• Status: Solved
  • Priority: Medium
  • Security: Public

Dameware Connection - Security Breach

I have an employee in our IT department I suspect of using dameware to look over the shoulder of users with sensitive information (GM, HR, etc).  Is there a way to detect it when it happens?  Is there something I can install that will alert me when a dameware connection is established?  I'd like to catch him and terminate him if he's doing this.

Furthermore, if I can't catch him, is there a way to block it?  I'm sure there are common ports that I could block with a firewall, but are there other methods?
Taylor Huckstep
1 Solution
Rob Knight, Consultant, Commented:

Perhaps look for the services?



Check the Security Log for logons with his userid, on the target machines in question. Can't hide those, without clearing the log. Then the log will have an entry saying it was cleared by user x.....
Taylor Huckstep, Senior Director, IT (Author), Commented:
The problem with Dameware is that you can install the client and services remotely and silently, and remove them when you log off, so unless you catch the monitoring while it's going on, you won't see any trace of their monitoring.

I know I can install a Dameware server that enforces certain security measures, like insisting users are notified before Dameware can connect, but we don't have that in place today.  

I'm wondering if there's some software like Little Snitch for Mac, that can monitor all incoming and outgoing connections, maybe.  I just don't want the overhead of every connection, but if that's the solution, I'll look for a Little Snitch type app.

Windows Firewall has logging as well. Might be worth looking to see if it catches the connections...

Won't have any excess overhead from an app running in the background....In the firewall properties, go to the Advanced Tab, and you will see the logging....
Qlemo, C++ Developer, Commented:
To install DW you need access to admin$ - that is, you need to be admin.
To have invisible access, you need to be admin, too.
So you need to have a lot of power to use DW.

However, DW leaves a trace in the Security EventLog for everybody logging in.

For blocking DameWare completely, you can use the Firewall (but changing the port would circumvent that), or install and disable the DW MRC service with removing changing privileges for admins (granting them to you before that).
Taylor Huckstep, Senior Director, IT (Author), Commented:
I like the idea of installing it and disabling MRC, thanks.
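
The Windows Firewall logging suggestion above, as an added example that is not part of the original thread: a Python script that scans a firewall log for inbound TCP connections to a watched port or from a watched source host. Port 6129 (DameWare MRC's default), the addresses and the sample log lines are assumptions constructed for illustration; matching on the source host as well as the port covers the changed-port case Qlemo mentions.

```python
# Constructed sample in the Windows Firewall log text format; all addresses are made up.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-05 09:14:02 ALLOW TCP 10.0.5.23 10.0.1.10 51514 6129 0 - 0 0 0 - - - RECEIVE
2024-03-05 09:15:40 ALLOW TCP 10.0.1.10 10.0.9.8 51620 443 0 - 0 0 0 - - - SEND
2024-03-05 09:20:11 DROP TCP 10.0.7.77 10.0.1.10 40001 6129 52 S 1234 0 8192 - - - RECEIVE
2024-03-05 10:02:33 ALLOW TCP 10.0.5.23 10.0.1.10 51999 7000 0 - 0 0 0 - - - RECEIVE
2024-03-05 10:05:00 ALLOW UDP 10.0.1.1 10.0.1.10 53 50123 0 - - - - - - - RECEIVE
"""

WATCH_PORTS = {6129}            # assumption: DameWare MRC default TCP port
WATCH_SOURCES = {"10.0.5.23"}   # assumption: workstation of the admin under review


def find_inbound(log_text, ports=WATCH_PORTS, sources=WATCH_SOURCES):
    """Return inbound TCP records that hit a watched port or come from a watched source."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("path", "RECEIVE") != "RECEIVE":
            continue                           # keep inbound TCP; no path column = keep
        try:
            dport = int(rec["dst-port"])
        except (KeyError, ValueError):
            continue                           # malformed or truncated line
        reasons = []
        if dport in ports:
            reasons.append("watched-port")
        if rec.get("src-ip") in sources:
            reasons.append("watched-source")   # still matches if the port was changed
        if reasons:
            hits.append((rec["date"], rec["time"], rec["action"],
                         rec["src-ip"], dport, "+".join(reasons)))
    return hits


if __name__ == "__main__":
    for hit in find_inbound(SAMPLE_LOG):
        print(*hit)
```

Allowed connections only appear in the log when logging of successful connections is enabled in the firewall's logging settings; with only dropped packets logged, the script sees blocked attempts but not established sessions.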
