Security Auditing

Currently have a NT domain with win2k workstations and win2k servers.  We will be moving to AD shortly..

Company needs a very detailed audit track of all users activities on the pc and servers.  I have the Mail and Web tracking covered but i need more detail on users activities when it comes to files on the server and locally..  

Besides turning on all the Security Event in AD would a keylogger make more sense...

Any suggestions on best practices greatly appreciated



Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


a keylogger will give you far more information than you would ever want to try to wade through. You will also open yourself up to all sorts of legal ramifications. Yeh, yeh, I know... it's your company, the employees have signed every piece of paper in the world and you have a pack of 10,000 lawyers that have told you it is ok.  It just isn't worth it.

When we converted from NetWare to NT years ago, we did our best to determine who was using what by whatever means we had. If we couldn't find anybody to claim it, we didn't copy it over. When somebody screamed, we fixed it. You'd be surprised how little screaming there was. We kept an old NetWare server running in the corner with a tape backup that we could use to restore file if we needed to but after about a year, we sent out a message that if you didn't have it now you never would. we came out of it alive.
If you want best practices....
Don't even try. As tmcguiness stated, you'll get far more data than you could possibly wade through even if you hire 5 more IT people just to keep up with it.
What is driving the requirement to audit 100% of user activities?
I know of no government regulations that would require it.
HIPPA that governs healthcare industry does not
Sorbannes Oxley act does not
Top Secret miltary facilities/programs do not
Graham, Leach, Bliley act that governs financial institutions does not

Best practice:
1. Have a written policy that everyone signs. Polices are written with the idea that all employees are adults, all employees are due respect, all employees are trusted, and adults need little supervision and some leeway in how they do their jobs. Employees hate the prospect of "Big Brother" watching their every move.
2. Have periodic refresher training to review policies
3. Monitor for compliance, spot checks, random audits of servers periodically. Just a statement within the policy that the company "may" resort to the likes of keyloggers, and all activity is "subject" to monitoring will keep 99% of your users in line.
4. Have technical measures in place that you can monitor what's really important (firewall logs, AD security audits, network recorders, internet use compliance technology, etc), and spend the time and money on what really is important to protect/audit. Perhaps that really boils down to access to/from one single server + Internet use.
5. Quick and direct punishment for those caught in non-compliance
jmergulhaoAuthor Commented:
I agree with you on the keylogger, it just isnst worth the time and effort let alone the legal pitfals.

I believe the main company concern is a disgruntled employee leaving the company with data burned on CD's  any other media.  How would i quickly find which the data files where copied and when.  This is one scenario...

We can obviously do a good job of compiling allot of audit data through event logs but would i be able to produce enough evidence to  track copied files...

Thanks for your quick response


Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

> would a keylogger make more sense...

No way.  They are not really what they seem, and really, there's more to life than snooping, if you really ever found the time to eaver read it all. Also be cautious of the others, such as web tracking.  While between them all you could have a storage nightmare, you can also end up with vulnerability to discriminating against a worker or a class of workers.  Know that just because you can snoop does not mean that you should, and at the same time, know that just because you are not snooping into private affairs, does not mean that you won't be accused of it.

We had a recent asker wonder just how to convince there was no snooping to cause them to be fired.  Apparently, someone had been walking through the office and noticed something as 'other than business' on an employees screen. Led to immediate termination, without proper identification of the real tattler.  So the question you ask also extends to, how will you convince the employees that you do consider their interests in the taks you perform (and are not abusive).   Generally, eMail is considered a critical need for corporate documentation, so most have to keep it around, backed up, until long passed its normal expected life.  No need to read it all, not only would that be invasive, (illegal), but it is not really doable.

For auditing of business information access, the company's programmers should to that tracking, as they are already handling (or should be) the legitimizing of access to special programs and files.  There is also the no-no of letting the Adminstrator having audit function. The two should be separated.  Who watching? Can admin have power over content of log? No, not for an audit log. Admin only enables it, as far as authority.

I agree with above comments, especially fond of #5.  I get dumbfounded by stories that same person keeps downloading and running some virus or worm. Don't people learn? Behave? If not, there's probably a different position to which they are better suited, help them find their place.  For a 'monitor' such as #4, just say no to webcam. <sorry>

I think the clearest path for you is also:

lrmoore > What is driving the requirement to audit

Maybe there is way to solve the request to appease the driving force, rather than some unspecified auditting.
Again, not every file has any value, especially to a disgruntled employee. Who cares if he takes a copy of freecell.exe, or even a .iso image of Windows XP.
First, determine what files are valuable, and enable full auditing on them in AD. Be sure to backup/archive the log files. There would be plenty of evidence of date/time files are accessed by user, but no proof that any of them were copied to other media, or if they used someone else's login. If systems are locked down as much as possible for everyday users, only those with admin priveleges could do much damage anyway, and there is only so much you can do to protect yourself from a determined (disgruntled) system admin.
Keep them all happy and you won't have any disgruntled employees, right?  <8-}

Did <disgruntled employee "DE"> copy file xyz.doc on 2/3/04? Was this copied file then burned to CD? On the same day?
We can show that userX 'accessed' file xyz.doc on 2/3/04 from the audit logs.
Can we prove that userX is actually <DE>? Not unless we use some form of biometrics for access (fingerprint reader, etc) to the machine.
Can we prove that just because the file was accessed (not changed), that it was copied to another location? Not unless we audit the file writes to every known disk location. If they stick in a USB jumpdrive, we're not auditing that.
We can use a network "recorder" to record every packet going across the network. This would prove that a file was copied from server A to PC X, but not by whom. If you have a moderate size network, this daily traffic record could be over 75-100Gb. Do you have the storage capacity to archive this much data on a daily basis?
Among other things, we can monitor Internet use and get a record of who's shopping job search sites to have an idea of who to keep an eye on.

If it's just because "The <paranoid> Boss" wants it, just be sure to explain the costs and complexities of doing so and ask for lots of money to make it happen. "Sure, we can do it, but it'll cost ya - big $$."
Your protection mechanisms and forensic toolset must be directly proportional to the value of the data that is accessible. If data files are that valuable, then the employee must be in some position of trust and should sign things like non-disclosure agreements that would subject them to stiff penalties if they did take proprietary files off your property, and you can spend as much as you need to protect them. Bottom line - it's all relative.

>For a 'monitor' such as #4, just say no to webcam. <sorry>
Ditto! Notice I didn't even list that as an option...
That's not to say that there are no hidden surveillance cameras in the facilities...
That's not to say that there are no searches of personal belongings by guards at the door of every employee coming and going...

You're a lot more likely to have disgruntled employees by making them feel like they are untrustworthy. I personally wouldn't be giving my boss a whole lot of effort on this but explaining why he's off his rocker.

But if you really feel the need to forge ahead. You can look into document management programs like Hummingbird that are like libraries where documents are checked out. I can't tell you the full capabilities but it would give you an audit path of who had the file, when, and if they changed it.

Personally, I feel like managers have started leaning on technology because it's easier for them than being a good manager. I think that you should suggest some other strategies to your boss to safeguard your most important information, granted it's not foolproof but none of this is. But rotation of responsibilities is one thing, familiarity gets people feeling comfortable enough to do things like copying files and taking them. If somebody is only doing a given job for three months or a year at a time, they may not get comfortable enough to take the information.  Another idea is to Comparmentalize the data so it would be difficult for somebody to steal the data without colluding with a co-worker. This might be done by people working in close knit teams, sharing work areas. These things coupled with some technical measures might go a bit further.

Of course you could close your network and strip-search your employees as they come and go each day!
Setting up your network so that information is available only to those who need it is the first step.
A zero-based access policy is one in which nobody has access to anything unless explicity granted.
At that point auditing files is a moot point, though it does give you logs to review your access control lists.
If you want to contain the information you'll have to disable the local storage devices (and the USB ports), enable BIOS passwords, use case locks, and contain traffic outside the network to preclude FTP, email or other network transfers.
You'll also have to enforce password protected screen savers and other measures to protect consoles.
Rich RumbleSecurity SamuraiCommented:
KISS- Keep It Simple Stupid. Give Ntop a look. openxtra has a windows port that is free, or has the linux version for free. In addition to NTOP, setup windows to audit file access. Ntop and the windows log's were enough for us to prosecute a few former employess that printed off parts of our data-base as well as copying data to cd's. That would not of been admisable if they had not signed off on our audit policies at the begining of their employment.

While NTOP won't tell you detail like a specfic file being accessed or copied, it'd be easy to write a Snort rule to do so.
Ntop will be able to show a corrispondance between event-log's and user/server comunnication time wise.
ntop is a full featured tool, with hundreds of features, here is a summary of what ntop can do for you:

    * Display traffic statistics
    * Breakdown the network protocols running on your network
    * Store traffic statistics in RRDTool format for historical analysis and trending
    * Assist with identifying your users
    * Identify host operating systems without disturbing your network
    * Breakdown IP traffic by conversation
    * Breakdown IP traffic statistics by port
    * Breakdown IP traffic by subnet
    * Act as a NetFlow/sFlow probe and collector (as supported by Cisco, Juniper and Foundry devices (ntop) (SANS policy page)


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jmergulhaoAuthor Commented:

As usual you have all given me a wealth of information on this topic and i thank you all..
This security audit is definetly driven by the business in its efforts to stop employees from leaving with company documents which are valuable to competitors.  Ive advised them in past of this possibility and the emmidiate need to place better security policies in place but as usual it only gets priority when it bites them in the ASS..

My report will include the need for a strict detailed security policy which must be sighned by all employees and inforced by management. I will also be including a detail techninal report on how IT can help track users actions.

Tried the NTOP product and im going to deploy it on our critical data servers.. Do you have the SNORT rule which triggers file copy or can you point me the correct direction.  Ive played with SNORT but never wrote any specific rules but im sure theres one already out there..

Since everyone has basically answered and provided me with great info on this topic ill split the points amongst everyone as best as i can..



Rich RumbleSecurity SamuraiCommented:
The snort rule wouldn't be too hard to write... of the top of my head, it'd look something like this:

alert tcp any any <> $HOME_NET 139 (msg:"File Copy In Progress?"; flow:to_server,established; content:"|thisdocumnet.doc|"; sid:00000; rev:1;)

in the content section, you could either specify the document's name, or the folder's name. However that rule is too generic, and would trip when ever that file or folder were accessed SMB. The rule could be refined a bit more... but SMB is sometimes more difficult to write a "copy" rule for since there is no clear-cut command like with tftp or ftp "get" or "put".

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.