?
Solved

monitor unavuthorized access to laptop w/ Windows 7 pro

Posted on 2013-06-03
5
Medium Priority
?
336 Views
Last Modified: 2013-06-09
Hi guys,

We have a new project which involved laptops which connects via VPN over 3G to the a centralized center of operations.

The client requests to be notified on any intrusion detection which may occur to this laptop (i.e. - USB mass storage device connection, Ethernet connection other than the pre-configured etc...)

Can you kindly recommend us on a product which is able to communicate with remote center - and which will notify in real-time on such breaches?

The laptops are running win 7 Pro x64.

Thanks in advance
0
Comment
Question by:IT_Group1
  • 3
5 Comments
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 39217950
Symantec EndPoint Protection has the restriction that you want including notification.
The issue is that these laptops presumably are not domain based, i.e. each user may use their own laptop?

using SNMP with evntwin these can be configured to send out an SNMPTRAP to a specific target when an event you designate occurs. (event notification requires the presence of a connection as well as having an SNMPTRAPD server to which this will be sent.)

Configuring event log forwarding might also be an option to consider i.e. when the VPN is established, the eventlog data will be sync into the windows 2008 server.

As noted earlier the difficulty I see is whether the laptops are ever controlled by the person/entity requesting these types of notifications.  A more secure method would be to allow the laptop user access to a terminal server session ONLY while the terminal server is configured not to allow any Local storage/printer attachment.)
0
 

Author Comment

by:IT_Group1
ID: 39218161
Thank you Arnold.
I've forwarded your recommendations to our IT staff. Will get back if any other information will be necessary.
0
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points
ID: 39218340
1) Devicelock
http://www.devicelock.com/products/features.html

Tamper Protection. Configurable DeviceLock Administrators feature prevents anyone from tampering with DeviceLock settings locally, even users that have local PC system administration privileges.

Auditing. DeviceLock‘s auditing capability tracks user and file activity for specified device types, ports and network resources on a local computer. It can pre-filter audit activities by user/group, by day/hour, by port/device/protocol type, by reads/writes, and by success/failure events

Network-Awareness. Administrators can define different online vs. offline security policies for the same user account. A reasonable and often necessary setting on a mobile user’s laptop, for example, is to disable WiFi when docked to the corporate network and enable it when undocked.

Alerting. DeviceLock provides both SNMP and SMTP based alerting capabilities driven by DeviceLock DLP endpoint events for real time notification of sensitive user activities on protected endpoints on the network.

2) Splunk (or SIEM) type based using the evt or evtx log send (as syslog or from snare agent) from the AD or even from the client standalone if need to

http://www.splunk.com/view/splunk-app-for-windows/SP-CAAAHTE

Monitor CPU, memory, network and disk utilization across one or more systems
Monitor Windows Update successful and failed packages, application installations and application crashes on hosts across your environment
Monitor all Windows event logs across your environment, including Application, System and Security

Likewise Splunk has a Enterprise App security from most security device deployed within the Enterprise, pls see below
http://docs.splunk.com/Documentation/ES/2.4/CreateTA/Out-of-the-boxsourcetypes

E.g. OSSEC which has intrusion alert flagged centrally to Splunk as overall @ http://docs.splunk.com/Documentation/ES/latest/CreateTA/Example2OSSEC
0
 

Author Comment

by:IT_Group1
ID: 39232590
Guys, thanks for all the alternatives.
We still haven't decided, so for now I'll grant the point evenly.
0
 

Author Closing Comment

by:IT_Group1
ID: 39232592
Very good, thanks
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, we’ll look at how to deploy ProxySQL.
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question