Re: logging data accessed by user
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/26/05
- Next message: Kenneth Bryant: "Re: Event Viewer"
- Previous message: Roger Abell: "Re: INFOSEC/NACOSA sec. templates and EXPANDING the AD SChema?"
- In reply to:(deleted message) jas0n: "logging data accessed by user"
- Next in thread: jas0n: "Re: logging data accessed by user"
Date: Tue, 26 Apr 2005 07:02:50 -0700
Before you implement this, consider whether it will actually do
what you are after. Yes, you could use a group that contains the
accounts of concern (I would highly recommend not using Users
or equivalent broad groups, but a more narrow custom group)
and set a SACL to trigger event messages on all accesses.
However, what I question is whether you would actually be able
to make use of the information, whether you would really monitor
the generated data and be able to detect "abnormal, suspect" access
patterns. Beyond that, I question whether, even if you did monitor
the event log and detect such accesses within an actionable time,
you then could/would be able to do anything about it. One day
delay in taking action means the data travelled home that night.
--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4)
MCDBA

"jas0n" <no@email.here> wrote in message
news:MPG.1cd811ebfcc71ec4989685@news.microsoft.com...
> We want to log what data is being accessed by each user. It's been
> prompted by the large scale use of USB memory sticks. (We decided the
> benefits of them for our traveling laptop folk outweighed the downsides)
>
> I'm thinking we can't log what's being copied to memory sticks in
> particular, but we should be able to log which user is accessing which
> files and when.
>
> It's a single w2k native domain, spread over many sites.
>
> This would give us an idea if large numbers of files the user wouldn't
> normally access at once are accessed. This would indicate they were
> being copied somewhere.
>
> What would be best to use for this?
>
> .... we already lock everything down with groups and access lists, etc -
> our management have the idea when users decide they are leaving for the
> competition they are copying all the relevant data they have access to
> and taking it with them.
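The check discussed in this thread (one user touching many distinct files in a short time, found soon enough to act on) can be sketched as a sliding-window count over audit records. This is an added example, not part of the original post: it assumes the SACL-generated events have already been exported and parsed into (time, user, path) tuples, and the function names, sample records, window and threshold are all hypothetical.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def at(hhmm):
    """Helper for the constructed sample data: a time on one fixed day."""
    return datetime.strptime("2005-04-26 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample records standing in for parsed object-access events.
# alice re-opens two files all morning; bob opens eight different files
# within a few minutes at the end of the day.
SAMPLE_EVENTS = (
    [(at("09:%02d" % m), "alice", r"\\fs1\sales\q1.xls") for m in range(0, 50, 5)]
    + [(at("09:30"), "alice", r"\\fs1\sales\q2.xls")]
    + [(at("17:%02d" % (40 + i)), "bob", r"\\fs1\designs\part%02d.dwg" % i)
       for i in range(8)]
)

def flag_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {user: (time, distinct_files)} for the first moment each user
    has touched at least `threshold` distinct files within `window`."""
    recent = defaultdict(deque)                     # user -> (time, path) in window
    counts = defaultdict(lambda: defaultdict(int))  # user -> path -> hits in window
    alerts = {}
    for ts, user, path in sorted(events):
        queue, seen = recent[user], counts[user]
        queue.append((ts, path))
        seen[path] += 1
        # Evict accesses that have aged out of the window, so repeated opens
        # of the same few files over a long day never accumulate.
        while ts - queue[0][0] > window:
            _, old_path = queue.popleft()
            seen[old_path] -= 1
            if seen[old_path] == 0:
                del seen[old_path]
        if len(seen) >= threshold and user not in alerts:
            alerts[user] = (ts, len(seen))
    return alerts

if __name__ == "__main__":
    for user, (ts, n) in flag_bursts(SAMPLE_EVENTS).items():
        print("%s: %d distinct files within 10 min by %s" % (user, n, ts))
```

Counting distinct paths rather than raw events keeps a user who repeatedly saves one document from looking like a bulk copy; the threshold would need tuning against each group's normal working pattern.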