RE: Remote OS Monitoring



Jason,

If you have a few workstations you want to monitor, you may choose to do
the following:

1) disable the use of EFS through Group Policy
2) enable auditing
3) audit the use of the Windows attrib program

Local manipulations of the files and directories result in events being
written to the local event logs. These logs will need to be monitored
for specific event IDs by hand or with a custom VB script, for instance.

Attrib is used to remove masking bits.

Alternatively, if you want to monitor a large number of machines, and
have the budget, you can use NetIQ or Prism Microsystems' suite of
products.

Each of the examples you want to detect will trigger an event that you
can monitor for. If you can remove administrative access from the
user(s) you are concerned with, you will have solved most of your
concerns. Non-admins could still use EFS.

Best Regards,
Scott Ramsdell
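An added example of steps 2 and 3 from the reply above, written as a PowerShell script rather than the VB script the reply mentions; this is not code from the original thread. It assumes a Windows host (Vista/Server 2008 or later) where "Process Creation" auditing has been enabled with the built-in auditpol tool so that Security event ID 4688 is written (on XP/2003 the equivalent event is 592), and it is run from an elevated prompt. The function names Get-AttribUsage and Get-FlaggedFiles and the default scan path C:\Users are this example's own choices.

```powershell
# Added example, not part of the original post.
# Assumes: Vista/2008 or later, elevated prompt, process-creation auditing on.
# Step 1 of the reply (disabling EFS) is done in Group Policy, not here;
# Get-FlaggedFiles only inventories what is already encrypted or hidden.

# --- Step 2: enable success auditing for the "Process Creation" subcategory.
# Without this, no 4688 events exist for Get-AttribUsage to find.
# auditpol /set /subcategory:"Process Creation" /success:enable

# --- Step 3: report every launch of attrib.exe recorded in the Security log.
function Get-AttribUsage {
    param([int]$MaxEvents = 5000)

    # FilterHashtable is applied by the event log service itself, which is
    # much cheaper than pulling every event and filtering with Where-Object.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the fields from the event's XML instead of parsing the
        # localized Message text, which varies by language and version.
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['NewProcessName'] -like '*\attrib.exe') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['NewProcessName']
                # CommandLine is populated only when command-line auditing is
                # turned on (ProcessCreationIncludeCmdLine_Enabled); otherwise
                # it is empty and only the fact of the launch is recorded.
                CommandLine = $data['CommandLine']
            }
        }
    }
}

# --- Baseline for step 1: list files under a path that currently carry the
# Encrypted (EFS) or Hidden attribute, so later changes can be compared.
function Get-FlaggedFiles {
    param([string]$Path = 'C:\Users')   # assumed default; adjust as needed

    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0) -or
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        } |
        Select-Object FullName, Attributes, LastWriteTime
}

Get-AttribUsage  | Format-Table -AutoSize
Get-FlaggedFiles | Format-Table -AutoSize
```

Running the script once after the audit policy is in place gives a list of who launched attrib.exe and when, plus a snapshot of encrypted and hidden files; comparing successive snapshots is what catches the "user hid a directory" and "user implemented EFS" cases from the original question. On a larger fleet the same two functions can be run remotely with Invoke-Command, which is the point at which the reply suggests moving to a commercial product instead.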



-----Original Message-----
From: Jason T. Hallahan [mailto:jthallah@xxxxxxxxx]
Sent: Tuesday, May 23, 2006 12:01 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Remote OS Monitoring

Hello and good day,

Say you have a Windows environment where all clients reside on the same
workgroup, connect through a Domain Controller, and are administered by
Active Directory. Are there any tools or techniques out there that allow
for remote monitoring (somewhat if not totally
transparent) at any finer level of granularity? Specifically, being able
to tell things like:

*User of a box has implemented EFS (Encrypted File System) possibly to
hide information.
*User of a box has hidden a directory or file using either Windows
functions or 3rd party software.
*User is unmasking and/or viewing hidden/protected system files.
*User is removing Read-Only protection on a directory or file.
*User is manipulating SYSTEM.DAT, NTUSER.DAT, INDEX.DAT or any other
registry entries or registry hives.

Does anyone know of such capabilities?

Thanks,
Jason


This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent to you in error, please contact the sender for instructions concerning return or destruction, and do not use or disclose the contents to others.


