periodically. Just a statement within the policy that the company "may" resort to the likes of keyloggers, and all activity is "subject" to monitoring will keep 99% of your users in line.
4. Have technical measures in place that you can monitor what's really important (firewall logs, AD security audits, network recorders, internet use compliance technology, etc), and spend the time and money on what really is important to protect/audit. Perhaps that really boils down to access to/from one single server + Internet use.
5. Quick and direct punishment for those caught in non-compliance

Author Comment

ID: 12683802
I agree with you on the keylogger, it just isnst worth the time and effort let alone the legal pitfals.

I believe the main company concern is a disgruntled employee leaving the company with data burned on CD's  any other media.  How would i quickly find which the data files where copied and when.  This is one scenario...

We can obviously do a good job of compiling allot of audit data through event logs but would i be able to produce enough evidence to  track copied files...

Thanks for your quick response


A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

LVL 24

Assisted Solution

SunBow earned 400 total points
ID: 12683832
> would a keylogger make more sense...

No way.  They are not really what they seem, and really, there's more to life than snooping, if you really ever found the time to eaver read it all. Also be cautious of the others, such as web tracking.  While between them all you could have a storage nightmare, you can also end up with vulnerability to discriminating against a worker or a class of workers.  Know that just because you can snoop does not mean that you should, and at the same time, know that just because you are not snooping into private affairs, does not mean that you won't be accused of it.

We had a recent asker wonder just how to convince there was no snooping to cause them to be fired.  Apparently, someone had been walking through the office and noticed something as 'other than business' on an employees screen. Led to immediate termination, without proper identification of the real tattler.  So the question you ask also extends to, how will you convince the employees that you do consider their interests in the taks you perform (and are not abusive).   Generally, eMail is considered a critical need for corporate documentation, so most have to keep it around, backed up, until long passed its normal expected life.  No need to read it all, not only would that be invasive, (illegal), but it is not really doable.

For auditing of business information access, the company's programmers should to that tracking, as they are already handling (or should be) the legitimizing of access to special programs and files.  There is also the no-no of letting the Adminstrator having audit function. The two should be separated.  Who watching? Can admin have power over content of log? No, not for an audit log. Admin only enables it, as far as authority.

I agree with above comments, especially fond of #5.  I get dumbfounded by stories that same person keeps downloading and running some virus or worm. Don't people learn? Behave? If not, there's probably a different position to which they are better suited, help them find their place.  For a 'monitor' such as #4, just say no to webcam. <sorry>

I think the clearest path for you is also:

lrmoore > What is driving the requirement to audit

Maybe there is way to solve the request to appease the driving force, rather than some unspecified auditting.
LVL 79

Expert Comment

ID: 12683875
Again, not every file has any value, especially to a disgruntled employee. Who cares if he takes a copy of freecell.exe, or even a .iso image of Windows XP.
First, determine what files are valuable, and enable full auditing on them in AD. Be sure to backup/archive the log files. There would be plenty of evidence of date/time files are accessed by user, but no proof that any of them were copied to other media, or if they used someone else's login. If systems are locked down as much as possible for everyday users, only those with admin priveleges could do much damage anyway, and there is only so much you can do to protect yourself from a determined (disgruntled) system admin.
Keep them all happy and you won't have any disgruntled employees, right?  <8-}

Did <disgruntled employee "DE"> copy file xyz.doc on 2/3/04? Was this copied file then burned to CD? On the same day?
We can show that userX 'accessed' file xyz.doc on 2/3/04 from the audit logs.
Can we prove that userX is actually <DE>? Not unless we use some form of biometrics for access (fingerprint reader, etc) to the machine.
Can we prove that just because the file was accessed (not changed), that it was copied to another location? Not unless we audit the file writes to every known disk location. If they stick in a USB jumpdrive, we're not auditing that.
We can use a network "recorder" to record every packet going across the network. This would prove that a file was copied from server A to PC X, but not by whom. If you have a moderate size network, this daily traffic record could be over 75-100Gb. Do you have the storage capacity to archive this much data on a daily basis?
Among other things, we can monitor Internet use and get a record of who's shopping job search sites to have an idea of who to keep an eye on.

If it's just because "The <paranoid> Boss" wants it, just be sure to explain the costs and complexities of doing so and ask for lots of money to make it happen. "Sure, we can do it, but it'll cost ya - big $$."
Your protection mechanisms and forensic toolset must be directly proportional to the value of the data that is accessible. If data files are that valuable, then the employee must be in some position of trust and should sign things like non-disclosure agreements that would subject them to stiff penalties if they did take proprietary files off your property, and you can spend as much as you need to protect them. Bottom line - it's all relative.

LVL 79

Expert Comment

ID: 12683905
>For a 'monitor' such as #4, just say no to webcam. <sorry>
Ditto! Notice I didn't even list that as an option...
That's not to say that there are no hidden surveillance cameras in the facilities...
That's not to say that there are no searches of personal belongings by guards at the door of every employee coming and going...


Assisted Solution

tmcguiness earned 200 total points
ID: 12685720
You're a lot more likely to have disgruntled employees by making them feel like they are untrustworthy. I personally wouldn't be giving my boss a whole lot of effort on this but explaining why he's off his rocker.

But if you really feel the need to forge ahead. You can look into document management programs like Hummingbird that are like libraries where documents are checked out. I can't tell you the full capabilities but it would give you an audit path of who had the file, when, and if they changed it.

Personally, I feel like managers have started leaning on technology because it's easier for them than being a good manager. I think that you should suggest some other strategies to your boss to safeguard your most important information, granted it's not foolproof but none of this is. But rotation of responsibilities is one thing, familiarity gets people feeling comfortable enough to do things like copying files and taking them. If somebody is only doing a given job for three months or a year at a time, they may not get comfortable enough to take the information.  Another idea is to Comparmentalize the data so it would be difficult for somebody to steal the data without colluding with a co-worker. This might be done by people working in close knit teams, sharing work areas. These things coupled with some technical measures might go a bit further.

Of course you could close your network and strip-search your employees as they come and go each day!
LVL 18

Assisted Solution

chicagoan earned 200 total points
ID: 12685953
Setting up your network so that information is available only to those who need it is the first step.
A zero-based access policy is one in which nobody has access to anything unless explicity granted.
At that point auditing files is a moot point, though it does give you logs to review your access control lists.
If you want to contain the information you'll have to disable the local storage devices (and the USB ports), enable BIOS passwords, use case locks, and contain traffic outside the network to preclude FTP, email or other network transfers.
You'll also have to enforce password protected screen savers and other measures to protect consoles.
LVL 38

Accepted Solution

Rich Rumble earned 600 total points
ID: 12686717
KISS- Keep It Simple Stupid. Give Ntop a look. openxtra has a windows port that is free, or ntop.org has the linux version for free. In addition to NTOP, setup windows to audit file access. Ntop and the windows log's were enough for us to prosecute a few former employess that printed off parts of our data-base as well as copying data to cd's. That would not of been admisable if they had not signed off on our audit policies at the begining of their employment.

While NTOP won't tell you detail like a specfic file being accessed or copied, it'd be easy to write a Snort rule to do so.
Ntop will be able to show a corrispondance between event-log's and user/server comunnication time wise.
ntop is a full featured tool, with hundreds of features, here is a summary of what ntop can do for you:

    * Display traffic statistics
    * Breakdown the network protocols running on your network
    * Store traffic statistics in RRDTool format for historical analysis and trending
    * Assist with identifying your users
    * Identify host operating systems without disturbing your network
    * Breakdown IP traffic by conversation
    * Breakdown IP traffic statistics by port
    * Breakdown IP traffic by subnet
    * Act as a NetFlow/sFlow probe and collector (as supported by Cisco, Juniper and Foundry devices

http://www.openxtra.co.uk/products/ntop-xtra.htm (ntop)
http://www.sans.org/resources/policies/ (SANS policy page)


Author Comment

ID: 12688476

As usual you have all given me a wealth of information on this topic and i thank you all..
This security audit is definetly driven by the business in its efforts to stop employees from leaving with company documents which are valuable to competitors.  Ive advised them in past of this possibility and the emmidiate need to place better security policies in place but as usual it only gets priority when it bites them in the ASS..

My report will include the need for a strict detailed security policy which must be sighned by all employees and inforced by management. I will also be including a detail techninal report on how IT can help track users actions.

Tried the NTOP product and im going to deploy it on our critical data servers.. Do you have the SNORT rule which triggers file copy or can you point me the correct direction.  Ive played with SNORT but never wrote any specific rules but im sure theres one already out there..

Since everyone has basically answered and provided me with great info on this topic ill split the points amongst everyone as best as i can..



LVL 38

Expert Comment

by:Rich Rumble
ID: 12690942
The snort rule wouldn't be too hard to write... of the top of my head, it'd look something like this:

alert tcp any any <> $HOME_NET 139 (msg:"File Copy In Progress?"; flow:to_server,established; content:"|thisdocumnet.doc|"; sid:00000; rev:1;)

in the content section, you could either specify the document's name, or the folder's name. However that rule is too generic, and would trip when ever that file or folder were accessed SMB. The rule could be refined a bit more... but SMB is sometimes more difficult to write a "copy" rule for since there is no clear-cut command like with tftp or ftp "get" or "put".


Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is about my experience upgrading my consulting machine to Windows 10 Version 1709 (The Fall 2017 Creator Update)
Last month Marc Laliberte, WatchGuard’s Senior Threat Analyst, contributed reviewed the three major email authentication anti-phishing technology standards: SPF, DKIM, and DMARC. Learn more in part 2 of the series originally posted in Cyber Defense …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question