Catching peeping toms

Medium Priority
672 Views
Last Modified: 2013-11-29
Involved in maintaining internal security, what are my options if we want to make sure that some 'high value' desktops are adequately protected from all 'peeping toms' within our organisation, even if they include our internal IT members having local admin rights on those desktops.

The desktops belong to senior management and I would like to keep them secure from all unwanted snoopers.

I cannot detach them from the Windows domain, so domain admins remain within the trusted zone. I was looking for some utility that logs all incoming IP requests for terminal connection (not only mstsc) and the time spent by these sniffers. Something that would enable me to log all remote activities being performed on these specific systems and available for analysis later would be very helpful.

Depending on what network gear you have in your underlying LAN, you can consider implementing a separate VLAN for your execs and use access-lists to filter traffic allowed INTO that VLAN (which really should be nothing, except for any remote access needed by authorized hosts).
The access-lists give you the flexibility of being pretty secure, and you can easily audit traffic being filtered by these ACLs.

Commented:
Also make sure these workstations are properly locked down.  As far as methodology for this goes, work from the premise that everything is going to be locked/blocked/inaccessible and "loosen the screws" until everything the user needs on their workstation works.  Build a solid wall and then knock holes in it to add the doors and windows instead of vice-versa.  Use things such as Group Policy, software restrictions, security software, patches, and access control if you're in a Windows environment to lock things down at the computer level.

Also if in a Windows environment make sure to make these users a member of a "Senior Management" AD group and apply permissions to sensitive files and folders using that group to lock things at the user level.

When it comes to security, remember two things:

1)  Secure in Layers.  Do not depend on one comprehensive solution to do the job.  Apply security at multiple layers on multiple points, both physically and logically.  You have Hardware and Software.  Computers and Users.  Go from Endpoint A to Endpoint B on how a user needs to get to a sensitive resource, and think about what you can add/remove/configure on all the points in between.

2)  C.I.A.  When applying security on a resource, ensure all three points of the C.I.A. method are applied and working:

Confidentiality.
Integrity.
Accessibility.

Author

Commented:
Thanks guys for the insights!!

While I put this design in place, is there some way I can solely monitor / record attempts by the guys attempting to have a look at the information available on these PCs?
Rich Rumble, Security Samurai (Certified Expert, Top Expert 2006)

Commented:
You can secure and monitor a Windows PC without needing to place it on a separate subnet, but Access Control Lists are a must. You have to trust your IT staff to a certain point; if you can't, you need a new staff. You can monitor using Windows event logs, by turning them up from the defaults to more verbose settings. http://www.gfi.com/eventsmanager The GFI agents are trustworthy, and can be set up to prevent tampering.
The easy way to secure the PC is to allow only certain users to access the Remote Desktop group; by default anyone in the administrators group, or the local admin, is allowed to RDP into a PC. You can also disallow interactive logon for users that have no reason to access those machines: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.group_policy&tid=8915889a-f1cb-4c93-9ad0-b4606da72902&cat=&lang=&cr=&sloc=&p=1
Or move users to the Guest group...
-rich

Author

Commented:
Richrumble, I need a bit of clarification on your statement that "we can secure and monitor a windows PC without needing to place them on a separate subnet, but Access Control Lists are a must." I was wondering, isn't the only way to do this to put these PCs that need to be protected on a separate IP/port subnet on my core/edge switches, create a VLAN IP and bind various access lists to it for the traffic flowing in and out of this subnet?

Is there an easier method to protect using Access control lists?
Rich Rumble, Security Samurai (Certified Expert, Top Expert 2006)

Commented:
The Windows firewall is capable of doing that, but you can also restrict on user account as opposed to IP/subnet address. Doing username restrictions combines authentication and authorization. You could add more authorization by restricting subnets/PCs if you wish. You can prevent certain users/groups from mounting the C$ or print shares with account permissions rather than IP address. ACLs are typically associated with firewall/router rules... I should have said permissions instead :)

Segregation of traffic is a great best practice: keeping user subnets from reaching production subnets and the reverse, keeping prod from accessing user. Separate subnets and access lists are good, but if someone you don't want to access xyz comes in from a trusted subnet somehow, and you don't deny their account or the group they are in, they can LIKELY still access the host you want to keep them off of.
-rich
Rich Rumble, Security Samurai (Certified Expert, Top Expert 2006)
Commented:
I think permissions lend themselves to a faster and easier solution. Nothing is perfect, but denying accounts is easier to do than setting up separate subnets, firewall rules, static routes etc... Monitoring is also essential. GFI has a great product, and there are others; Snare is an open-source tool that is useful.
-rich
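Two points in this thread lend themselves to a worked example: Rich's advice to monitor remote access through the Windows event log (turned up from its defaults), and his later point that a subnet ACL alone will not stop an unauthorised account arriving from a trusted subnet, so the account must be checked too. The script below is an added example, not code from the thread, from GFI or from Snare. It assumes the Security events have already been exported by some agent as one JSON object per line with the fields shown; the sample events, the CORP accounts and the 10.50.0.0/24 "helpdesk" subnet are constructed for illustration. The event IDs and logon types are the standard Windows Security log values: 4624 logon, 4625 failed logon, 4634 logoff; LogonType 10 is RemoteInteractive (RDP), 3 is Network (for example mounting C$), 2 is the local console.

```python
import ipaddress
import json
from datetime import datetime

# Constructed sample export (not real log data): one JSON event per line, as a
# log agent might emit Security events. Domain\user is JSON-escaped.
SAMPLE_EVENTS = r"""
{"EventID":4624,"Time":"2013-11-29T08:02:10","Account":"CORP\\ceo","LogonType":2,"SourceIP":"-","LogonId":"0x1a1"}
{"EventID":4624,"Time":"2013-11-29T09:00:00","Account":"CORP\\helpdesk-jsmith","LogonType":10,"SourceIP":"10.50.0.15","LogonId":"0x2b2"}
{"EventID":4634,"Time":"2013-11-29T09:12:30","Account":"CORP\\helpdesk-jsmith","LogonType":10,"SourceIP":"-","LogonId":"0x2b2"}
{"EventID":4624,"Time":"2013-11-29T11:05:00","Account":"CORP\\it-admin","LogonType":10,"SourceIP":"10.50.0.20","LogonId":"0x3c3"}
{"EventID":4634,"Time":"2013-11-29T11:40:00","Account":"CORP\\it-admin","LogonType":10,"SourceIP":"-","LogonId":"0x3c3"}
{"EventID":4624,"Time":"2013-11-29T12:00:00","Account":"CORP\\helpdesk-jsmith","LogonType":3,"SourceIP":"192.168.7.44","LogonId":"0x4d4"}
{"EventID":4625,"Time":"2013-11-29T12:30:00","Account":"CORP\\it-admin","LogonType":10,"SourceIP":"192.168.7.44","LogonId":"0x0"}
{"EventID":4625,"Time":"2013-11-29T12:30:05","Account":"CORP\\it-admin","LogonType":10,"SourceIP":"192.168.7.44","LogonId":"0x0"}
{"EventID":4625,"Time":"2013-11-29T12:30:09","Account":"CORP\\it-admin","LogonType":10,"SourceIP":"192.168.7.44","LogonId":"0x0"}
"""

# Hypothetical policy for one executive desktop (assumptions for the example):
# which accounts may connect remotely, and from which subnet.
ALLOWED_REMOTE_ACCOUNTS = {"CORP\\helpdesk-jsmith"}
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Standard Windows logon types that mean "someone came in over the network".
REMOTE_LOGON_TYPES = {3: "network", 10: "rdp"}


def parse_events(text):
    """Parse one JSON event per non-empty line, keeping log order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate_sessions(events):
    """Pair each remote 4624 logon with its 4634 logoff via LogonId.

    'duration_s' stays None when no logoff was captured (session still open).
    """
    open_sessions, sessions = {}, []
    for ev in events:
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4624 and ev["LogonType"] in REMOTE_LOGON_TYPES:
            session = {"account": ev["Account"], "source_ip": ev["SourceIP"],
                       "kind": REMOTE_LOGON_TYPES[ev["LogonType"]],
                       "start": when, "duration_s": None}
            open_sessions[ev["LogonId"]] = session
            sessions.append(session)
        elif ev["EventID"] == 4634 and ev["LogonId"] in open_sessions:
            session = open_sessions.pop(ev["LogonId"])
            session["duration_s"] = int((when - session["start"]).total_seconds())
    return sessions


def check_policy(sessions, allowed_accounts=ALLOWED_REMOTE_ACCOUNTS,
                 allowed_nets=ALLOWED_SOURCE_NETS):
    """Flag sessions failing the account rule, the subnet rule, or both.

    Both are checked independently: a subnet ACL alone passes an unauthorised
    account on a trusted subnet, and an account rule alone passes an
    authorised account used from the wrong place.
    """
    findings = []
    for s in sessions:
        reasons = []
        if s["account"] not in allowed_accounts:
            reasons.append("account not permitted remote access")
        try:
            ip = ipaddress.ip_address(s["source_ip"])
            if not any(ip in net for net in allowed_nets):
                reasons.append("source outside allowed subnet")
        except ValueError:
            reasons.append("no source address recorded")
        if reasons:
            findings.append((s["account"], s["source_ip"], s["kind"], reasons))
    return findings


def failed_logons(events):
    """Count 4625 failures per (account, source IP); repeated failures against
    one sensitive desktop are the snooping signal worth alerting on."""
    counts = {}
    for ev in events:
        if ev["EventID"] == 4625:
            key = (ev["Account"], ev["SourceIP"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    sessions = correlate_sessions(evs)
    for s in sessions:
        print(f"{s['kind']:7} {s['account']:22} from {s['source_ip']:14} "
              f"at {s['start']:%H:%M:%S} duration {s['duration_s']}s")
    for account, ip, kind, reasons in check_policy(sessions):
        print(f"FLAG {kind} {account} from {ip}: {'; '.join(reasons)}")
    for (account, ip), n in failed_logons(evs).items():
        print(f"{n} failed logons for {account} from {ip}")
```

Run against the sample, the script reports three remote sessions with their start times and durations (the C$-style network logon from 192.168.7.44 never logs off, so its duration stays open), flags the IT admin's RDP session because the account is not on the allow list even though the source subnet is, flags the helpdesk account's network logon because the source subnet is wrong even though the account is allowed, and counts the three failed attempts from 192.168.7.44. Whatever agent or product actually ships the events, this is the correlation you want on the collector: account and source checked separately, with session duration rather than just a logon line.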