Catching peeping toms

Involved in maintaining internal security, what are my options if we want to make sure that some 'high value' desktops are adequately protected from all 'peeping toms' within our organisation, even if they include our internal IT members having local admin rights on those desktops.

The desktops belong to senior management and I would like to keep them secure from all unwanted snoopers.

I cannot detach them from the Windows domain, so domain admins remain within the trusted zone. I was looking for some utility that logs all incoming IP requests for terminal connection (not only mstsc) and the time spent by these sniffers? Something that would enable me to log all remote activities being performed on these specific systems, available for analysis later, would be very helpful.
Maeros commented:
Also make sure these workstations are properly locked down.  As far as methodology for this goes, work from the premise that everything is going to be locked/blocked/inaccessible and "loosen the screws" until everything the user needs on their workstation works.  Build a solid wall and then knock holes in it to add the doors and windows instead of vice-versa.  Use things such as Group Policy, software restrictions, security software, patches, and access control if you're in a Windows environment to lock things down at the computer level.

Also if in a Windows environment make sure to make these users a member of a "Senior Management" AD group and apply permissions to sensitive files and folders using that group to lock things at the user level.

When it comes to security, remember two things:

1)  Secure in Layers.  Do not depend on one comprehensive solution to do the job.  Apply security at multiple layers on multiple points, both physically and logically.  You have Hardware and Software.  Computers and Users.  Go from Endpoint A to Endpoint B on how a user needs to get to a sensitive resource, and think about what you can add/remove/configure on all the points in between.

2)  C.I.A.  When applying security on a resource, ensure all three points of the C.I.A. method are applied and working:

ciscoml320 commented:
Depending on what network gear you have in your underlying LAN, you can consider implementing a separate VLAN for your execs and use access-lists to filter traffic allowed INTO that VLAN (which really should be nothing, except for any remote access needed by authorized hosts).
The access-lists give you the flexibility of being pretty secure, and you can easily audit traffic being filtered by these ACLs.
fahim (Author) commented:
Thanks guys for the insights!!

While I put this design in place, is there some way I can solely monitor / record attempts by the guys attempting to have a look at the information available on these PCs?

Rich Rumble (Security Samurai) commented:
You can secure and monitor a Windows PC without needing to place it on a separate subnet, but Access Control Lists are a must. You have to trust your IT staff to a certain point; if you can't, you need a new staff. You can monitor using Windows event logs, by turning them up from the defaults to more verbose settings. The GFI agents are trustworthy, and can be set up to prevent tampering.
The easy way to secure the PC is to allow only certain users to access the Remote Desktop group; by default anyone in the Administrators group, or the local admin, is allowed to RDP into a PC. You can also disallow interactive logon for users that have no reason to access those machines:
Or move users to the Guest group...
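The monitoring part of the answer above, as an added example that is not from the thread: it reads the Security log on the workstation, keeps remote network (type 3) and RDP (type 10) logons, and pairs each with its logoff by logon ID to estimate how long the session lasted. It assumes Logon/Logoff auditing has been enabled and an elevated shell; `$Since` is an assumed parameter.

```powershell
# Added example, not from the thread: list remote logons to this workstation from the
# Security event log and pair each with its logoff to estimate how long the session lasted.
# Assumes Logon/Logoff auditing is enabled, e.g.
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
#   auditpol /set /subcategory:"Logoff" /success:enable
# and that the script runs elevated.
param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed parameter: how far back to look

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4634; StartTime = $Since
}

$open = @{}          # TargetLogonId -> session that has not logged off yet
$closed = foreach ($e in @($events) | Sort-Object TimeCreated) {
    # EventData fields are only reachable through the event XML
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($e.Id -eq 4624) {
        # Logon types of interest: 3 = network (e.g. C$/admin shares), 10 = RemoteInteractive (RDP)
        if (($d.LogonType -in '3', '10') -and ($d.IpAddress -notin '-', '127.0.0.1', '::1')) {
            $open[$d.TargetLogonId] = [pscustomobject]@{
                User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                LogonType = $d.LogonType
                SourceIp  = $d.IpAddress
                Start     = $e.TimeCreated
                Duration  = $null
            }
        }
    }
    elseif ($open.ContainsKey($d.TargetLogonId)) {
        # 4634 carries the same TargetLogonId as its 4624; emit the completed session
        $s = $open[$d.TargetLogonId]
        $open.Remove($d.TargetLogonId)
        $s.Duration = $e.TimeCreated - $s.Start
        $s
    }
}

# Sessions without a matching logoff are still active (or the logoff fell outside $Since)
@($closed) + @($open.Values) | Sort-Object Start |
    Format-Table User, LogonType, SourceIp, Start, Duration -AutoSize
```

Forwarding the same Security log to a central collector (the GFI or Snare agents mentioned in the thread) keeps the record intact even if a local administrator clears the workstation's own log.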
fahim (Author) commented:
Rich Rumble, I need a bit of clarification on your statement that "we can secure and monitor a Windows PC without needing to place them on a separate subnet, but Access Control Lists are a must". I was wondering, isn't the only way to do this to put these PCs that need to be protected on a separate IP/port subnet on my core/edge switches, create a VLAN IP and bind various access lists to it for the traffic flowing in & out of this subnet?

Is there an easier method to protect using Access control lists?
Rich Rumble (Security Samurai) commented:
The Windows firewall is capable of doing that, but you can also restrict on user account as opposed to IP/subnet address. Doing username restrictions combines authentication and authorization. You could add more authorization by restricting subnets/PCs if you wish. You can prevent certain users/groups from mounting the C$ or print shares with account permissions rather than IP address. ACLs are typically associated with firewall/router rules... I should have said permissions instead :)

Segregation of traffic is a great best practice: keeping user subnets from reaching production subnets and the reverse, keeping prod from accessing user. Separate subnets and access lists are good, but if someone you don't want to access xyz comes in from a trusted subnet somehow, and you don't deny their account or the group they are in, they can LIKELY still access the host you want to keep them off of.
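The two controls from this answer, the host firewall and account-level restriction, as an added example that is not from the thread: it replaces the built-in "allow RDP from anywhere" rules with one scoped to an assumed management subnet, then inventories which principals can currently RDP to the machine (Remote Desktop Users plus local Administrators, who can RDP by default). `$MgmtSubnet` is an assumption; run it elevated on the workstation.

```powershell
# Added example, not from the thread: scope inbound RDP on a workstation to an assumed
# management subnet and report which principals can currently log on to it remotely.
# $MgmtSubnet is an assumption; run elevated (the same settings can be pushed by GPO).
param([string]$MgmtSubnet = '10.0.99.0/24')

# 1. The built-in "Remote Desktop" rule group allows port 3389 from any address; disable it
#    and replace it with a rule restricted to the management subnet on the domain profile.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'RDP from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $MgmtSubnet -Profile Domain -Action Allow | Out-Null

# 2. Inventory who can log on over RDP: members of Remote Desktop Users plus local
#    Administrators, who are allowed to RDP by default. Review this list against the
#    people who actually need access and remove everyone else from the groups.
function Get-RdpCapablePrincipals {
    foreach ($g in 'Administrators', 'Remote Desktop Users') {
        Get-LocalGroupMember -Group $g | ForEach-Object {
            [pscustomobject]@{
                Group  = $g
                Member = $_.Name
                Type   = $_.ObjectClass
                Source = $_.PrincipalSource   # Local vs ActiveDirectory
            }
        }
    }
}
Get-RdpCapablePrincipals | Format-Table -AutoSize
```

Account-level denial (removing a user from these groups, or a "Deny log on through Remote Desktop Services" right) still applies when the connection arrives from an allowed subnet, which is the point the answer makes.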
Rich Rumble (Security Samurai) commented:
I think permissions lend themselves to a faster and easier solution. Nothing is perfect, but denying accounts is easier to do than setting up separate subnets, firewall rules, static routes etc... Monitoring is also essential. GFI has a great product, and there are others; Snare is an open-source tool that is useful.