  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 320

How to monitor server-shared file copies

I have a Windows Server 2000 which stores sensitive, valuable information, and many of my company's employees need to access the information. I need a way to monitor the number of files and bytes that each user reads/copies to their local machine (or through a VPN).  My concern is that an employee could copy the entire folder to his machine, compress it, and email it to his personal email account or copy it to a CD/USB thumb drive, etc.

I would gladly pay for a 3rd party app, but I need alarms for file, number of bytes, and bytes-per-hour with email notifications preferably. I also must have limits on each of these parameters. And it must integrate with Windows Server 2000.

I've been looking for a suitable application for many months now without success, so I hope someone can help.

I will award the points to the person with the most efficient, cost-effective suggestion.

0
douglassisco
Asked:
1 Solution
 
darrenakin Commented:
This company here should have your solution, I have used their software in the past. http://www.nimsoft.com/solutions/server-monitoring/index.php
0
 
LindyMoff Commented:
Interesting product, though I don't see if it really monitors activity on the systems.  It's worth calling Nimsoft up though.

It's kind of too bad you can't just put everything on a web server, since downloads are much easier to track then.  Is that an option for you?

From a network standpoint, it is possible you could tune a snort rule that logs the filenames that people request from your server.  I'd have to give that some more thought.
0
 
douglassisco (Author) Commented:
At first glance I didn't see anything that tracks user file access. I'll have to look at this more closely.

No, we can't put everything on a web server (though it would be nice). We have users accessing spreadsheets, Word docs, text files, etc. and just want an app to monitor and possibly limit the number of files, bytes, and files per hour.
0
 
Rich Rumble (Security Samurai) Commented:
I know of no way to do this other than software like Spector Pro, keylogger, event tracker... must be installed on all users' PCs that you wish to get this info from, maybe BO2k can do most of this, I'm not sure: http://www.spectorsoft.com/  http://www.bo2k.com/featurelist.html

Security is really about trade-offs, and if you wish to secure the files and folders, you will likely have to change the way they are accessed. You also have to resign yourself to the fact that if someone wants this information, they can get it, and maybe not get caught. While the method of the theft might not be efficient, it may be undetectable... copying pieces of each file over a long period, taking screenshots of the data and emailing the images... There is a certain point where you have to stop, you can't possibly prevent each and every vector when you don't have or might not have control over the PC that is accessing the data. What if someone brought in a laptop, accessed the files/data with someone else's password, and copied the files to that... To mitigate in any one of these cases, you need to control where the data can be accessed from. And even then it's still possible to steal.
I think you're on the right track however, monitoring is a great deterrent. I'd suggest turning up the event logging settings on users' PCs and servers, and utilizing tools like Snare and GFI's SELM to alert and/or keep track of certain events and certain accessed folders. These tools will help you to parse the data easily without having to look through or search through screens and screens of logs. There are tools like Ntop that can monitor BW usage but not for particular files, you could traffic shape connections from this IP to that IP with your routers, but if the user is on the same switch and/or VLAN as the servers that will not apply. http://en.wikipedia.org/wiki/Traffic_shaping  http://wiki.ntop.org/mediawiki/index.php/Ntop
-rich
0
 
Rich Rumble (Security Samurai) Commented:
Links to Snare: http://www.intersectalliance.com/projects/Snare/  and SELM: http://www.gfi.com/lanselm/
Also, if you don't have them already here are some great policies for things like Sensitive information, Acceptable use etc... : http://www.sans.org/resources/policies/
-rich
0
 
douglassisco (Author) Commented:
Thanks for your comments, Rich.  

My clients are not very computer-savvy. They have access to many folders on the server each of which contains a number of very small documents. I was hoping to find an add-on or plug-in for Windows Server that will track the number of files-per-hour. Most users only edit a few files under normal circumstances, so a large file-copy would be detectable.

I agree, they COULD steal information slowly if they knew this monitoring were in place. But I don't intend to make them aware of it. And the easiest way to steal this information would be a large file-copy operation.

-Doug
0
 
LindyMoff Commented:
If there's really information you don't want other people to carry out of the company, you may want to re-evaluate ACLs on those file shares.  Do too many people have read access to sensitive information?

I think Rich really hit the valid points.  Even Documentum and MS Sharepoint use web-based services to better track who accesses files.
0
 
Rich Rumble (Security Samurai) Commented:
True, but screen captures are not detected with BW monitoring, or printing the pages out to a printer, or even a printer file. You'd be surprised that the unsavvy will do such tasks. We have audited plenty of companies/businesses where they (users) simply printed out the DB to the printer, and others that couldn't get a PDF (secured to not allow print) simply screenshotted it. I also think you'll get better tracking with something like SharePoint. You or your higher-ups will have to decide how far to take it, again I've been doing this a long time, and I know of no way to monitor a file copy or the contents of that copy without something like a spy program. Hopefully someone else does know. SpectorSoft's app is invisible to the users and doesn't show up in control panel or on their c: (basically a rootkit hiding itself from the explorer process).
If you turn up auditing, you can see what files or folders were accessed and by whom (assuming it's really them and not impersonating a co-worker). There are worst-case scenarios, I've seen entire servers stolen or the backup tapes or the HDs themselves... it's all about trade-offs.
Security isn't a program, it's a process.
-rich
0
 
douglassisco (Author) Commented:
Thanks for your comments, Rich and Lindy.

I don't want to install client-side software such as Spectorsoft. I've used this app and it's really neat but I don't want to purchase, install, configure, and maintain forty copies.

I'm not familiar with auditing, but if this feature can tell me what files are accessed and by whom then there should be a utility to monitor and report this information automatically.
0
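The files-per-hour check discussed above, as an added example that is not part of the original thread or any poster's code: it flags users who open more than a set number of distinct files inside a sliding one-hour window. It assumes the object-access audit records have already been reduced to (time, user, path) tuples; that layout, the threshold of 5 and the sample events are constructed for illustration, and the assumed records carry no byte counts, so only files are counted.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def bulk_readers(events, window=timedelta(hours=1), limit=5):
    """events: iterable of (time, user, path) tuples (assumed layout).
    Returns {user: {"first_alert": time, "peak": n}} for every user who
    opened more than `limit` distinct files within any sliding `window`."""
    recent = defaultdict(deque)          # user -> (time, path) still in window
    flagged = {}
    for ts, user, path in sorted(events):
        q = recent[user]
        q.append((ts, path.lower()))     # Windows paths are case-insensitive
        while ts - q[0][0] > window:     # drop accesses older than the window
            q.popleft()
        distinct = len({p for _, p in q})  # re-opening one file counts once
        if distinct > limit:
            hit = flagged.setdefault(user, {"first_alert": ts, "peak": distinct})
            hit["peak"] = max(hit["peak"], distinct)
    return flagged


def build_sample():
    """Constructed sample events; users and paths are hypothetical."""
    base = datetime(2006, 3, 1, 9, 0, 0)
    name = r"D:\Clients\Acme\doc%d.doc"
    rows = []
    # alice: normal editing, re-opens the same two files all morning
    for i in range(12):
        rows.append((base + timedelta(minutes=4 * i), "alice", name % (i % 2)))
    # bob: whole-folder copy, 40 distinct files in 80 seconds
    for i in range(40):
        rows.append((base + timedelta(hours=2, seconds=2 * i), "bob", name % i))
    # carol: 8 distinct files, one per hour; slow access stays under the limit
    for i in range(8):
        rows.append((base + timedelta(hours=i), "carol", name % (100 + i)))
    return rows


if __name__ == "__main__":
    for user, hit in bulk_readers(build_sample()).items():
        print("%s: over limit at %s, peak %d files/hour"
              % (user, hit["first_alert"], hit["peak"]))
```

Only the folder copy is flagged; the one-file-per-hour pattern passes, which is the slow-copy limitation raised earlier in the thread.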
 
Rich Rumble (Security Samurai) Commented:
There is a header that tells what it is, I've never looked that closely or changed the defaults so I'm not sure what to look for... but by default, XP SP1 and greater is AES, using anything other than AES you're stepping backward in encryption strength
http://support.microsoft.com/kb/329741
http://technet2.microsoft.com/WindowsServer/en/library/997fdd99-73ec-4041-9cf4-1370739a59201033.mspx?mfr=true
DESX was used in win2k, 3DES was XP, and AES is XP SP1 and 2003's default. I've moved files between older OS's and the newer OS can read them fine, however, files created on newer OS's using AES cannot be moved to the older OS, but I haven't tried this lately... maybe you can now.
-rich

0
 
Rich Rumble (Security Samurai) Commented:
Geez... sorry wrong window/tab... duhh
-rich
0
 
douglassisco (Author) Commented:
Looks like there's no good answer here.  But just for giving me some good advice I'm going to give the points to Rich.

Thanks.
0
 