Re: logging data accessed by user

From: sam (sam_at_discussions.microsoft.com)
Date: 04/28/05 

Date: Thu, 28 Apr 2005 08:32:11 -0700

Hi Guys,

Have a look at Intrust software from quest. Its a nice tool for logs.

"jas0n" wrote:

> In article <MPG.1cd8cadd39a36324989688@news.microsoft.com>,
> no@email.here says...
> > In article <#vgMXgmSFHA.3444@tk2msftngp13.phx.gbl>, mvpNOSpam@asu.edu
> > says...
> > > Before you implement this, consider whether it will actually do
> > > what you are after. Yes, you could use a group that contains the
> > > accounts of concern (I would highly recommend not using Users
> > > or equivalent broad groups, but a more narrow custom group)
> > > and set a SACL to trigger event messages on all accesses.
> > >
> > > However, what I question is whether you would actually be able
> > > to make use of the information, whether you would really monitor
> > > the generated data and be able to detect "abnormal, suspect" access
> > > patterns. Beyond that, I question whether even if you did monitor
> > > the event log and detect such accesses within an actionable time
> > > if then you could/would be able to do anything about it. One day
> > > delay in taking action means the data travelled home that night.
> > >
> >
> > Yes, its one of these top level 'wish list' items that just wont work in
> > the real world - that was my thinking as well. It would put a general
> > strain on things and hardly be utilised.
> >
> > I mean, what could you call the group for starters, the 'untrusted'? ;)
> >
> > I guess it may give them an idea of what could have gone ... although,
> > its not like we're internal country security or something!
> >
>
> ive since found gfi.com do a product that can lock down using groups all
> removable storage items including usb sticks, cameras, cdrw, floppies,
> etc ...
>
> .... that would go some way to only giving access to removing data using
> these devices but doesnt stop them simply printing it and putting it in
> the briefcase!!
>
>