
logging data accessed by user

Tags:
  • Windows
Anonymous
April 26, 2005 1:54:20 PM

Archived from groups: microsoft.public.win2000.security

We want to log what data is being accessed by each user. It's been
prompted by the large-scale use of USB memory sticks. (We decided the
benefits of them for our traveling laptop folk outweighed the downsides.)

I'm thinking we can't log what's being copied to memory sticks in
particular, but we should be able to log which user is accessing which
files and when.

It's a single W2K native domain, spread over many sites.

This would give us an idea if large numbers of files the user wouldn't
normally access at once are accessed. This would indicate they were
being copied somewhere.

What would be best to use for this?

..... we already lock everything down with groups and access lists, etc. -
our management have the idea that when users decide they are leaving for the
competition they are copying all the relevant data they have access to
and taking it with them.


Anonymous
April 26, 2005 1:54:21 PM


Before you implement this, consider whether it will actually do
what you are after. Yes, you could use a group that contains the
accounts of concern (I would highly recommend not using Users
or equivalent broad groups, but a more narrow custom group)
and set a SACL to trigger event messages on all accesses.

However, what I question is whether you would actually be able
to make use of the information, whether you would really monitor
the generated data and be able to detect "abnormal, suspect" access
patterns. Beyond that, I question whether even if you did monitor
the event log and detect such accesses within an actionable time
if then you could/would be able to do anything about it. A one-day
delay in taking action means the data travelled home that night.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"jas0n" <no@email.here> wrote in message
news:MPG.1cd811ebfcc71ec4989685@news.microsoft.com...
> We want to log what data is being accessed by each user. It's been
> prompted by the large-scale use of USB memory sticks. (We decided the
> benefits of them for our traveling laptop folk outweighed the downsides.)
>
> I'm thinking we can't log what's being copied to memory sticks in
> particular, but we should be able to log which user is accessing which
> files and when.
>
> It's a single W2K native domain, spread over many sites.
>
> This would give us an idea if large numbers of files the user wouldn't
> normally access at once are accessed. This would indicate they were
> being copied somewhere.
>
> What would be best to use for this?
>
> .... we already lock everything down with groups and access lists, etc. -
> our management have the idea that when users decide they are leaving for the
> competition they are copying all the relevant data they have access to
> and taking it with them.
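As an added example (not from the thread or any product it mentions), here is one way to act on the audit trail Roger describes: once a SACL on the sensitive folders audits read access for a narrow custom group, the Security log fills with Event ID 560 (Object Open) records, and the Python below reads a constructed comma-separated export of such records (the column layout is an assumption for the example) and flags any account that opens more distinct files in a ten-minute window than a chosen ceiling, which is the "large numbers of files at once" pattern jas0n wants to spot.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Security log entries for Event ID 560
# (Object Open). The comma-separated layout (timestamp, event id,
# account, object name) is an assumption for this example, not an
# official export format. The 529 row (logon failure) shows that
# unrelated events are ignored.
SAMPLE_EXPORT = """\
2005-04-26 09:01:10,560,CORP\\alice,\\\\fs1\\projects\\bid1.doc
2005-04-26 09:14:32,560,CORP\\alice,\\\\fs1\\projects\\bid2.doc
2005-04-26 09:40:05,560,CORP\\alice,\\\\fs1\\projects\\bid1.doc
2005-04-26 17:30:01,560,CORP\\bob,\\\\fs1\\projects\\bid1.doc
2005-04-26 17:30:02,560,CORP\\bob,\\\\fs1\\projects\\bid2.doc
2005-04-26 17:30:02,560,CORP\\bob,\\\\fs1\\projects\\bid3.doc
2005-04-26 17:30:03,560,CORP\\bob,\\\\fs1\\projects\\bid4.doc
2005-04-26 17:30:04,560,CORP\\bob,\\\\fs1\\projects\\bid5.doc
2005-04-26 17:30:05,560,CORP\\bob,\\\\fs1\\projects\\bid6.doc
2005-04-26 17:31:00,529,CORP\\bob,-
"""

def parse_export(text):
    """Yield (timestamp, account, object) for Event ID 560 rows only."""
    for line in text.splitlines():
        ts, event_id, account, obj = line.split(",", 3)
        if event_id == "560":
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, obj

def find_mass_access(events, window=timedelta(minutes=10), max_files=5):
    """Return {account: time the alert first fired} for accounts that
    opened more than `max_files` distinct objects within `window`.
    Repeated opens of one object count once, so ordinary re-reads of
    the same document do not trip the alert."""
    recent = defaultdict(deque)  # account -> (timestamp, object) in window
    alerts = {}
    for ts, account, obj in sorted(events):
        q = recent[account]
        q.append((ts, obj))
        while ts - q[0][0] > window:  # drop opens older than the window
            q.popleft()
        distinct = {o for _, o in q}
        if len(distinct) > max_files and account not in alerts:
            alerts[account] = ts
    return alerts

if __name__ == "__main__":
    for account, when in find_mass_access(parse_export(SAMPLE_EXPORT)).items():
        print(f"{when:%Y-%m-%d %H:%M:%S} mass access by {account}")
```

The alert is only useful if someone reads it within the actionable time Roger mentions; run over a whole day's export after the fact, the same check confirms what left rather than preventing it.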
Anonymous
April 27, 2005 3:02:42 AM


In article <#vgMXgmSFHA.3444@tk2msftngp13.phx.gbl>, mvpNOSpam@asu.edu
says...
> Before you implement this, consider whether it will actually do
> what you are after. Yes, you could use a group that contains the
> accounts of concern (I would highly recommend not using Users
> or equivalent broad groups, but a more narrow custom group)
> and set a SACL to trigger event messages on all accesses.
>
> However, what I question is whether you would actually be able
> to make use of the information, whether you would really monitor
> the generated data and be able to detect "abnormal, suspect" access
> patterns. Beyond that, I question whether even if you did monitor
> the event log and detect such accesses within an actionable time
> if then you could/would be able to do anything about it. A one-day
> delay in taking action means the data travelled home that night.
>

Yes, it's one of these top-level 'wish list' items that just won't work in
the real world - that was my thinking as well. It would put a general
strain on things and hardly be utilised.

I mean, what could you call the group for starters, the 'untrusted'? ;)

I guess it may give them an idea of what could have gone ... although,
it's not like we're internal country security or something!
Anonymous
April 27, 2005 3:02:43 AM


"jas0n" <no@email.here> wrote in message
news:MPG.1cd8cadd39a36324989688@news.microsoft.com...
> In article <#vgMXgmSFHA.3444@tk2msftngp13.phx.gbl>, mvpNOSpam@asu.edu
> says...
> > Before you implement this, consider whether it will actually do
> > what you are after. Yes, you could use a group that contains the
> > accounts of concern (I would highly recommend not using Users
> > or equivalent broad groups, but a more narrow custom group)
> > and set a SACL to trigger event messages on all accesses.
> >
> > However, what I question is whether you would actually be able
> > to make use of the information, whether you would really monitor
> > the generated data and be able to detect "abnormal, suspect" access
> > patterns. Beyond that, I question whether even if you did monitor
> > the event log and detect such accesses within an actionable time
> > if then you could/would be able to do anything about it. A one-day
> > delay in taking action means the data travelled home that night.
> >
>
> Yes, it's one of these top-level 'wish list' items that just won't work in
> the real world - that was my thinking as well. It would put a general
> strain on things and hardly be utilised.
>
> I mean, what could you call the group for starters, the 'untrusted'? ;)
>
> I guess it may give them an idea of what could have gone ... although,
> it's not like we're internal country security or something!

:-) the "untrusted"

So we both see the potential high overhead and the potential for
lack of utilization. Why not ask them what the budget is for a
monitoring/alerting system that will make the logging useful,
and/or what percentage of a man-year is allocated to doing so?
It might make them think beyond just having the idea of "set up
a watcher on mass access to our proprietary info files".

It is all in understanding what is "the watcher" of the untrusted.
--
Roger
Anonymous
April 28, 2005 2:51:11 AM


In article <MPG.1cd8cadd39a36324989688@news.microsoft.com>,
no@email.here says...
> In article <#vgMXgmSFHA.3444@tk2msftngp13.phx.gbl>, mvpNOSpam@asu.edu
> says...
> > Before you implement this, consider whether it will actually do
> > what you are after. Yes, you could use a group that contains the
> > accounts of concern (I would highly recommend not using Users
> > or equivalent broad groups, but a more narrow custom group)
> > and set a SACL to trigger event messages on all accesses.
> >
> > However, what I question is whether you would actually be able
> > to make use of the information, whether you would really monitor
> > the generated data and be able to detect "abnormal, suspect" access
> > patterns. Beyond that, I question whether even if you did monitor
> > the event log and detect such accesses within an actionable time
> > if then you could/would be able to do anything about it. A one-day
> > delay in taking action means the data travelled home that night.
> >
>
> Yes, it's one of these top-level 'wish list' items that just won't work in
> the real world - that was my thinking as well. It would put a general
> strain on things and hardly be utilised.
>
> I mean, what could you call the group for starters, the 'untrusted'? ;)
>
> I guess it may give them an idea of what could have gone ... although,
> it's not like we're internal country security or something!
>

I've since found gfi.com do a product that can lock down, using groups, all
removable storage items including USB sticks, cameras, CD-RW, floppies,
etc ...

.... that would go some way to only giving access to removing data using
these devices but doesn't stop them simply printing it and putting it in
the briefcase!!
April 28, 2005 12:32:11 PM


Hi Guys,

Have a look at InTrust software from Quest. It's a nice tool for logs.

"jas0n" wrote:

> In article <MPG.1cd8cadd39a36324989688@news.microsoft.com>,
> no@email.here says...
> > In article <#vgMXgmSFHA.3444@tk2msftngp13.phx.gbl>, mvpNOSpam@asu.edu
> > says...
> > > Before you implement this, consider whether it will actually do
> > > what you are after. Yes, you could use a group that contains the
> > > accounts of concern (I would highly recommend not using Users
> > > or equivalent broad groups, but a more narrow custom group)
> > > and set a SACL to trigger event messages on all accesses.
> > >
> > > However, what I question is whether you would actually be able
> > > to make use of the information, whether you would really monitor
> > > the generated data and be able to detect "abnormal, suspect" access
> > > patterns. Beyond that, I question whether even if you did monitor
> > > the event log and detect such accesses within an actionable time
> > > if then you could/would be able to do anything about it. A one-day
> > > delay in taking action means the data travelled home that night.
> > >
> >
> > Yes, it's one of these top-level 'wish list' items that just won't work in
> > the real world - that was my thinking as well. It would put a general
> > strain on things and hardly be utilised.
> >
> > I mean, what could you call the group for starters, the 'untrusted'? ;)
> >
> > I guess it may give them an idea of what could have gone ... although,
> > it's not like we're internal country security or something!
> >
>
> I've since found gfi.com do a product that can lock down, using groups, all
> removable storage items including USB sticks, cameras, CD-RW, floppies,
> etc ...
>
> .... that would go some way to only giving access to removing data using
> these devices but doesn't stop them simply printing it and putting it in
> the briefcase!!
>
>