How to audit one specific user?

Discussion in 'Server Networking' started by SteveP, Jun 15, 2006.

  1. SteveP

    SteveP Guest

    May I have suggestions on how to audit one specific user on my network that I
    suspect is downloading inappropriate music, video and other materials?

    I don't even know all that might be happening, thus the need to find out.
     
    SteveP, Jun 15, 2006
    #1

  2. Hi Steve,

    It appears to be a cross-Newsgroup posting and I have already answered in
    that thread. Please check my answer there.

    In the future, I'd like to suggest that you not cross-post the same question
    in multiple newsgroups. This will help our engineers work on your question
    more efficiently. Your understanding and cooperation are appreciated.

    For your convenience, I have included my reply as follows:
    =========================
    Hi Steve,

    I think just blocking web sites is not enough. I think you should block the
    data stream. Based on my knowledge, ISA can do such a job. If you wish, you
    can post in the ISA newsgroup for more information about this. Sorry, I'm
    not an ISA specialist.

    Have a good day!
    ===========================


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

    ======================================================
    Get Secure! - www.microsoft.com/security
    ======================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from this issue.
    ======================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.
    ======================================================



    --------------------
     
    Vincent Xu [MSFT], Jun 16, 2006
    #2

  3. SteveP

    SteveP Guest

    Hi Vincent:

    I feel my two questions were separate and distinct.

    One dealt with a third party firewall and what to apply filters to.

    The second question pertains to auditing a particular user on my network to
    look for inappropriate behavior.

    I welcome your help as always!
     
    SteveP, Jun 16, 2006
    #3
  4. Hi Steve,

    Sorry for my mistake.

    Here is the situation:

    We can monitor the network traffic by using a firewall, but the precondition
    is that the network traffic goes through the firewall.

    For example, when you try to access an external web site, the data stream
    goes through the firewall, but if you try to access an internal resource,
    the traffic may not go through the firewall and we are unable to monitor it.


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 16, 2006
    #4
  5. SteveP

    SteveP Guest

    Hi Vincent:

    I'm sorry for not being clear with my questions.

    My 3COM router (T1 connection) and my Cox Cable router (cable connection) are
    both also firewalls.

    Both firewalls have a place in them where I can type the addresses of sites
    outside my network on the internet that I do not want my users to go to.
    Such as Napster, Bearshare, bittorrent and places like that. I want to stop
    the downloading of music, videos, porn, etc.

    I don't know the names and addresses of the major sites that my users go to
    for the purpose of downloading this non-work related stuff.

    So, I am asking for a link (or list) to a list of these major sites so I can
    enter them in the firewalls and prevent user access to them.
     
    SteveP, Jun 16, 2006
    #5
  6. SteveP

    SteveP Guest

    Hi Vincent:

    The second question deals with something else. I have been ordered to allow
    a 12 year old child onto my network for the summer. With all the privileges
    of a regular user. So, I set up a user account, internet, e-mail, printers,
    everything just like a regular user. But this is not a regular user.
    Accidental damage could be done to important data on the network by this
    youngster.

    I want to heavily monitor this one specific computer so I can tell where the
    young user is going and what the user is downloading, etc. To me this is
    self defense.

    How can I heavily monitor/audit the activities of this one user and computer?
     
    SteveP, Jun 16, 2006
    #6
  7. 1. Don't have him in the normal Domain Users Group.
    2. Make a new Group. Call it "Little Brats" or something creative :)
    3. Add the kid to the Group
    4. Make the Group "Little Brats" the Primary group of the account.
    5. Remove the kid from the Domain Users Group
    6. Now he can only access whatever the Little Brats Group (and the group
    "Authenticated Users") is given permission to access,....which initially,
    starting out,..is pretty much nothing.
     
    Phillip Windell, Jun 16, 2006
    #7
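
The six steps in the post above, written out with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. The module postdates this thread, and the account name, group name and container DN are hypothetical placeholders.

```powershell
# Added example: all names below are hypothetical placeholders, not from the thread.
Import-Module ActiveDirectory

$User      = 'summer.guest'                   # hypothetical sAMAccountName of the restricted account
$GroupSam  = 'RestrictedGuests'               # hypothetical sAMAccountName for the new group
$GroupPath = 'CN=Users,DC=example,DC=local'   # hypothetical container DN

# Steps 2-3: create a global security group and add the account to it.
# A primary group has to be a global or universal security group.
New-ADGroup -Name 'Restricted Guests' -SamAccountName $GroupSam `
            -GroupScope Global -GroupCategory Security -Path $GroupPath
Add-ADGroupMember -Identity $GroupSam -Members $User

# Step 4: the user's primaryGroupID attribute holds the group's RID,
# which Active Directory exposes on the group as primaryGroupToken.
$Group = Get-ADGroup -Identity $GroupSam -Properties primaryGroupToken
Set-ADUser -Identity $User -Replace @{ primaryGroupID = $Group.primaryGroupToken }

# Steps 1 and 5: Domain Users can only be removed once it is no longer
# the account's primary group, which is why step 4 comes first.
Remove-ADGroupMember -Identity 'Domain Users' -Members $User -Confirm:$false

# Step 6 check: list the remaining memberships. "Authenticated Users" is an
# implicit identity added at logon, so it does not appear in this list.
Get-ADPrincipalGroupMembership -Identity $User | Select-Object -ExpandProperty Name
```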
  8. SteveP

    SteveP Guest

    Hi Philip:

    Sounds good.

    Any idea how I can monitor what the young person is up to as in downloading,
    etc.?
     
    SteveP, Jun 16, 2006
    #8
  9. I'm afraid the "Star Trek" era has not yet arrived. :)

    Firewall devices typically keep logs of the internet access. But getting the
    data out of the logs in a quick, convenient, and usable format is another
    story. There are special products (read $$$$) that are designed for that
    type of stuff that work as "add-ons" to firewalls and/or proxy servers.

    Internal accesses can be audited by turning on auditing for the resource,...
    but keep in mind that you are auditing the resources being accessed not the
    user accessing them. You can't very well turn on auditing for every
    possible resource,...there isn't anything large and powerful enough to
    manage that amount of data.

    Then there are logs within Applications.....

    Then there are logs produced by database systems like MS SQL Server,....

    Then there are Web Server logs....

    Then there are.....,and then......, and then......

    In other words the answer is,..... I'm afraid the "Star Trek" era has not yet
    arrived where you just ask the computer what the little brat has been doing
    and it tells you all of it in a nice pleasant voice. :)
     
    Phillip Windell, Jun 16, 2006
    #9
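
Turning on auditing for one internal resource, as the post above describes, and reading the resulting events back for one account. This is an added example that is not part of the original post; it uses current Windows tooling (`auditpol`, event ID 4663) that postdates the thread, and the folder path, group and account names are hypothetical placeholders.

```powershell
# Added example: path, group and account names are hypothetical placeholders.
# Run elevated on the file server that hosts the folder.
$Path    = 'D:\Shares\Finance'           # hypothetical folder worth watching
$Group   = 'EXAMPLE\RestrictedGuests'    # hypothetical group holding the one account
$Account = 'summer.guest'                # hypothetical sAMAccountName

# 1. Enable the File System audit subcategory; without it the SACL below logs nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) to this one folder, limited to the one group,
#    so accesses by everyone else do not flood the Security log.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group, 'ReadData, WriteData, Delete',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read object-access events (ID 4663) and keep those raised by the account.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 2000 |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the named <Data> fields of the event into a lookup table.
        foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            User   = $data['SubjectUserName']
            Object = $data['ObjectName']
            Access = $data['AccessMask']
        }
    } |
    Where-Object { $_.User -eq $Account } |
    Sort-Object Time |
    Format-Table -AutoSize
```

This covers only the folders that carry the audit entry; traffic to the internet still has to be read from the firewall or proxy logs.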
  10. SteveP

    SteveP Guest

    Yes, it's a big issue right now with me. I found a freeware monitoring
    program called Advanced Remote, but it is cumbersome.

    I can't believe I can't monitor a computer on the network I am responsible
    for.
     
    SteveP, Jun 16, 2006
    #10
  11. PC.

    Those warnings are typically overrated and exaggerated. There is a lot of
    "fear mongering" out there. Virus & spyware typically are only monitoring
    the one thing or category of things that they are designed to be particularly
    interested in. In reality, they don't monitor "all the actions" of a user
    as most of the warnings try to make you think.
     
    Phillip Windell, Jun 16, 2006
    #11
  12. I have no trouble believing it at all. On the other hand I do not believe
    people (fully) when they claim they can,...particularly in an efficient way
    that is actually worth bothering with.

    I am fully capable of watching Star Trek or other Hollywood Movies and then
    not try to expect I can do on my real-life network what they do in the
    movies. ;-)

    Compared to the fantasy of movies,...real life computer systems still start
    with a "pull rope" and we still rub two sticks together to start a fire.
     
    Phillip Windell, Jun 16, 2006
    #12
  13. SteveP

    SteveP Guest

    Thanks, Gents.

    I had hoped to locate a list of the most commonly accessed and abused sites
    for downloads and P2P.

    I'm surprised that everyone on a network doesn't have a list they filter out
    on their firewall. Do you other network guys and gals even filter anything
    out?
    --
    Thanks, Steve


     
    SteveP, Jun 16, 2006
    #13
  14. Now as far as Internet browsing control,...that you might find. But most of
    those are going to be accompanied by web filtering applications that you
    have to buy ($$$) that uses the list, and the list you have to pay an
    ongoing subscription. SurfControl (www.surfcontrol.com) is one such
    product, but there are many others out there.

    A couple problems with those lists:

    1. They constantly change. It is almost as bad as keeping up with the email
    addresses used by spammers that are already fake to start with.

    2. Nobody can really agree on what is a "bad" site.

    3. The lists may have to be formatted in a special way for an application to
    use them and there is no real standard "one-size-fits-all" format.

    4. Some filtering systems don't even use a formatted list,...the items are
    stored in a proprietary database or in the Windows Registry. Heck even
    Internet Explorer stores all of the Security Zone entries in the registry
    with each "site" being a separate and distinct registry entry. A huge site
    list will create a Registry of a massive size,...guess what that does to
    Windows's performance considering that most (if not all) of the registry is
    held in RAM while Windows is running.

    The computer industry is still in the "Bronze Age" in the grand scheme of
    things,...but at least we are past the Stone Age (like Punch Cards, old Main
    Frames and DOS)
    :)

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
     
    Phillip Windell, Jun 16, 2006
    #14
  15. SteveP

    Bryce Guest

    Have you thought about Watchguard? I have an x700 at our gateway and have
    the webblocker service running. It blocks pretty much anything that is
    undesirable with a database it keeps current locally. You can choose which
    types of things the users can't get to. It's kept up to date as far as we
    can tell. There is a fee for it of course, but it is well worth its money;
    it keeps people working and on task.

    If it's too much of a problem with a worker though, it seems cheaper to get
    rid of 'em.

    Just my 2 cents.

    Bryce.


     
    Bryce, Jun 17, 2006
    #15
  16. Hi Steve,

    It is really a long thread. :)

    Actually I think your concern is that you can monitor the network traffic but
    it is complex. Right? It is true. All information we get is from the firewall
    log which is other than some remote control software. However, I suspect
    that your purpose is not to monitor all of the youngster's activity. :)


    Best regards,

    Vincent Xu
    Microsoft Online Partner Support

     
    Vincent Xu [MSFT], Jun 19, 2006
    #16
  17. Yep. I know. I also notice that AV companies don't mind allowing this
    Exactly!

    Same with the Zone Alarm and other personal firewall stuff.
     
    Phillip Windell, Jun 19, 2006
    #17