
Auditing what a user does - possible software ideas.

microsoft.public.windows.server.security
Posted by David Naffy on April 9, 2008, 6:24 am
Hi there,

We've a requirement to audit certain users as to EXACTLY what they access
all day long. This is mainly for use through VPN as well (we use Microsoft
VPN server). This requirement is quite 'oh log everything please' from the
people asking us to implement so it is not very specific.

What I believe they want is:
See what time a user connects. See what they connect to. See what shares
they access and see what they do. See how long they are connected to VPN for
and see what they have done, what servers they have been on etc. Really
anything that involves server access more than desktop.

They want this logged to a central place so they (or me) can run reports
against it. A typical report may be:
"Can you tell me why user A was connected to VPN. I'm concerned why they
needed to access. Can you find out roughly what they did" OR
"Can you check who has been logging on to server A. People should not be for
any reason"

I don't want to script any of these myself and don't want a home built
option to suit their needs.

What software would be ideal for this? We would obviously look to be
evaluating a few.

Or more interesting - has anyone had similar requirements and what have you
implemented?


Would appreciate any help or comments.

Thanks.



Posted by Al Dunbar on April 9, 2008, 8:02 pm
And if the same people said they had a requirement to build a production
facility on Mars next fall, I guess that would pretty much make it actually
happen, wouldn't it? What if they had a requirement for the software
development division to come up with marketing software that would allow
them to take over the sector from all their competitors?

If only it were so easy to accomplish things as to just declare requirements
for others to fulfil... sigh...

There is no point in non-technical people in your company asking for things
without there first being a feasibility study of some kind to see, for
example, whether these things are even possible. Rather than asking for
everything they think they might want while hoping that what they get will
meet their minimum requirements, they would be far better off stating what
their actual requirements are. Given a set of realistic goals, you might
stand half a chance of coming close to what is really needed.

That said, the simplest solution would be for those needing the audit
information to sit beside the users and actually observe what they are
doing. And if they need to know things like why a particular user needed to
access something they could simply ask the person to explain. No amount of
auditing using technologies available today is capable of revealing why a
user has done something. This may seem like overkill (it is), but they
should realize that simply knowing what a person accesses could feasibly
take the same level of mental exertion as the task of accessing the
information in the first place.

And further, if they want the audit info to be logged centrally, then they
are likely going to reduce the VPN user's productivity by beating up the
available bandwidth.

Given that you seem to be only able to guess as to what they might actually
want, I would strongly recommend that you formally ask them to specify what
it is they need (and why they need it) so you can begin a dialog that might
actually get them somewhere.

I agree that you definitely do not want this to become a scripting project,
as it will never end and you will most likely be seen as the weak link as a
result. Better to offer to write the script that will ensure that the
production facility will open on Mars in the fall.

As far as commercial software to do this, well, again, they need to specify
what it is they actually need. If their request is not particularly unusual,
surely this kind of software must be readily available. Maybe someone else
has seen it somewhere.


/Al

> Hi there,
>
> We've a requirement to audit certain users as to EXACTLY what they access
> all day long. This is mainly for use through VPN as well (we use Microsoft
> VPN server). This requirement is quite 'oh log everything please' from the
> people asking us to implement so it is not very specific.
>
> What I believe they want is:
> See what time a user connects. See what they connect to. See what shares
> they access and see what they do. See how long they are connected to VPN
> for and see what they have done, what servers they have been on etc.
> Really anything that involves server access more than desktop.
>
> They want this logged to a central place so they (or me) can run reports
> against it. A typical report may be:
> "Can you tell me why user A was connected to VPN. I'm concerned why they
> needed to access. Can you find out roughly what they did" OR
> "Can you check who has been logging on to server A. People should not be
> for any reason"
>
> I don't want to script any of these myself and don't want a home built
> option to suit their needs.
>
> What software would be ideal for this? We would obviously look to be
> evaluating a few.
>
> Or more interesting - has anyone had similar requirements and what have
> you implemented?
>
>
> Would appreciate any help or comments.
>
> Thanks.
>
>



Posted by lforbes on April 9, 2008, 11:11 pm
Hi,

I, personally, have not found any 3rd party software to log what people "do"
on the computer except KeyLogger which runs locally and logs keystrokes.

I personally log two things:

Logons and Logoffs using MySql Server with KIX login scripts.
All Internet Traffic using Microsoft ISA 2004 with Authentication enabled.

I use NTFS to restrict what users can access what files so I really don't
care how many times they open their My Documents. They have no access to
anything they don't need to have access to so that isn't an issue.

I also use Mandatory profiles and folder redirection and I restrict what
applications they can run.

I lock everything down tight with Group Policy also.

I have Windows 2003 R2 with File Type Manager running that restricts my
users from saving any file types except .txt, .doc, .xls etc and the ones
needed for OS like .dat.

My policy is lock everything as tight as possible and then open up access as
needed. Then I have no reason to log what they do because they are doing what
they are allowed to do.

Cheers,
Lara


"David Naffy" wrote:

> Hi there,
>
> We've a requirement to audit certain users as to EXACTLY what they access
> all day long. This is mainly for use through VPN as well (we use Microsoft
> VPN server). This requirement is quite 'oh log everything please' from the
> people asking us to implement so it is not very specific.
>
> What I believe they want is:
> See what time a user connects. See what they connect to. See what shares
> they access and see what they do. See how long they are connected to VPN for
> and see what they have done, what servers they have been on etc. Really
> anything that involves server access more than desktop.
>
> They want this logged to a central place so they (or me) can run reports
> against it. A typical report may be:
> "Can you tell me why user A was connected to VPN. I'm concerned why they
> needed to access. Can you find out roughly what they did" OR
> "Can you check who has been logging on to server A. People should not be for
> any reason"
>
> I don't want to script any of these myself and don't want a home built
> option to suit their needs.
>
> What software would be ideal for this? We would obviously look to be
> evaluating a few.
>
> Or more interesting - has anyone had similar requirements and what have you
> implemented?
>
>
> Would appreciate any help or comments.
>
> Thanks.
>
>
>
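
The two reports asked for in the original post ("who has been logging on to server A" and how long a user was connected), run over the kind of central logon/logoff table described in the reply above. This is an added example, not code from any poster in the thread; the row layout, user and host names and the sample rows are assumptions constructed for illustration. It also flags logons that never got a matching logoff, which is what a script-written table contains after a dropped VPN link or a crash.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample rows in a hypothetical central table written by
# logon/logoff scripts: (timestamp, user, host, event).
ROWS = [
    ("2008-04-09 08:01:10", "usera", "SERVERA", "LOGON"),
    ("2008-04-09 08:45:00", "userb", "SERVERB", "LOGON"),
    ("2008-04-09 09:30:40", "usera", "SERVERA", "LOGOFF"),
    ("2008-04-09 10:00:00", "userc", "SERVERA", "LOGON"),   # no LOGOFF follows
    ("2008-04-09 11:15:00", "userb", "SERVERB", "LOGOFF"),
    ("2008-04-09 13:00:00", "userc", "SERVERA", "LOGON"),
    ("2008-04-09 13:20:00", "userc", "SERVERA", "LOGOFF"),
]
FMT = "%Y-%m-%d %H:%M:%S"

def build_sessions(rows):
    """Pair each LOGON with the next LOGOFF for the same (user, host).
    A LOGON followed by another LOGON is recorded with end=None rather
    than being merged or dropped; a LOGOFF with no open LOGON is ignored."""
    open_at, sessions = {}, []
    for ts, user, host, event in sorted(rows):      # ISO timestamps sort as text
        key = (user.lower(), host.upper())
        when = datetime.strptime(ts, FMT)
        if event == "LOGON":
            if key in open_at:
                sessions.append((*key, open_at[key], None))
            open_at[key] = when
        elif event == "LOGOFF" and key in open_at:
            sessions.append((*key, open_at.pop(key), when))
    for key, start in open_at.items():              # still open at end of data
        sessions.append((*key, start, None))
    return sorted(sessions, key=lambda s: s[2])

def who_logged_on(sessions, host):
    """Report: distinct users with any session on the given host."""
    return sorted({u for u, h, _, _ in sessions if h == host.upper()})

def time_on_host(sessions, host):
    """Report: total connected time per user, closed sessions only."""
    totals = defaultdict(timedelta)
    for user, h, start, end in sessions:
        if h == host.upper() and end is not None:
            totals[user] += end - start
    return dict(totals)

def unterminated(sessions):
    """Sessions with no logoff record; duration is unknown, not zero."""
    return [(u, h, s.strftime(FMT)) for u, h, s, e in sessions if e is None]
```

A report built this way shows who connected, where and for how long; it does not show why, which is the limit Al Dunbar's reply points out.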
