Solved

Log end user activity

Posted on 2013-01-18
Last Modified: 2013-12-06
Hi,

I need to find an end user monitoring solution for a client. They would like to log specific events:
- Every network share and file accessed by the user
- Every document name printed by the user
- Every file copied from network shares to local machine
- Every file copied onto external media (USB, CD, DVD etc)

The system does not need to be able to block the end user from performing any of these actions, simply to log the details of it for audit purposes.

Any suggestions or thoughts appreciated.
Thanks
Question by:Roger Adams
 
LVL 6

Expert Comment

by:mo_patel
ID: 38792343
Firstly, you need to enable auditing on the files/folders where the sensitive info is kept; then yes, you can get the info.

One thing to bear in mind is that if you do want to track everything, you will have far too much info there; it will take you ages to sift through it all, not to mention fill up the disk space. It will also be very expensive.

I recommend you explain this to clients and only enable auditing on key files/folders.

A best practice for this kind of situation is, once auditing is enabled, to use a SIEM utility to monitor the events and, if a match is found, to log the events into threads...

So basically you would have threads for:

i.e.
- logon events
- object access
- folder access etc
- log off events

To get event IDs, use this link:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

One thing to NOTE is that there is no COPY event; it's not that simple, so once you have enabled auditing and SIEM capture, you will have to test all this by accessing files, copying files, etc.

One such solution is NNT LogTracker... there are loads more on the market; they are not free and not cheap...
 
LVL 6

Expert Comment

by:mo_patel
ID: 38792358
Or, if you do have loads of free time and are good with SQL, you can use LogParser and write your own SIEM tool to download the logs into a SQL DB and then write your own queries to extract the info. It will never be as good as a paid version,

but at least it's an alternative...
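The do-it-yourself approach described in the two comments above (audit events loaded into a SQL DB, then queried by "thread"), sketched as an added example that is not part of the original posts. It uses Python's sqlite3 in place of LogParser and a SQL server; the sample rows are constructed, and the mapping of event IDs to threads is an assumption to verify against the event encyclopedia linked in the thread.

```python
import sqlite3

# Constructed sample rows standing in for exported Windows Security log
# events: (timestamp, event_id, account, target). Not real log data.
SAMPLE_EVENTS = [
    ("2013-01-18T09:00:02", 4624, "jdoe", "WKS-01"),
    ("2013-01-18T09:01:00", 4688, "jdoe", r"C:\Windows\notepad.exe"),
    ("2013-01-18T09:05:10", 5140, "jdoe", r"\\FS01\Finance"),
    ("2013-01-18T09:05:12", 4663, "jdoe", r"D:\Shares\Finance\budget.xlsx"),
    ("2013-01-18T09:06:40", 4663, "jdoe", r"D:\Shares\Finance\payroll.xlsx"),
    ("2013-01-18T09:30:00", 4663, "asmith", r"D:\Shares\HR\review.docx"),
    ("2013-01-18T17:01:00", 4634, "jdoe", "WKS-01"),
]

# Event ID -> thread. Thread names follow the comment above; the choice
# of event IDs is an assumption made for this example.
THREADS = {4624: "logon", 4634: "logoff",
           4663: "object access", 5140: "share access"}

def load(events):
    """Load events and the thread mapping into an in-memory SQL DB."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts TEXT, event_id INTEGER, "
               "account TEXT, target TEXT)")
    db.execute("CREATE TABLE threads (event_id INTEGER PRIMARY KEY, thread TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    db.executemany("INSERT INTO threads VALUES (?, ?)", list(THREADS.items()))
    return db

def thread_counts(db, account):
    """Events per thread for one account; unmapped IDs (4688 here) drop out."""
    rows = db.execute(
        "SELECT t.thread, COUNT(*) FROM events e "
        "JOIN threads t ON t.event_id = e.event_id "
        "WHERE e.account = ? GROUP BY t.thread", (account,))
    return dict(rows.fetchall())

def objects_accessed(db, account):
    """Audit trail of object-access events for one account, oldest first."""
    rows = db.execute(
        "SELECT ts, target FROM events "
        "WHERE account = ? AND event_id = 4663 ORDER BY ts", (account,))
    return rows.fetchall()

if __name__ == "__main__":
    db = load(SAMPLE_EVENTS)
    print(thread_counts(db, "jdoe"))
    print(objects_accessed(db, "jdoe"))
```

Restricting the `threads` table to a few event IDs is what keeps the volume manageable, in line with the earlier advice to audit only key files and folders.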
 
LVL 4

Accepted Solution

by:
JustMy2Cents earned 500 total points
ID: 38796204
You should take a look at a 3rd-party software solution called FileAudit, which allows tracking, auditing, reporting and alerting on all access to shares, files and folders on Windows servers.

Info and trial version:
http://www.isdecisions.com/products/fileaudit

P.S. I also noticed there is a new version coming (still in beta for now):
http://community.isdecisions.com/knowledgebase/articles/142333-fileaudit-4-beta-testing-program-how-to
