Internal Security Issue

Our company has recently had an internal security problem with an employee using other passwords and logins to change security settings, look at documents, log in remotely to servers, etc.

Is anyone using or know of a good network monitoring program that would document network activity? It took us a few months to track the guy down and I'm looking for something that could make that process a little easier if (hopefully not) it ever happens again.

We're running about 50 computers, and like four servers.  All windows based.  We have about a hundred employees with logins, emails, etc.

thanks for any input.
If this is a domain, then a logon script is a great start. You can script out a username, PC name, logon time, etc... anything you can query really. Write the info out to a log file somewhere, and you have a nice log of all logons, when they did it, and from which machine. It's not the end-all of processes mind you, but an excellent start. And free to implement.

I'm attaching a skeleton VBS script that I use to log username, Time/date, and the Dell service tag #. This can run right from the sysvol directory and log out to any location on the network. By adding additional objItem items, you can include more info.

Spend some time learning the VBS basics, especially if you are an AD admin....

On Error Resume Next
' OpenTextFile mode constants: ForReading = 1, ForWriting = 2, ForAppending = 8
Const ForAppending = 8
Dim objNetwork, UserName, fso, objWMIservice, colitems, objItem, objTextFile
Dim logserverunc, strComputer, FiletoCreate

strComputer = "."   ' query WMI on the local machine
Set objNetwork = WScript.CreateObject("WScript.Network")
Set fso = CreateObject("Scripting.FileSystemObject")
UserName = LCase(objNetwork.UserName)
logserverunc = "\\<servername>\lslog\"

' Open WMI and scan for the BIOS serial number (the Dell service tag)
Set objWMIservice = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set colitems = objWMIservice.ExecQuery("Select * from Win32_BIOS")

' Now pick the serial number out of the WMI BIOS class and create the log
For Each objItem In colitems
	' Define the log file: one file per machine, named after its NetBIOS name
	FiletoCreate = logserverunc & objItem.Path_.Server & ".txt"

	' First check to see if this machine already has a log, and delete it if it exists
	If fso.FileExists(FiletoCreate) Then
		fso.DeleteFile FiletoCreate
	End If

	' Create the new log file, close the creating handle, then reopen it for appending
	Set objTextFile = fso.CreateTextFile(FiletoCreate)
	objTextFile.Close
	Set objTextFile = fso.OpenTextFile(FiletoCreate, ForAppending, True)

	' Write the information to the file using .Path_.Server for the local NetBIOS name
	objTextFile.WriteLine(objItem.SerialNumber & ";" & objItem.Path_.Server & ";" & UserName & ";" & Date & " " & Time)
	objTextFile.Close
Next

The Windows security logs will track logons and logoffs to the servers. In addition, many admins, myself included, use logon scripts to write out additional info to a central location for logon/logoff times.

The best line of defense is to frequently change passwords, enforce a 45 day rotation on passwords, use a lockout after a certain # of attempts, etc...

If an employee knows the ID and PW to another account, there's really nothing you can do to prevent him from using it.... Unless you go with a 2 factor authentication method like an RSA solution or something....
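The security-log approach mentioned above, as an added PowerShell example that is not part of the original answer: it pulls successful logon events (ID 4624) from a server's Security log and summarises which account logged on, from which workstation or IP, and when, which is the kind of trail the question asks for. It assumes Windows Vista / Server 2008 or later event IDs and that success auditing for logons is enabled (it is not on by default on older systems); the parameter names and the per-user summary are this example's own.

```powershell
# Added example, not the original poster's script. Assumes Vista/2008+ (event 4624)
# and logon success auditing enabled. Run as an administrator with rights on the server.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # server whose Security log to read
    [int]$Days = 7                               # how far back to look
)

# Logon types relevant to the question: console, unlock, RDP and network (share) logons.
# Service (5) and batch (4) logons are skipped as noise.
$LogonTypeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 7 = 'Unlock'; 10 = 'RemoteInteractive' }

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction Stop

$rows = foreach ($e in $events) {
    # Event data fields are only reliably addressable through the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    $type = [int]$d['LogonType']
    # Drop machine accounts (names ending in $) and logon types we do not track
    if ($LogonTypeNames.ContainsKey($type) -and $d['TargetUserName'] -notmatch '\$$') {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Server     = $ComputerName
            User       = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType  = $LogonTypeNames[$type]
            SourceHost = $d['WorkstationName']
            SourceIP   = $d['IpAddress']        # '-' for local console logons
        }
    }
}

# One line per logon, grouped by user, so an account appearing from an
# unfamiliar workstation or IP stands out on inspection
$rows | Sort-Object User, Time | Format-Table -AutoSize

# Distinct source hosts per account: one login used from many machines is the
# pattern described in the question
$rows | Group-Object User | ForEach-Object {
    $sources = $_.Group | ForEach-Object { $_.SourceHost } | Sort-Object -Unique
    [pscustomobject]@{ User = $_.Name; Logons = $_.Count; Sources = ($sources -join ',') }
} | Sort-Object Logons -Descending | Format-Table -AutoSize
```

The same filter with Id 4625 lists failed logons, which is where password guessing against another user's account shows up before it succeeds.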

nightshft (Author) commented:
I have a lockout in place and my passwords are set.  I was looking more to see if anyone used any sort of software that could track things like logins, locations where logins occurred, remote access tracking, time & date, etc..

I've never used logon scripts, guess that is one thing I could look at.

I've used SpectorSoft for monitoring and some forensics. There are disclosure issues, as the software can get pretty detailed down to the apps, keystrokes, web, screen content, etc. Works on Terminal Server too. SQL database storage and admin dashboards, reports, etc. Not free or cheap. Now they start at 25 users for Spector360 (corporate/enterprise). When we bought in, it was a 50-user minimum.

Rich Rumble (Security Samurai) commented:
You can use a variety of software, be sure you don't get stuck on one single issue "can't see the forest for the trees" kind of thing. The default logging on windows, depending on OS, is typically very low if you want to monitor success and failures. Snare is a popular application for this, as well as GFI's SELM.
You can use an HIDS like OSSEC as well to look for things like "the first time a user logged onto a box" or failed login attempts. I believe you can also use this to look for group permission changes as well, like someone added to the local admins when they weren't before...