Swift
asked on

Catching peeping toms

Involved in maintaining internal security, what are my options if we want to make sure that some 'high value' desktops are adequately protected from all 'peeping toms' within our organisation, even if they include our internal IT members having local admin rights on those desktops.

The desktops belong to senior management and I would like to keep them secure from all unwanted snoopers.

I cannot detach them from the Windows domain, so domain admins remain within the trusted zone. I was looking for some utility that logs all incoming IP requests for terminal connection (not only mstsc) and the time spent by these sniffers. Something that would enable me to log all remote activities being performed on these specific systems and make them available for analysis later would be very helpful.
SOLUTION
ciscoml320
(members-only content, not shown)

ASKER CERTIFIED SOLUTION
(members-only content, not shown)
Swift

ASKER

Thanks guys for the insights!!

While I put this design in place, is there some way I can solely monitor / record attempts by the guys trying to have a look at the information available on these PCs?
Rich Rumble
You can secure and monitor a Windows PC without needing to place it on a separate subnet, but Access Control Lists are a must. You have to trust your IT staff to a certain point; if you can't, you need new staff. You can monitor using Windows event logs, by turning up from the defaults to more verbose settings. http://www.gfi.com/eventsmanager The GFI agents are trustworthy, and can be set up to prevent tampering.
The easy way to secure the PC is to allow only certain users into the Remote Desktop group; by default anyone in the Administrators group, or the local admin, is allowed to RDP into a PC. You can also disallow interactive logon for users that have no reason to access those machines: http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.group_policy&tid=8915889a-f1cb-4c93-9ad0-b4606da72902&cat=&lang=&cr=&sloc=&p=1
Or move users to the Guest group...
-rich
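One way to get the log Rich describes from the Windows event log itself, without a third-party agent, as an added example that is not part of the original thread: a PowerShell script that reads the Security log of a high-value desktop and lists each remote logon with its source IP, account, logon type and how long the session lasted, by pairing 4624 logon events with 4634/4647 logoff events on their logon ID. The auditpol commands, the $Days and $ComputerName parameter names and the noise filter are assumptions; run it as an account allowed to read the target's Security log (Event Log Readers or local admin on the target).

```powershell
# Added example (not from the original thread): list remote logons to a high-value
# desktop with source IP, account and session length, straight from the Security log.
# Assumes the Logon and Logoff audit subcategories are enabled on the target, e.g.:
#   auditpol /set /subcategory:"Logon" /success:enable /failure:enable
#   auditpol /set /subcategory:"Logoff" /success:enable
# $Days and $ComputerName are assumed parameter names.
param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

# Flatten an event's <EventData> fields into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$since  = (Get-Date).AddDays(-$Days)
$common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }

# 4624 = successful logon, 4634 / 4647 = logoff. Logon type 10 is RemoteInteractive
# (RDP); type 3 is Network, which is what mounting C$, WMI or PsExec-style access
# produce, so it covers the "not only mstsc" case. With NLA an RDP session is
# preceded by a type 3 logon from the same address, so expect pairs.
$logons  = Get-WinEvent @common -FilterHashtable @{ LogName = 'Security'; Id = 4624;       StartTime = $since }
$logoffs = Get-WinEvent @common -FilterHashtable @{ LogName = 'Security'; Id = 4634, 4647; StartTime = $since }

# Index logoff times by TargetLogonId so each session end can be matched to its start.
$logoffAt = @{}
foreach ($e in $logoffs) {
    $d = Get-EventData $e
    $logoffAt[$d.TargetLogonId] = $e.TimeCreated
}

$sessions = foreach ($e in $logons) {
    $d = Get-EventData $e
    $type = [int]$d.LogonType
    if ($type -ne 10 -and $type -ne 3) { continue }
    # Drop local noise: no source address, loopback, and the machine account itself.
    if (@('-', '::1', '127.0.0.1') -contains $d.IpAddress -or $d.TargetUserName -like '*$') { continue }

    $end      = $logoffAt[$d.TargetLogonId]
    $minutes  = if ($end) { [math]::Round(($end - $e.TimeCreated).TotalMinutes, 1) } else { $null }
    $typeName = if ($type -eq 10) { 'RemoteInteractive' } else { 'Network' }

    [pscustomobject]@{
        Start     = $e.TimeCreated
        User      = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
        LogonType = $typeName
        SourceIP  = $d.IpAddress
        Minutes   = $minutes        # empty = still logged on, or logoff was not audited
    }
}

$sessions | Sort-Object Start | Format-Table -AutoSize
```

Anyone with local admin on the desktop can clear this log (Windows records the clearing itself as Security event 1102), so the record is only trustworthy if the events are forwarded off the box as they are written, for example with Windows Event Forwarding to a collector the IT staff in question cannot administer; that is also the "prevent tampering" property Rich attributes to the GFI agents.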

ASKER

Rich Rumble, I need a bit of clarification on your statement that "we can secure and monitor a Windows PC without needing to place them on a separate subnet, but Access Control Lists are a must". I was wondering, isn't the only way to do this to put these PCs that need to be protected on a separate IP/port subnet on my core/edge switches, create a VLAN IP and bind various access lists to it for the traffic flowing in and out of this subnet?

Is there an easier method to protect using Access control lists?
Rich Rumble
The Windows firewall is capable of doing that, but you can also restrict on user account as opposed to IP/subnet address. Doing username restrictions combines authentication and authorization. You could add more authorization by restricting subnets/PCs if you wish. You can prevent certain users/groups from mounting the C$ or print shares with account permissions rather than IP address. ACLs are typically associated with firewall/router rules... I should have said permissions instead :)

Segregation of traffic is a great best practice: keeping user subnets from reaching production subnets and the reverse, keeping prod from accessing user. Separate subnets and access lists are good, but if someone you don't want to access xyz comes in from a trusted subnet somehow, and you don't deny their account or the group they are in, they can LIKELY still access the host you want to keep them off of.
-rich
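Rich's point that the control has to sit on the account as well as on the address, as an added example that is not part of the thread: a PowerShell script run on the high-value desktop itself that first limits the Remote Desktop and File and Printer Sharing firewall rule groups to a management subnet, then denies network and remote-interactive logon to an IT group through the local user rights assignments, so that a member of that group who does reach the box from a trusted address is still refused. The subnet 10.10.50.0/24, the group name CONTOSO\Helpdesk and the temporary file names are assumptions; the NetSecurity cmdlets exist on Windows 8 / Server 2012 and later, and the script must run elevated.

```powershell
# Added example (not from the original thread). Run elevated on the desktop to protect.
# Assumed values: the management subnet and the IT group that must be kept out.
$AllowedSubnets = @('10.10.50.0/24')     # assumption: where legitimate admin sessions originate
$DeniedGroups   = @('CONTOSO\Helpdesk')  # assumption: staff with local admin who must not snoop

# 1. Network layer: RDP (3389) and SMB (C$ / print shares) only from the management subnet.
#    This is the "restrict subnets/PCs" part; on its own it still lets anyone on that
#    subnet in, which is why step 2 exists.
foreach ($group in 'Remote Desktop', 'File and Printer Sharing') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Set-NetFirewallRule -Enabled True -RemoteAddress $AllowedSubnets
}

# 2. Account layer: local user rights assignment via secedit. Administrators can RDP
#    regardless of the Remote Desktop Users group membership, so deny rights are what
#    actually bite for IT staff with local admin. SeDenyNetworkLogonRight blocks C$,
#    WMI and PsExec-style access; SeDenyRemoteInteractiveLogonRight blocks RDP.
#    Deny rights win over allow rights. Never list a group your own account is in, or
#    Domain Admins, here, or you lock yourself out of remote management.
#    Note: configuring a right from an .inf REPLACES its whole list, not appends to it.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyNetworkLogonRight = $($DeniedGroups -join ',')
SeDenyRemoteInteractiveLogonRight = $($DeniedGroups -join ',')
"@
$infPath = Join-Path $env:TEMP 'deny-rights.inf'   # assumed temp file names
$dbPath  = Join-Path $env:TEMP 'deny-rights.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
Remove-Item $infPath, $dbPath -ErrorAction SilentlyContinue

# 3. Verify: export the effective user rights and show the two deny entries.
$check = Join-Path $env:TEMP 'rights-check.inf'
secedit /export /cfg $check /areas USER_RIGHTS /quiet
Select-String -Path $check -Pattern 'SeDeny(Network|RemoteInteractive)LogonRight'
Remove-Item $check -ErrorAction SilentlyContinue
```

A local admin can of course undo both settings; applying the same firewall rules and user rights through a Group Policy Object linked to an OU that holds only these desktops makes them re-apply on every refresh, and the logon auditing from the earlier reply is what tells you when someone tried anyway.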
SOLUTION
(members-only content, not shown)