We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you a podcast all about Citrix Workspace, moving to the cloud, and analytics & intelligence. Episode 2 coming soon!Listen Now

x

Please provide a Step by Step on how to track a user on the system

Bartley1969
Bartley1969 asked
on
Medium Priority
172 Views
Last Modified: 2010-04-18
My boss has a concern that a particular user may be copying sensitive information or abusing their access rights on the netowrk. She has asked me to find out if there is a way of tracking this user to see when they are loggin on to the server, their own PC, accessing files, copying files where they are coipying files to, editing files and deleting files.
Is this posible, if so, exactly how would I go about setting this up in such a way that would be easy to report on. Therefore, I would like to provide a report that says for example:
On Monday @ 9:11 a.m. they logged onto their machine, at 9:21 a.m. they read a file on such and such a shared folder, they then copied another file to their hard drive @ 10:15 a.m. . They then logged off at 11:00a.m.
 
Comment
Watch Question

Lee W, MVPTechnology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013
Commented:
You can't quite do all of that... but you can get a lot.  You need to enable auditing on her PC and the server(s) where the files are.  Then you need to select the files you want audited and enable auditing on them.  It is NOT recommended that you enable auditing on ALL files as this can cause a negative impact on system performance.

Auditing can tell you:
 1. When a user logs on or off
 2. When a file is accessed or deleted

As for otherwise protecting data and determining when and where a file is copied is not possible through any included means I've seen.  There are document management products available, but they typically cost $1000's (sorry, no recommendations on these as I've only read about them and that was a while ago).  You could implement scripts to prevent the use of USB external storage as well as disabling CD burners and floppy drives (removing them).  Then you have to worry about e-mail - this is where network security software can play a role - again, EXPENSIVE and I've only read about it.

Basically, there are solutions, but unless you're willing to spend BIG money, I don't know any for small business.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
Auditing, for Server 2003:

http://technet2.microsoft.com/windowsserver/en/technologies/featured/audit/default.mspx

Auditing, for XP:

http://itinfo.mit.edu/article.php?id=7324

You are talking about a very broad category of actions, and there's no simple how-to on protecting yourself from internal security threats.

If you are truly worried, and this isn't just a paranoid boss, you have a responsibility to your workplace and any potential clients to lock that employee out from the system.  Once the information is taken, it is gone -- it is no different than opening it to the whole world.  Sitting back "wondering whether it is going on," while it is happening is no different than actively encouraging it, except perhaps legally.

My real question would be: Why would the boss think this if you clearly have no evidence of its occuring since you have no current way of tracking?

Leew did leave out one simple, and inexpensive means, of figuring this out, though it may not necessarily be legal in your situation (though it likely is).  You could install a keylogger on the employee's computer, and run a low quality screen capture if you're not able to purchase software or do any of the the other things previously mentioned.  Please be aware that a computer savvy employee (especially if you grant him or her administrative rights), will likely be able to detect this, granted it doesn't seem you're all that familiar with the idea of internal security management.

Let me know if that helps, or if you have any other specific questions.
Assuming you may want to eventually apply some sort of file auditing to all users (please beware, Leew's comment on system performance is important if you go overboard), here is a link on how to do it with Group Policy:

http://technet2.microsoft.com/WindowsServer/en/library/3b5204b3-8b18-4b14-babd-a81532331af61033.mspx?mfr=true

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.