Dameware Connection - Security Breach

Posted on 2011-05-12
Last Modified: 2012-05-11
I have an employee in our IT department I suspect of using dameware to look over the shoulder of users with sensitive information (GM, HR, etc).  Is there a way to detect it when it happens?  Is there something I can install that will alert me when a dameware connection is established?  I'd like to catch him and terminate him if he's doing this.

Furthermore, if I can't catch him, is there a way to block it?  I'm sure there are common ports that I could block with a firewall, but are there other methods?
Question by:Taylor Huckstep
    LVL 25

    Expert Comment


    Perhaps look for the services?


    LVL 66

    Expert Comment

    Check the Security Log for logons with his userid, on the target machines in question. Can't hide those, without clearing the log. Then the log will have an entry saying it was cleared by user x.....

    Author Comment

    by:Taylor Huckstep
    The problem with Dameware, is that you can install the client and services remotely and silently, and remove them when you log off, so unless you catch the monitoring while it's going on, you won't see any trace of their monitoring.

    I know I can install a Dameware server that enforces certain security measures, like insisting users are notified before Dameware can connect, but we don't have that in place today.  

    I'm wondering if there's some software like Little Snitch for Mac, that can monitor all incoming and outgoing connections, maybe.  I just don't want the overhead of every connection, but if that's the solution, I'll look for a Little Snitch type app.
    LVL 66

    Expert Comment

    Windows Firewall has logging as well. Might be worth looking to see if it catches the connections...

    Won't have any excess overhead from an app running in the background....In the firewall properties, go to the Advanced Tab, and you will see the logging....
    LVL 67

    Accepted Solution

    To install DW you need access to admin$ - that is, you need to be admin.
    To have invisible access, you need to be admin, too.
    So you need to have a lot of power to use DW.

    However, DW leaves a trace in the Security EventLog for everybody logging in.

    For blocking DameWare completely, you can use the Firewall (but changing the port would circumvent that), or install the DW MRC service and disable it, removing the privileges to change it from admins (granting them to yourself before that).

    Author Closing Comment

    by:Taylor Huckstep
    I like the idea of installing it and disabling mrc thanks.
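
The Windows Firewall logging suggested in the thread can be reviewed with a short script. This is an added example, not code from any of the posters: the sample log lines and addresses are constructed, the approved-admin subnet is hypothetical, and 6129 is DameWare Mini Remote Control's default TCP port, which (as the accepted answer notes) can be changed, so the watch list is a parameter.

```python
import ipaddress

# Constructed sample in the Windows Firewall log layout (not real traffic).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2011-05-12 09:14:02 ALLOW TCP 10.0.5.23 10.0.1.40 51522 6129 0 - 0 0 0 - - - RECEIVE
2011-05-12 09:15:10 ALLOW TCP 10.0.1.40 10.0.9.9 51600 443 0 - 0 0 0 - - - SEND
2011-05-12 09:20:44 DROP TCP 10.0.5.23 10.0.1.40 51530 6129 0 - 0 0 0 - - - RECEIVE
2011-05-12 10:02:31 ALLOW TCP 10.0.7.8 10.0.1.40 49877 6129 0 - 0 0 0 - - - RECEIVE
"""

def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.strip() and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def remote_control_hits(text, watch_ports=frozenset({6129}), approved=()):
    """Inbound TCP records to a watched port from sources outside `approved`.

    Both allowed and dropped attempts are returned; the action is in the tuple.
    """
    nets = [ipaddress.ip_network(n) for n in approved]
    hits = []
    for rec in parse_firewall_log(text):
        # Older logs have no "path" column; treat those records as inbound.
        if rec.get("protocol") != "TCP" or rec.get("path", "RECEIVE") != "RECEIVE":
            continue
        try:
            port = int(rec["dst-port"])
            src = ipaddress.ip_address(rec["src-ip"])
        except (KeyError, ValueError):
            continue  # malformed or truncated record
        if port in watch_ports and not any(src in n for n in nets):
            hits.append((rec.get("date"), rec.get("time"), rec.get("action"),
                         str(src), rec.get("dst-ip")))
    return hits

if __name__ == "__main__":
    # "10.0.7.0/24" is a hypothetical subnet of approved support workstations.
    for hit in remote_control_hits(SAMPLE_LOG, approved=["10.0.7.0/24"]):
        print(*hit)
```

Firewall logging only shows that a connection reached the watched port; correlate each hit with the Security log logon entries mentioned above to tie it to an account.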
