Dameware Connection - Security Breach

I have an employee in our IT department I suspect of using Dameware to look over the shoulder of users with sensitive information (GM, HR, etc.). Is there a way to detect it when it happens? Is there something I can install that will alert me when a Dameware connection is established? I'd like to catch him and terminate him if he's doing this.

Furthermore, if I can't catch him, is there a way to block it?  I'm sure there are common ports that I could block with a firewall, but are there other methods?
Taylor Huckstep, Senior Director, IT, Asked:
Qlemo, Batchelor, Developer and EE Topic Advisor, Commented:
To install DW you need access to admin$ - that is, you need to be admin.
To have invisible access, you need to be admin, too.
So you need to have a lot of power to use DW.

However, DW leaves a trace in the Security EventLog for everybody logging in.

For blocking DameWare completely, you can use the firewall (but changing the port would circumvent that), or install and disable the DW MRC service while removing the privileges to change it from admins (granting them to yourself before that).
Rob Knight, Consultant, Commented:

Perhaps look for the services?



Check the Security Log for logons with his userid, on the target machines in question. Can't hide those without clearing the log. Then the log will have an entry saying it was cleared by user x.....

Taylor Huckstep, Senior Director, IT, Author Commented:
The problem with Dameware is that you can install the client and services remotely and silently, and remove them when you log off, so unless you catch the monitoring while it's going on, you won't see any trace of their monitoring.

I know I can install a Dameware server that enforces certain security measures, like insisting users are notified before Dameware can connect, but we don't have that in place today.  

I'm wondering if there's some software like Little Snitch for Mac that can monitor all incoming and outgoing connections, maybe. I just don't want the overhead of every connection, but if that's the solution, I'll look for a Little Snitch type app.
Windows Firewall has logging as well. Might be worth looking to see if it catches the connections...

Won't have any excess overhead from an app running in the background.... In the firewall properties, go to the Advanced tab, and you will see the logging....
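
The firewall-log check suggested above, as an added example that is not part of the original thread: a Python parser for the Windows Firewall log that lists inbound TCP connections to a watched port, grouped by source address. Port 6129 (assumed here to be the DameWare Mini Remote Control default), the function names and the sample log lines are assumptions constructed for illustration.

```python
"""Scan a Windows Firewall log (pfirewall.log) for inbound remote-control connections."""
from collections import defaultdict

# Assumption: 6129/TCP is the DameWare Mini Remote Control default port. The
# port is configurable (as noted in the thread), so pass your own set.
WATCH_PORTS = {6129}

# Constructed sample in the W3C-style layout Windows Firewall writes.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:15:02 ALLOW TCP 10.0.5.23 10.0.1.40 51512 6129 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:15:40 ALLOW TCP 10.0.1.40 10.0.9.9 51600 443 0 - 0 0 0 - - - SEND
2024-03-04 09:17:11 DROP TCP 10.0.5.23 10.0.1.40 51520 6129 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:20:00 ALLOW UDP 10.0.5.77 10.0.1.40 137 137 78 - - - - - - - RECEIVE
2024-03-04 10:02:45 ALLOW TCP 10.0.5.23 10.0.1.40 51733 6129 0 - 0 0 0 - - - RECEIVE
"""

def find_inbound(lines, ports=WATCH_PORTS, trusted_sources=()):
    """Yield a dict per inbound TCP entry to a watched port from an untrusted source."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names come from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        # Logs without a "path" column give no direction, so such entries are kept.
        if rec.get("protocol") != "TCP" or rec.get("path", "RECEIVE") != "RECEIVE":
            continue
        if not rec.get("dst-port", "").isdigit() or int(rec["dst-port"]) not in ports:
            continue
        if rec.get("src-ip") in trusted_sources:
            continue
        yield rec

def summarize(hits):
    """Group hits by source address: {src-ip: [(timestamp, action), ...]}."""
    by_src = defaultdict(list)
    for r in hits:
        by_src[r["src-ip"]].append((f'{r["date"]} {r["time"]}', r["action"]))
    return dict(by_src)

if __name__ == "__main__":
    for src, events in summarize(find_inbound(SAMPLE_LOG.splitlines())).items():
        print(src, events)
```

Windows Firewall records allowed connections only when logging of successful connections is enabled, so turn that on before relying on the ALLOW entries.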
Taylor Huckstep, Senior Director, IT, Author Commented:
I like the idea of installing it and disabling MRC, thanks.
Question has a verified solution.