Internal Security Issue

Posted on 2010-01-06
Last Modified: 2013-12-04
Our company has recently had an internal security problem with an employee using other passwords and logins to change security settings, look at documents, log in remotely to servers, etc.

Is anyone using, or does anyone know of, a good network monitoring program that would document network activity? It took us a few months to track the guy down and I'm looking for something that could make that process a little easier if (hopefully not) it ever happens again.

We're running about 50 computers and about four servers, all Windows based. We have about a hundred employees with logins, emails, etc.

Thanks for any input.
Question by:nightshft
    LVL 33

    Expert Comment

    The Windows security logs will track logons and logoffs to the servers. In addition, many admins, myself included, use logon scripts to write out additional info to a central location for logon/logoff times.

    The best line of defense is to frequently change passwords, enforce a 45-day rotation on passwords, use a lockout after a certain # of attempts, etc.

    If an employee knows the ID and PW to another account, there's really nothing you can do to prevent him from using it... unless you go with a two-factor authentication method like an RSA solution or something.


    Author Comment

    I have a lockout in place and my passwords are set. I was looking more to see if anyone used any sort of software that could track things like logins, locations where logins occurred, remote access tracking, time & date, etc.

    I've never used logon scripts; guess that is one thing I could look at.

    LVL 33

    Accepted Solution

    If this is a domain, then a logon script is a great start. You can script out a username, PC name, logon time, etc... anything you can query, really. Write the info out to a log file somewhere, and you have a nice log of all logons, when they did it, and from which machine. It's not the end-all of processes, mind you, but an excellent start. And free to implement.

    I'm attaching a skeleton VBS script that I use to log username, time/date, and the Dell service tag #. This can run right from the SYSVOL directory and log out to any location on the network. By adding additional objItem items, you can include more info.

    Spend some time learning the VBS basics, especially if you are an AD admin....

    On Error Resume Next
    ' OpenTextFile mode constants: ForReading = 1, ForWriting = 2, ForAppending = 8
    Const ForAppending = 8
    Dim objNetwork, UserName, fso, logserverunc, strComputer
    Dim objWMIservice, colItems, objItem, FileToCreate, objTextFile
    Set objNetwork = WScript.CreateObject("WScript.Network")
    Set fso = CreateObject("Scripting.FileSystemObject")
    UserName = LCase(objNetwork.UserName)
    ' UNC path of the share the logon script writes to (users need write access to it)
    logserverunc = "\\<servername>\lslog\"
    ' "." = the local machine the user is logging on to
    strComputer = "."
    ' Open WMI and read the BIOS serial number (the Dell service tag)
    Set objWMIservice = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set colItems = objWMIservice.ExecQuery("Select * from Win32_BIOS")
    ' Pick the serial number out of the WMI BIOS object and write the log record
    For Each objItem In colItems
        ' Define the log file: one per machine, named after the local NetBIOS name (Path_.Server)
        FileToCreate = logserverunc & objItem.Path_.Server & ".txt"
        ' Open the machine's log for appending; the third argument (True) creates it on first run,
        ' so every logon is kept rather than overwritten
        Set objTextFile = fso.OpenTextFile(FileToCreate, ForAppending, True)
        ' Write username, service tag, NetBIOS name and date/time, semicolon separated
        objTextFile.WriteLine(UserName & ";" & objItem.SerialNumber & ";" & objItem.Path_.Server & ";" & Date & " " & Time)
        objTextFile.Close
    Next

    LVL 32

    Assisted Solution

    I've used SpectorSoft for monitoring and some forensics. There are disclosure issues, as the software can get pretty detailed, down to the apps, keystrokes, web, screen content, etc. Works on Terminal Server too. SQL database storage and admin dashboards, reports, etc. Not free or cheap. Now they start at 25 users for Spector360 (corporate/enterprise). When we bought in, it was a 50-user minimum.
    LVL 38

    Expert Comment

    by: Rich Rumble
    You can use a variety of software, be sure you don't get stuck on one single issue "can't see the forest for the trees" kind of thing. The default logging on windows, depending on OS, is typically very low if you want to monitor success and failures. Snare is a popular application for this, as well as GFI's SELM.
    You can use an HIDS like OSSEC as well to look for things like "the first time a user logged onto a box" or failed login attempts. I believe you can also use this to look for group permission changes as well, like someone added to the local admins when they weren't before...
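    The logging both comments above describe (the Windows security log tracking logons, in the first expert comment, and watching for the first time an account appears on a box, in the last one) can be turned into a check with very little code. The following Python is an added example, not code from this thread or from any of the products named in it. It parses a constructed export of Security-log logon events (event IDs 4624 success and 4625 failure on Vista/2008 and later; 528/540 and 529 on Windows 2003) and flags the two patterns behind the original question: an account logging on interactively or over RDP from a machine it has never been seen on before, and a successful logon right after a run of failures from the same source. The sample rows, the BASELINE and WORKSTATION_IPS tables, the column layout and the failure threshold are all assumptions for the example; on a real domain the baseline would be built from a few weeks of logons or from the logon-script log above, and "Audit logon events" must be enabled for both success and failure or the 4625 rows never exist.

```python
"""Pick suspicious logons out of Windows Security log records (event IDs 4624/4625).

Added example with constructed sample data; not from the original thread.
"""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Columns of the (constructed) export: time, event id, target account, logon type,
# computer the event was logged on, source IP address ("-" for console logons).
SAMPLE_EXPORT = """\
2010-01-04 08:02:11,4624,jsmith,2,WS-JSMITH,-
2010-01-04 08:05:40,4624,mjones,2,WS-MJONES,-
2010-01-04 08:07:02,4624,jsmith,3,FILESRV1,10.0.0.57
2010-01-04 22:14:03,4624,mjones,10,TS01,10.0.0.57
2010-01-04 22:20:55,4625,administrator,3,FILESRV1,10.0.0.57
2010-01-04 22:21:10,4625,administrator,3,FILESRV1,10.0.0.57
2010-01-04 22:21:30,4625,administrator,3,FILESRV1,10.0.0.57
2010-01-04 22:22:04,4624,administrator,3,FILESRV1,10.0.0.57
"""

# Which machine(s) each account normally logs on from (constructed baseline).
BASELINE = {
    "jsmith": {"WS-JSMITH"},
    "mjones": {"WS-MJONES"},
}

# LAN address -> workstation name (constructed), so a remote logon's source IP can be named.
WORKSTATION_IPS = {"10.0.0.57": "WS-JSMITH", "10.0.0.21": "WS-MJONES"}

# Logon type values as Windows records them in 4624/4625.
LOGON_TYPE = {2: "interactive", 3: "network", 10: "remote-interactive (RDP)", 11: "cached"}
FAILURE_THRESHOLD = 3  # assumed: this many 4625s from one source before a success is suspicious


def parse_export(text):
    """Parse the comma-separated export into one dict per event."""
    rows = []
    for time, event_id, user, logon_type, computer, ip in csv.reader(StringIO(text)):
        rows.append({
            "time": time, "event_id": int(event_id), "user": user.lower(),
            "logon_type": int(logon_type), "computer": computer, "ip": ip,
        })
    return rows


def source_host(event):
    """Where the logon came from: the console machine for type 2, else the host behind the IP."""
    if event["logon_type"] == 2:
        return event["computer"]
    return WORKSTATION_IPS.get(event["ip"], event["ip"])


def find_suspicious(events, baseline=BASELINE, threshold=FAILURE_THRESHOLD):
    """Return (time, user, reason) tuples for logons worth a second look."""
    findings = []
    failures = Counter()      # (user, source ip) -> consecutive 4625 count
    seen = defaultdict(set)   # user -> hosts the account has been seen on, seeded from baseline
    for user, hosts in baseline.items():
        seen[user] |= hosts
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["event_id"] == 4625:
            failures[key] += 1
            continue
        if ev["event_id"] != 4624:
            continue
        host = source_host(ev)
        kind = LOGON_TYPE.get(ev["logon_type"], str(ev["logon_type"]))
        # A success right after repeated failures from the same place: a guessed or found password.
        if failures[key] >= threshold:
            findings.append((ev["time"], ev["user"],
                             "%s logon from %s after %d failed attempts" % (kind, host, failures[key])))
        failures[key] = 0
        # An account used interactively from a machine it has never been seen on before.
        if ev["logon_type"] in (2, 10, 11) and host not in seen[ev["user"]]:
            findings.append((ev["time"], ev["user"], "first %s logon from %s" % (kind, host)))
        seen[ev["user"]].add(host)
    return findings


if __name__ == "__main__":
    for time, user, reason in find_suspicious(parse_export(SAMPLE_EXPORT)):
        print(time, user, reason)
```

    Run against the constructed rows it reports mjones's RDP session coming from jsmith's workstation and the administrator account succeeding on FILESRV1 after three failures from the same address, while jsmith's own network logon to the file server passes. Network logons (type 3) are deliberately left out of the first-time-host check, since every share access generates one and the noise would swamp the interesting interactive and RDP cases.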
