Solved

How to monitor server-shared file copies

Posted on 2006-11-01
Last Modified: 2010-05-18
I have a Windows Server 2000 which stores sensitive, valuable information, and many of my company's employees need to access the information. I need a way to monitor the number of files and bytes that each user reads/copies to their local machine (or through a VPN).  My concern is that an employee could copy the entire folder to his machine, compress it, and email it to his personal email account or copy it to a CD/USB thumb drive, etc.

I would gladly pay for a 3rd party app, but I need alarms for file, number of bytes, and bytes-per-hour with email notifications preferably. I also must have limits on each of these parameters. And it must integrate with Windows server 2000.

I've been looking for a suitable application for many months now without success, so I hope someone can help.

I will award the points to the person with the most efficient, cost-effective suggestion.

Question by:douglassisco
13 Comments
 
LVL 5

Expert Comment

by:darrenakin
ID: 17855180
This company here should have your solution; I have used their software in the past. http://www.nimsoft.com/solutions/server-monitoring/index.php
0
 
LVL 6

Expert Comment

by:LindyMoff
ID: 17857429
Interesting product, though I don't see if it really monitors activity on the systems.  It's worth calling Nimsoft up though.

It's kind of too bad you can't just put everything on a web server, since downloads are much easier to track then.  Is that an option for you?

From a network standpoint, it is possible you could tune a snort rule that logs the filenames that people request from your server.  I'd have to give that some more thought.
0
 

Author Comment

by:douglassisco
ID: 17857633
At first glance I didn't see anything that tracks user file access. I'll have to look at this more closely.

No, we can't put everything on a web server (though it would be nice). We have users accessing spreadsheets, Word docs, text files, etc. and just want an app to monitor and possibly limit the number of files, bytes, and files per hour.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17858504
I know of no way to do this other than software like Spector Pro, keylogger, event tracker... must be installed on all users' PCs that you wish to get this info from, maybe BO2k can do most of this, I'm not sure: http://www.spectorsoft.com/  http://www.bo2k.com/featurelist.html

Security is really about trade-offs, and if you wish to secure the files and folders, you will likely have to change the way they are accessed. You also have to resign yourself to the fact that if someone wants this information, they can get it, and maybe not get caught. While the method of the theft might not be efficient, it may be undetectable... copying pieces of each file over a long period, taking screenshots of the data and emailing the images... There is a certain point where you have to stop; you can't possibly prevent each and every vector when you don't have or might not have control over the PC that is accessing the data. What if someone brought in a laptop, accessed the files/data with someone else's password, and copied the files to that... To mitigate in any one of these cases, you need to control where the data can be accessed from. And even then it's still possible to steal.
I think you're on the right track however, monitoring is a great deterrent. I'd suggest turning up the event logging settings on users' and servers' PCs, and utilizing tools like Snare and GFI's SELM to alert and/or keep track of certain events and certain accessed folders. These tools will help you to parse the data easily without having to look through or search through screens and screens of logs. There are tools like Ntop that can monitor BW usage but not for particular files; you could traffic shape connections from this IP to that IP with your routers, but if the user is on the same switch and/or VLAN as the servers that will not apply. http://en.wikipedia.org/wiki/Traffic_shaping  http://wiki.ntop.org/mediawiki/index.php/Ntop
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17858573
Links to snare: http://www.intersectalliance.com/projects/Snare/  and SELM: http://www.gfi.com/lanselm/
Also, if you don't have them already here are some great policies for things like Sensitive information, Acceptable use etc... : http://www.sans.org/resources/policies/
-rich
0
 

Author Comment

by:douglassisco
ID: 17858601
Thanks for your comments, Rich.  

My clients are not very computer-savvy. They have access to many folders on the server each of which contains a number of very small documents. I was hoping to find an add-on or plug-in for Windows Server that will track the number of files-per-hour. Most users only edit a few files under normal circumstances, so a large file-copy would be detectable.

I agree, they COULD steal information slowly if they knew this monitoring were in place. But I don't intend to make them aware of it. And the easiest way to steal this information would be a large file-copy operation.

-Doug
0
 
LVL 6

Expert Comment

by:LindyMoff
ID: 17858652
If there's really information you don't want other people to carry out of the company, you may want to re-evaluate ACLs on those file shares.  Do too many people have read access to sensitive information?

I think Rich really hit the valid points.  Even Documentum and MS Sharepoint use web-based services to better track who accesses files.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 17858722
True, but screen captures are not detected with BW monitoring, or printing the pages out to a printer, or even a printer file; you'd be surprised that the unsavvy will do such tasks. We have audited plenty of companies/businesses where they (users) simply printed out the DB to the printer, and others that couldn't get a PDF (secured to not allow print) simply screenshotted it. I also think you'll get better tracking with something like SharePoint. You or your higher-ups will have to decide how far to take it; again I've been doing this a long time, and I know of no way to monitor a file copy or the contents of that copy without something like a spy program. Hopefully someone else does know. Spectorsoft's app is invisible to the users and doesn't show up in control panel or on their c: (basically a rootkit hiding itself from the explorer process).
If you turn up auditing, you can see what files or folders were accessed and by whom (assuming it's really them and not impersonating a co-worker). There are worst-case scenarios, I've seen entire servers stolen or the backup tapes or the HDs themselves... it's all about trade-offs.
Security isn't a program, it's a process.
-rich
0
 

Author Comment

by:douglassisco
ID: 17862468
Thanks for your comments, Rich and Lindy.

I don't want to install client-side software such as Spectorsoft. I've used this app and it's really neat but I don't want to purchase, install, configure, and maintain forty copies.

I'm not familiar with auditing, but if this feature can tell me what files are accessed and by whom then there should be a utility to monitor and report this information automatically.
0
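Added example, not part of any post in this thread: one way to turn the server-side auditing suggested above into the files-per-hour and bytes-per-hour alarms the question asks for. It assumes the object-access audit records have been exported to CSV; the column names, the `bytes` column (file size joined in from a directory listing), the thresholds and the sample rows are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

def _sample():
    # Constructed sample export; columns are assumptions, not a real log format.
    lines = ["time,user,object,bytes",
             "2006-11-01 09:05:11,alice,D:\\Clients\\a.doc,20480",
             "2006-11-01 09:05:12,alice,D:\\Clients\\a.doc,20480",  # duplicate record
             "2006-11-01 09:40:00,alice,D:\\Clients\\b.xls,10240",
             "2006-11-01 10:02:00,carol,D:\\Clients\\big.mdb,500000"]
    # One user opening eight different files within a minute (bulk copy pattern).
    lines += ["2006-11-01 14:00:%02d,BOB,D:\\Clients\\f%d.doc,30000" % (i, i)
              for i in range(8)]
    return "\n".join(lines)

SAMPLE_LOG = _sample()

def hourly_usage(rows):
    """Return {(user, hour): [set of distinct files, total bytes]}."""
    usage = defaultdict(lambda: [set(), 0])
    for row in rows:
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["user"].lower(), ts.replace(minute=0, second=0))
        name = row["object"].lower()
        # A single open can produce several audit records; count each
        # file once per user per hour so duplicates do not inflate totals.
        if name not in usage[key][0]:
            usage[key][0].add(name)
            usage[key][1] += int(row["bytes"])
    return usage

def find_alerts(csv_text, max_files=5, max_bytes=200000):
    """List (user, hour, file count, bytes, reasons) for buckets over a limit."""
    usage = hourly_usage(csv.DictReader(io.StringIO(csv_text)))
    alerts = []
    for user, hour in sorted(usage):
        files, total = usage[(user, hour)]
        reasons = []
        if len(files) > max_files:
            reasons.append("files")
        if total > max_bytes:
            reasons.append("bytes")
        if reasons:
            alerts.append((user, hour.strftime("%Y-%m-%d %H:00"),
                           len(files), total, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

As the accepted answer notes, this only sees what the audit log records: slow copying under the thresholds, screenshots and printing do not show up in it.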
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17863481
There is a header that tells what it is, I've never looked that closely or changed the defaults so I'm not sure what to look for... but by default, XP SP1 and greater is AES; using anything other than AES you're stepping backward in encryption strength
http://support.microsoft.com/kb/329741
http://technet2.microsoft.com/WindowsServer/en/library/997fdd99-73ec-4041-9cf4-1370739a59201033.mspx?mfr=true
DESX was used in win2k, 3DES was XP, and AES is XP SP1 and 2003's default. I've moved files between older OS's and the newer OS can read them fine, however, files created on newer OS's using AES cannot be moved to the older OS, but I haven't tried this lately... maybe you can now.
-rich

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17863485
Geez... sorry wrong window/tab... duhh
-rich
0
 

Author Comment

by:douglassisco
ID: 17891429
Looks like there's no good answer here.  But just for giving me some good advice I'm going to give the points to Rich.

Thanks.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17891544
0
