Solved

Please provide a Step by Step on how to track a user on the system

Posted on 2006-11-08
Last Modified: 2010-04-18
My boss has a concern that a particular user may be copying sensitive information or abusing their access rights on the network. She has asked me to find out if there is a way of tracking this user to see when they are logging on to the server, their own PC, accessing files, copying files, where they are copying files to, editing files and deleting files.
Is this possible? If so, exactly how would I go about setting this up in such a way that would be easy to report on? I would like to provide a report that says, for example:
On Monday @ 9:11 a.m. they logged onto their machine, at 9:21 a.m. they read a file on such and such a shared folder, they then copied another file to their hard drive @ 10:15 a.m. They then logged off at 11:00 a.m.
 
Question by:Bartley1969

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 150 total points
ID: 17898732
You can't quite do all of that... but you can get a lot.  You need to enable auditing on her PC and the server(s) where the files are.  Then you need to select the files you want audited and enable auditing on them.  It is NOT recommended that you enable auditing on ALL files as this can cause a negative impact on system performance.

Auditing can tell you:
 1. When a user logs on or off
 2. When a file is accessed or deleted

As for otherwise protecting data and determining when and where a file is copied is not possible through any included means I've seen.  There are document management products available, but they typically cost $1000's (sorry, no recommendations on these as I've only read about them and that was a while ago).  You could implement scripts to prevent the use of USB external storage as well as disabling CD burners and floppy drives (removing them).  Then you have to worry about e-mail - this is where network security software can play a role - again, EXPENSIVE and I've only read about it.

Basically, there are solutions, but unless you're willing to spend BIG money, I don't know any for small business.

Assisted Solution

by:AdamRobinson
AdamRobinson earned 350 total points
ID: 17898779
Auditing, for Server 2003:

http://technet2.microsoft.com/windowsserver/en/technologies/featured/audit/default.mspx

Auditing, for XP:

http://itinfo.mit.edu/article.php?id=7324

You are talking about a very broad category of actions, and there's no simple how-to on protecting yourself from internal security threats.

If you are truly worried, and this isn't just a paranoid boss, you have a responsibility to your workplace and any potential clients to lock that employee out from the system.  Once the information is taken, it is gone -- it is no different than opening it to the whole world.  Sitting back "wondering whether it is going on," while it is happening is no different than actively encouraging it, except perhaps legally.

My real question would be: Why would the boss think this if you clearly have no evidence of its occurring since you have no current way of tracking?

Leew did leave out one simple, and inexpensive means, of figuring this out, though it may not necessarily be legal in your situation (though it likely is).  You could install a keylogger on the employee's computer, and run a low quality screen capture if you're not able to purchase software or do any of the other things previously mentioned.  Please be aware that a computer savvy employee (especially if you grant him or her administrative rights), will likely be able to detect this, granted it doesn't seem you're all that familiar with the idea of internal security management.

Let me know if that helps, or if you have any other specific questions.

Accepted Solution

by:AdamRobinson
AdamRobinson earned 350 total points
ID: 17898826
Assuming you may want to eventually apply some sort of file auditing to all users (please beware, Leew's comment on system performance is important if you go overboard), here is a link on how to do it with Group Policy:

http://technet2.microsoft.com/WindowsServer/en/library/3b5204b3-8b18-4b14-babd-a81532331af61033.mspx?mfr=true
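
The report the question asks for can be built from the two audit categories named in the answers above (logon/logoff and object access). The Python script below is an added example, not part of any poster's reply: the CSV column layout, account names and sample rows are constructed assumptions, while the event IDs are the standard Security-log IDs for Server 2003/XP and their later equivalents.

```python
import csv
import io
from datetime import datetime

# Security-log event IDs for logon/logoff and object-access auditing.
# First three rows: Server 2003/XP. Last two rows: Vista/Server 2008 and later.
EVENTS = {
    528: "logged on", 540: "logged on over the network",
    538: "logged off", 551: "initiated logoff",
    560: "opened audited object", 564: "deleted audited object",
    4624: "logged on", 4634: "logged off", 4647: "initiated logoff",
    4656: "opened audited object", 4660: "deleted audited object",
}

# Constructed sample export; the column names are an assumed layout.
SAMPLE_CSV = """TimeGenerated,EventID,Computer,User,Object
2006-11-06 09:21:40,560,FILESRV01,CORP\\jdoe,D:\\Shares\\Finance\\budget.xls
2006-11-06 09:11:02,528,PC-017,CORP\\jdoe,
2006-11-06 09:30:00,560,FILESRV01,CORP\\asmith,D:\\Shares\\HR\\roster.doc
2006-11-06 10:15:12,564,FILESRV01,corp\\JDoe,D:\\Shares\\Finance\\old.xls
2006-11-06 10:20:00,576,PC-017,CORP\\jdoe,
not-a-date,528,PC-017,CORP\\jdoe,
2006-11-06 11:00:31,538,PC-017,CORP\\jdoe,
"""

def build_timeline(csv_text, account):
    """Return time-ordered report lines for one account (DOMAIN\\user)."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        try:
            when = datetime.strptime(rec["TimeGenerated"], "%Y-%m-%d %H:%M:%S")
            event_id = int(rec["EventID"])
        except (KeyError, ValueError, TypeError):
            continue  # skip malformed rows instead of aborting the report
        if (rec.get("User") or "").lower() != account.lower():
            continue  # Windows account names are case-insensitive
        if event_id not in EVENTS:
            continue  # event outside logon/logoff and object access
        line = f"{when:%a %Y-%m-%d %H:%M} [{rec['Computer']}] {EVENTS[event_id]}"
        if rec.get("Object"):
            line += f" {rec['Object']}"
        rows.append((when, line))
    return [text for _, text in sorted(rows)]

if __name__ == "__main__":
    print("\n".join(build_timeline(SAMPLE_CSV, "CORP\\jdoe")))
```

Object-access events record that a handle to an audited file was opened or that the file was deleted, not where the data went afterwards, so the timeline cannot show a copy destination.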
