RE: Logging admin access to workstations
From: Michael Perez (mperez@taltrade.com)
Date: 03/14/02
- Previous message: Charley Hamilton: "Re: A question about logon banners (long)"
- Maybe in reply to: Alan Cooper: "Logging admin access to workstations"
- Next in thread: Security: "Re: Logging admin access to workstations"
Date: Thu, 14 Mar 2002 13:05:41 -0600
From: "Michael Perez" <mperez@taltrade.com>
To: "Alan Cooper" <imalcooper@yahoo.com>, <security-basics@securityfocus.com>
Start by turning on auditing on all machines. Specifically:
Audit Account Logon Events - this will record the success or failure of a user to authenticate to the local computer across the network.
Audit Logon events - this records the success or failure of a user to interactively log on to the local machine.
Be sure to increase the size of your security log as it can fill up quickly. This can be easily done through group policies.
Also check the VPN logs to match against the security logs to pinpoint the exact time she VPNs from home.
I also use a product called Eventlog Monitor from GFI that continually scans eventlogs of machines and will email you depending on what type of action and severity is found.
MP
-----Original Message-----
From: Alan Cooper [mailto:imalcooper@yahoo.com]
Sent: Wednesday, March 13, 2002 12:22 PM
To: security-basics@securityfocus.com
Subject: Logging admin access to workstations
I have a potential hacker on our corporate LAN who has
network-wide administration rights and may be copying
confidential files from several executive
workstations. This is a Windows environment and the
workstations involved are Windows 2000 Pro and NT.
The person suspected is extremely sharp and I need to
do this without her knowledge. It is unlikely that
we could use a keyboard-logging program since she is
using a laptop (asking for the laptop may arouse her
suspicions). She also VPN's from home and I have no
access to her home systems.
Is there a program that we can run on Win 2000 and NT
workstations that will log all access attempts, tell
me what they are doing if access is granted, their IP
address, time of day, etc? Is there a better way to
approach this problem?
Thanks for your help.
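The log matching suggested in the reply above, as an added example that is not part of the original thread: it labels each logon event for one account with the VPN session it falls inside, widening each window to allow for clock drift between the VPN server and the workstations. The account names, computer names, record layouts and sample rows are constructed; the event IDs are the Windows 2000 Security log IDs for successful logon (528, 540) and failed logon (529).

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Windows 2000 Security log: 528 = logon, 540 = network logon, 529 = failed logon
LOGON_IDS = {528, 540, 529}

# Constructed sample data; the column layout of both exports is an assumption.
# VPN log: account, session start, session end
VPN_SESSIONS = [
    ("jdoe", "2002-03-12 20:01:10", "2002-03-12 21:30:00"),
    ("jdoe", "2002-03-13 19:45:00", "2002-03-13 20:15:00"),
]
# Security log export: time, computer, event ID, logon type, account
SECURITY_EVENTS = [
    ("2002-03-12 20:14:55", "EXEC-WS1", 540, 3, "jdoe"),
    ("2002-03-12 20:15:02", "EXEC-WS1", 529, 3, "jdoe"),
    ("2002-03-12 22:40:00", "EXEC-WS2", 540, 3, "jdoe"),
    ("2002-03-13 09:05:00", "EXEC-WS1", 528, 2, "asmith"),
    ("2002-03-13 20:16:30", "EXEC-WS3", 540, 3, "jdoe"),
]

def parse(ts):
    return datetime.strptime(ts, FMT)

def correlate(events, sessions, account, skew=timedelta(minutes=2)):
    """Match logon events for `account` against that account's VPN sessions.

    Returns (time, computer, event_id, logon_type, session) tuples in time
    order; session is the matching (start, end) pair, or None when the event
    falls outside every VPN window (for example, a logon from the LAN).
    """
    account = account.lower()
    windows = [(parse(s), parse(e)) for u, s, e in sessions if u.lower() == account]
    results = []
    for ts, computer, event_id, logon_type, user in events:
        if event_id not in LOGON_IDS or user.lower() != account:
            continue
        when = parse(ts)
        match = next(((s, e) for s, e in windows if s - skew <= when <= e + skew), None)
        results.append((when, computer, event_id, logon_type, match))
    return sorted(results, key=lambda r: r[0])

if __name__ == "__main__":
    for when, computer, event_id, logon_type, session in correlate(
            SECURITY_EVENTS, VPN_SESSIONS, "jdoe"):
        origin = "VPN session from %s" % session[0] if session else "no VPN session"
        print(when, computer, event_id, "type", logon_type, "-", origin)
```

Events that match no VPN window are worth as much attention as the ones that do, since they place the account on the LAN or on another access path at that time.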