Solved

How to monitor server-shared file copies

Posted on 2006-11-01
Last Modified: 2010-05-18
I have a Windows Server 2000 which stores sensitive, valuable information, and many of my company's employees need to access the information. I need a way to monitor the number of files and bytes that each user reads/copies to their local machine (or through a VPN).  My concern is that an employee could copy the entire folder to his machine, compress it, and email it to his personal email account or copy it to a CD/USB thumb drive, etc.

I would gladly pay for a 3rd party app, but I need alarms for file, number of bytes, and bytes-per-hour with email notifications preferably. I also must have limits on each of these parameters. And it must integrate with Windows server 2000.

I've been looking for a suitable application for many months now without success, so I hope someone can help.

I will award the points to the person with the most efficient, cost-effective suggestion.

Question by:douglassisco
13 Comments
 
LVL 5

Expert Comment

by:darrenakin
ID: 17855180
This company here should have your solution, I have used their software in the past. http://www.nimsoft.com/solutions/server-monitoring/index.php
0
 
LVL 6

Expert Comment

by:LindyMoff
ID: 17857429
Interesting product, though I don't see if it really monitors activity on the systems.  It's worth calling Nimsoft up though.

It's kind of too bad you can't just put everything on a web server, since downloads are much easier to track then.  Is that an option for you?

From a network standpoint, it is possible you could tune a snort rule that logs the filenames that people request from your server.  I'd have to give that some more thought.
0
 

Author Comment

by:douglassisco
ID: 17857633
At first glance I didn't see anything that tracks user file access. I'll have to look at this more closely.

No, we can't put everything on a web server (though it would be nice). We have users accessing spreadsheets, Word docs, text files, etc. and just want an app to monitor and possibly limit the number of files, bytes, and files per hour.
0

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17858504
I know of no way to do this other than software like Spector pro, keylogger, event tracker... must be installed on all users' PCs that you wish to get this info from, maybe BO2k can do most of this, I'm not sure: http://www.spectorsoft.com/  http://www.bo2k.com/featurelist.html

Security is really about trade-offs, and if you wish to secure the files and folders, you will likely have to change the way they are accessed. You also have to resign yourself to the fact that if someone wants this information, they can get it, and maybe not get caught. While the method of the theft might not be efficient, it may be undetectable... copying pieces of each file over a long period, taking screen shots of the data and emailing the images... There is a certain point where you have to stop, you can't possibly prevent each and every vector when you don't have or might not have control over the PC that is accessing the data. What if someone brought in a laptop, accessed the files/data with someone else's password, and copied the files to that... To mitigate in any one of these cases, you need to control where the data can be accessed from. And even then it's still possible to steal.
I think you're on the right track however, monitoring is a great deterrent. I'd suggest turning up the event logging settings on users' PCs and servers, and utilizing tools like Snare and GFI's SELM to alert and/or keep track of certain events and certain accessed folders. These tools will help you to parse the data easily without having to look through or search through screens and screens of logs. There are tools like Ntop that can monitor BW usage but not for particular files, you could traffic shape connections from this IP to that IP with your routers, but if the user is on the same switch and/or VLAN as the servers that will not apply. http://en.wikipedia.org/wiki/Traffic_shaping  http://wiki.ntop.org/mediawiki/index.php/Ntop
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17858573
Links to snare: http://www.intersectalliance.com/projects/Snare/  and SELM: http://www.gfi.com/lanselm/ 
Also, if you don't have them already here are some great policies for things like Sensitive information, Acceptable use etc... : http://www.sans.org/resources/policies/
-rich
0
 

Author Comment

by:douglassisco
ID: 17858601
Thanks for your comments, Rich.  

My clients are not very computer-savvy. They have access to many folders on the server each of which contains a number of very small documents. I was hoping to find an add-on or plug-in for Windows Server that will track the number of files-per-hour. Most users only edit a few files under normal circumstances, so a large file-copy would be detectable.

I agree, they COULD steal information slowly if they knew this monitoring were in place. But I don't intend to make them aware of it. And the easiest way to steal this information would be a large file-copy operation.

-Doug
0
 
LVL 6

Expert Comment

by:LindyMoff
ID: 17858652
If there's really information you don't want other people to carry out of the company, you may want to re-evaluate ACLs on those file shares.  Do too many people have read access to sensitive information?

I think Rich really hit the valid points.  Even Documentum and MS Sharepoint use web-based services to better track who accesses files.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 17858722
True, but screen captures are not detected with BW monitoring, or printing the pages out to a printer, or even a printer file, you'd be surprised that the unsavvy will do such tasks. We have audited plenty of companies/businesses where they (users) simply printed out the DB to the printer, and others that couldn't get a PDF (secured to not allow print) simply screen shotted it. I also think you'll get better tracking with something like SharePoint. You or your higher-ups will have to decide how far to take it, again I've been doing this a long time, and I know of no way to monitor a file copy or the contents of that copy without something like a spy program. Hopefully someone else does know. Spectorsoft's app is invisible to the users and doesn't show up in control panel or on their c: (basically a root kit hiding itself from the explorer process).
If you turn up auditing, you can see what files or folders were accessed and by whom (assuming it's really them and not impersonating a co-worker). There are worst-case scenarios, I've seen entire servers stolen or the backup tapes or the HDs themselves... it's all about trade-offs.
Security isn't a program, it's a process.
-rich
0
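The files-per-hour alarm discussed in this thread, sketched over audit data as an added example that no participant posted: it assumes object-access auditing is enabled on the shared folders and the Security log has been exported to CSV as timestamp, event ID, user, object name (an assumed layout). Event 560 is the Windows 2000 "Object Open" audit event; the function name, thresholds and sample rows are constructed.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: alice works normally, bob opens 30 files in 30 minutes.
_normal = [
    r"2006-11-01 09:02:11,560,ACME\alice,D:\Clients\A\notes.doc",
    r"2006-11-01 09:40:00,560,ACME\alice,D:\Clients\A\notes.doc",
    r"2006-11-01 10:15:30,560,ACME\alice,D:\Clients\B\quote.xls",
    r"2006-11-01 10:20:00,562,ACME\alice,D:\Clients\B\quote.xls",  # handle closed, ignored
]
_bulk = [rf"2006-11-01 14:{m:02d}:00,560,ACME\bob,D:\Clients\F{m}\doc.xls"
         for m in range(30)]
SAMPLE_EXPORT = "\n".join(_normal + _bulk)


def bulk_readers(export_text, max_files=20, window=timedelta(hours=1),
                 event_id="560"):
    """Return {user: peak distinct files opened within any sliding window}
    for every user whose peak exceeds max_files."""
    recent = defaultdict(deque)  # user -> (time, path) pairs still inside the window
    peaks = {}
    # ISO-style timestamps sort chronologically as plain strings.
    for row in sorted(csv.reader(io.StringIO(export_text))):
        if len(row) != 4 or row[1] != event_id:
            continue  # skip blank/malformed rows and non-open events
        ts, _, user, path = row
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append((t, path.lower()))  # NTFS paths are case-insensitive
        while t - q[0][0] > window:  # drop opens older than the window
            q.popleft()
        # Count distinct files so re-opening one document is not an alarm.
        distinct = len({p for _, p in q})
        if distinct > max_files:
            peaks[user] = max(peaks.get(user, 0), distinct)
    return peaks


if __name__ == "__main__":
    for user, count in bulk_readers(SAMPLE_EXPORT).items():
        print(f"ALERT {user}: {count} distinct files opened within one hour")
```

An open event records that a handle was requested, not that the file was copied or how many bytes were read, so the count is an upper bound on files taken and says nothing about screenshots or printing.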
 

Author Comment

by:douglassisco
ID: 17862468
Thanks for your comments, Rich and Lindy.

I don't want to install client-side software such as Spectorsoft. I've used this app and it's really neat but I don't want to purchase, install, configure, and maintain forty copies.

I'm not familiar with auditing, but if this feature can tell me what files are accessed and by whom then there should be a utility to monitor and report this information automatically.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17863481
There is a header that tells what it is, I've never looked that closely or changed the defaults so I'm not sure what to look for... but by default, XP SP1 and greater is AES, using anything other than AES you're stepping backward in encryption strength
http://support.microsoft.com/kb/329741
http://technet2.microsoft.com/WindowsServer/en/library/997fdd99-73ec-4041-9cf4-1370739a59201033.mspx?mfr=true
DESX was used in win2k, 3DES was XP, and AES is XP SP1 and 2003's default. I've moved files between older OS's and the newer OS can read them fine, however, files created on newer OS's using AES cannot be moved to the older OS, but I haven't tried this lately... maybe you can now.
-rich

0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17863485
Geez... sorry wrong window/tab... duhh
-rich
0
 

Author Comment

by:douglassisco
ID: 17891429
Looks like there's no good answer here.  But just for giving me some good advice I'm going to give the points to Rich.

Thanks.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17891544
0
