How to monitor privileged user access?

  • Thread starter Thread starter Jim Touch
  • Start date Start date
J

Jim Touch

Hi all. Please excuse me if this issue has been covered before, I searched
but couldn't find any substantial answer.

I have 10-15 privileged users accessing my network from outside (through FW,
via VPN). They access the network and perform various tasks such as
maintaining my Exchange servers and so on. 2 weeks ago I had issues with
some AD objects that have been deleted from the AD. The user responsible for
AD management claimed he did not do it, and this has brought up my question:
How would you suggest that I monitor these users' actions? I have around 100
servers and I would like to know what they did.

Thanks,

Jim
 
I suggest you take a look at ObserveIT (www.observeit-sys.com). ObserveIT is
a visual auditing tool that enables the administrator to get a visual audit
trail of what has been done on the servers, who did it, and where else the
same action was performed. Anytime a priviliged user accesses the server, a
recording starts and captures anything that is done on the server.



Since the product is agnostic to protocol and software, it captures and
records ALL methods of remote access to the server, including RDP, VNC, TS,
Citrix, Netop, Damware and others. Besides capturing the screenshots,
ObserveIT also captures metadata of what is seen on the screen, and indexes
this in the DB.



By using the product you can easily view these recodings through a web
console. You can see things such as who touched a particular server at a
given time, what they did during their session, where else did they do the
same action, and even perform a free text search (i.e. "who deleted a file
called budget.xls?").



Take a look at their demo and download the product. If you need any
additional information please contact me either by using the above email. On
my site you can also read a review I wrote after beginning to work with the
product.



Daniel Petri

www.petri.co.il






"Jim Touch" <jimtou@gmail.com> wrote in message
news:O0kAL6zsIHA.4492@TK2MSFTNGP02.phx.gbl...
> Hi all. Please excuse me if this issue has been covered before, I searched
> but couldn't find any substantial answer.
>
> I have 10-15 privileged users accessing my network from outside (through
> FW, via VPN). They access the network and perform various tasks such as
> maintaining my Exchange servers and so on. 2 weeks ago I had issues with
> some AD objects that have been deleted from the AD. The user responsible
> for AD management claimed he did not do it, and this has brought up my
> question: How would you suggest that I monitor these users' actions? I
> have around 100 servers and I would like to know what they did.
>
> Thanks,
>
> Jim
>
 
I assume that people with administrative acess can stop this remotely before
logging on to the server console? Which leaves us with the main option -
security logs


--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Daniel Petri" <daniel@petri.co.il.removeme> wrote in message
news:%23ug2nCCtIHA.5096@TK2MSFTNGP02.phx.gbl...
>I suggest you take a look at ObserveIT (www.observeit-sys.com). ObserveIT
>is a visual auditing tool that enables the administrator to get a visual
>audit trail of what has been done on the servers, who did it, and where
>else the same action was performed. Anytime a priviliged user accesses the
>server, a recording starts and captures anything that is done on the
>server.
>
>
>
> Since the product is agnostic to protocol and software, it captures and
> records ALL methods of remote access to the server, including RDP, VNC,
> TS, Citrix, Netop, Damware and others. Besides capturing the screenshots,
> ObserveIT also captures metadata of what is seen on the screen, and
> indexes this in the DB.
>
>
>
> By using the product you can easily view these recodings through a web
> console. You can see things such as who touched a particular server at a
> given time, what they did during their session, where else did they do the
> same action, and even perform a free text search (i.e. "who deleted a file
> called budget.xls?").
>
>
>
> Take a look at their demo and download the product. If you need any
> additional information please contact me either by using the above email.
> On my site you can also read a review I wrote after beginning to work with
> the product.
>
>
>
> Daniel Petri
>
> www.petri.co.il
>
>
>
>
>
>
> "Jim Touch" <jimtou@gmail.com> wrote in message
> news:O0kAL6zsIHA.4492@TK2MSFTNGP02.phx.gbl...
>> Hi all. Please excuse me if this issue has been covered before, I
>> searched but couldn't find any substantial answer.
>>
>> I have 10-15 privileged users accessing my network from outside (through
>> FW, via VPN). They access the network and perform various tasks such as
>> maintaining my Exchange servers and so on. 2 weeks ago I had issues with
>> some AD objects that have been deleted from the AD. The user responsible
>> for AD management claimed he did not do it, and this has brought up my
>> question: How would you suggest that I monitor these users' actions? I
>> have around 100 servers and I would like to know what they did.
>>
>> Thanks,
>>
>> Jim
>>
>
>
 
Svyatoslav, thanks for bringing this up.

The ObserveIT agent is guarded by a watchdog process, and the other way
around. The moment you stop one, the other starts it again.

However, if you kill both at exactly the same time by using a script, the
security administrator will get an email alert from ObserveIT's application
server telling him that recording on server XYZ has stopped, and that they
should investigate the reason. Normally, this implies that someone has
tampered with the agent.

Remember that ObserveIT give you visual auditing, root cause analysis,
compliance and monitoring capabilites you did not have before. It is not
designed to PREVENT malicious priviliged users from causing harm.

As a side note, seeing you're an MVP, I'd like to point out that ObserveIT
now offers free NFR licenses for MVPs, email me if you'd like to get one.
Naturally this goes for any MVP reading this message.

Daniel Petri
www.petri.co.il


"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:%238TIeDNtIHA.4544@TK2MSFTNGP04.phx.gbl...
>I assume that people with administrative acess can stop this remotely
>before logging on to the server console? Which leaves us with the main
>option - security logs
>
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Daniel Petri" <daniel@petri.co.il.removeme> wrote in message
> news:%23ug2nCCtIHA.5096@TK2MSFTNGP02.phx.gbl...
>>I suggest you take a look at ObserveIT (www.observeit-sys.com). ObserveIT
>>is a visual auditing tool that enables the administrator to get a visual
>>audit trail of what has been done on the servers, who did it, and where
>>else the same action was performed. Anytime a priviliged user accesses the
>>server, a recording starts and captures anything that is done on the
>>server.
>>
>>
>>
>> Since the product is agnostic to protocol and software, it captures and
>> records ALL methods of remote access to the server, including RDP, VNC,
>> TS, Citrix, Netop, Damware and others. Besides capturing the screenshots,
>> ObserveIT also captures metadata of what is seen on the screen, and
>> indexes this in the DB.
>>
>>
>>
>> By using the product you can easily view these recodings through a web
>> console. You can see things such as who touched a particular server at a
>> given time, what they did during their session, where else did they do
>> the same action, and even perform a free text search (i.e. "who deleted a
>> file called budget.xls?").
>>
>>
>>
>> Take a look at their demo and download the product. If you need any
>> additional information please contact me either by using the above email.
>> On my site you can also read a review I wrote after beginning to work
>> with the product.
>>
>>
>>
>> Daniel Petri
>>
>> www.petri.co.il
>>
>>
>>
>>
>>
>>
>> "Jim Touch" <jimtou@gmail.com> wrote in message
>> news:O0kAL6zsIHA.4492@TK2MSFTNGP02.phx.gbl...
>>> Hi all. Please excuse me if this issue has been covered before, I
>>> searched but couldn't find any substantial answer.
>>>
>>> I have 10-15 privileged users accessing my network from outside (through
>>> FW, via VPN). They access the network and perform various tasks such as
>>> maintaining my Exchange servers and so on. 2 weeks ago I had issues with
>>> some AD objects that have been deleted from the AD. The user responsible
>>> for AD management claimed he did not do it, and this has brought up my
>>> question: How would you suggest that I monitor these users' actions? I
>>> have around 100 servers and I would like to know what they did.
>>>
>>> Thanks,
>>>
>>> Jim
>>>
>>
>>
>
>
 
Needless to say, this should have been sent from my own laptop and not from
the client's one... (note to self - remember what account you're using
before hitting send...)

Daniel



"Jim Touch" <jimtou@gmail.com> wrote in message
news:uaXKWeNtIHA.1768@TK2MSFTNGP03.phx.gbl...
> Svyatoslav, thanks for bringing this up.
>
> The ObserveIT agent is guarded by a watchdog process, and the other way
> around. The moment you stop one, the other starts it again.
>
> However, if you kill both at exactly the same time by using a script, the
> security administrator will get an email alert from ObserveIT's
> application server telling him that recording on server XYZ has stopped,
> and that they should investigate the reason. Normally, this implies that
> someone has tampered with the agent.
>
> Remember that ObserveIT give you visual auditing, root cause analysis,
> compliance and monitoring capabilites you did not have before. It is not
> designed to PREVENT malicious priviliged users from causing harm.
>
> As a side note, seeing you're an MVP, I'd like to point out that ObserveIT
> now offers free NFR licenses for MVPs, email me if you'd like to get one.
> Naturally this goes for any MVP reading this message.
>
> Daniel Petri
> www.petri.co.il
>
>
> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
> news:%238TIeDNtIHA.4544@TK2MSFTNGP04.phx.gbl...
>>I assume that people with administrative acess can stop this remotely
>>before logging on to the server console? Which leaves us with the main
>>option - security logs
>>
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>> "Daniel Petri" <daniel@petri.co.il.removeme> wrote in message
>> news:%23ug2nCCtIHA.5096@TK2MSFTNGP02.phx.gbl...
>>>I suggest you take a look at ObserveIT (www.observeit-sys.com). ObserveIT
>>>is a visual auditing tool that enables the administrator to get a visual
>>>audit trail of what has been done on the servers, who did it, and where
>>>else the same action was performed. Anytime a priviliged user accesses
>>>the server, a recording starts and captures anything that is done on the
>>>server.
>>>
>>>
>>>
>>> Since the product is agnostic to protocol and software, it captures and
>>> records ALL methods of remote access to the server, including RDP, VNC,
>>> TS, Citrix, Netop, Damware and others. Besides capturing the
>>> screenshots, ObserveIT also captures metadata of what is seen on the
>>> screen, and indexes this in the DB.
>>>
>>>
>>>
>>> By using the product you can easily view these recodings through a web
>>> console. You can see things such as who touched a particular server at a
>>> given time, what they did during their session, where else did they do
>>> the same action, and even perform a free text search (i.e. "who deleted
>>> a file called budget.xls?").
>>>
>>>
>>>
>>> Take a look at their demo and download the product. If you need any
>>> additional information please contact me either by using the above
>>> email. On my site you can also read a review I wrote after beginning to
>>> work with the product.
>>>
>>>
>>>
>>> Daniel Petri
>>>
>>> www.petri.co.il
>>>
>>>
>>>
>>>
>>>
>>>
>>> "Jim Touch" <jimtou@gmail.com> wrote in message
>>> news:O0kAL6zsIHA.4492@TK2MSFTNGP02.phx.gbl...
>>>> Hi all. Please excuse me if this issue has been covered before, I
>>>> searched but couldn't find any substantial answer.
>>>>
>>>> I have 10-15 privileged users accessing my network from outside
>>>> (through FW, via VPN). They access the network and perform various
>>>> tasks such as maintaining my Exchange servers and so on. 2 weeks ago I
>>>> had issues with some AD objects that have been deleted from the AD. The
>>>> user responsible for AD management claimed he did not do it, and this
>>>> has brought up my question: How would you suggest that I monitor these
>>>> users' actions? I have around 100 servers and I would like to know what
>>>> they did.
>>>>
>>>> Thanks,
>>>>
>>>> Jim
>>>>
>>>
>>>
>>
>>
>
 
LOL next time... intresting enough, and getting back to the original thread,
I must say that after seeing your demonstration I am impressed at what the
product can do. As I told you in our conversation, we'd like to take it for
a test ride and do a pilot for 5 servers, see what the impact will be on the
CPU, memory and network. I'd love to share my findings with you guys if
anyone's interested. Email me offline (my email is listed).

Thanks Daniel, sorry for the identity mixup... :-)

Jim


"Daniel Petri" <daniel@petri.co.il.removeme> wrote in message
news:OZV5yhNtIHA.4376@TK2MSFTNGP06.phx.gbl...
> Needless to say, this should have been sent from my own laptop and not
> from the client's one... (note to self - remember what account you're
> using before hitting send...)
>
> Daniel
 
Thanks Jim!

This one is especially for me:
http://blogs.microsoft.co.il/blogs/...-and-newsgroups-from-a-client-s-computer.aspx


Daniel Petri
www.petri.co.il


"Jim Touch" <jimtou@gmail.com> wrote in message
news:%23B6ILqNtIHA.2208@TK2MSFTNGP04.phx.gbl...
> LOL next time... intresting enough, and getting back to the original
> thread, I must say that after seeing your demonstration I am impressed at
> what the product can do. As I told you in our conversation, we'd like to
> take it for a test ride and do a pilot for 5 servers, see what the impact
> will be on the CPU, memory and network. I'd love to share my findings with
> you guys if anyone's interested. Email me offline (my email is listed).
>
> Thanks Daniel, sorry for the identity mixup... :-)
>
> Jim
>
 
Thanks Daniel. Sounds like a reasonable architecture. Perhaps I'll give it a
go

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"Daniel Petri" <daniel@petri.co.il.removeme> wrote in message
news:OZV5yhNtIHA.4376@TK2MSFTNGP06.phx.gbl...
> Needless to say, this should have been sent from my own laptop and not
> from the client's one... (note to self - remember what account you're
> using before hitting send...)
>
> Daniel
>
>
>
> "Jim Touch" <jimtou@gmail.com> wrote in message
> news:uaXKWeNtIHA.1768@TK2MSFTNGP03.phx.gbl...
>> Svyatoslav, thanks for bringing this up.
>>
>> The ObserveIT agent is guarded by a watchdog process, and the other way
>> around. The moment you stop one, the other starts it again.
>>
>> However, if you kill both at exactly the same time by using a script, the
>> security administrator will get an email alert from ObserveIT's
>> application server telling him that recording on server XYZ has stopped,
>> and that they should investigate the reason. Normally, this implies that
>> someone has tampered with the agent.
>>
>> Remember that ObserveIT give you visual auditing, root cause analysis,
>> compliance and monitoring capabilites you did not have before. It is not
>> designed to PREVENT malicious priviliged users from causing harm.
>>
>> As a side note, seeing you're an MVP, I'd like to point out that
>> ObserveIT now offers free NFR licenses for MVPs, email me if you'd like
>> to get one. Naturally this goes for any MVP reading this message.
>>
>> Daniel Petri
>> www.petri.co.il
>>
>>
>> "S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
>> news:%238TIeDNtIHA.4544@TK2MSFTNGP04.phx.gbl...
>>>I assume that people with administrative acess can stop this remotely
>>>before logging on to the server console? Which leaves us with the main
>>>option - security logs
>>>
>>>
>>> --
>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>>> -= F1 is the key =-
>>>
>>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>>
>>> "Daniel Petri" <daniel@petri.co.il.removeme> wrote in message
>>> news:%23ug2nCCtIHA.5096@TK2MSFTNGP02.phx.gbl...
>>>>I suggest you take a look at ObserveIT (www.observeit-sys.com).
>>>>ObserveIT is a visual auditing tool that enables the administrator to
>>>>get a visual audit trail of what has been done on the servers, who did
>>>>it, and where else the same action was performed. Anytime a priviliged
>>>>user accesses the server, a recording starts and captures anything that
>>>>is done on the server.
>>>>
>>>>
>>>>
>>>> Since the product is agnostic to protocol and software, it captures and
>>>> records ALL methods of remote access to the server, including RDP, VNC,
>>>> TS, Citrix, Netop, Damware and others. Besides capturing the
>>>> screenshots, ObserveIT also captures metadata of what is seen on the
>>>> screen, and indexes this in the DB.
>>>>
>>>>
>>>>
>>>> By using the product you can easily view these recodings through a web
>>>> console. You can see things such as who touched a particular server at
>>>> a given time, what they did during their session, where else did they
>>>> do the same action, and even perform a free text search (i.e. "who
>>>> deleted a file called budget.xls?").
>>>>
>>>>
>>>>
>>>> Take a look at their demo and download the product. If you need any
>>>> additional information please contact me either by using the above
>>>> email. On my site you can also read a review I wrote after beginning to
>>>> work with the product.
>>>>
>>>>
>>>>
>>>> Daniel Petri
>>>>
>>>> www.petri.co.il
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> "Jim Touch" <jimtou@gmail.com> wrote in message
>>>> news:O0kAL6zsIHA.4492@TK2MSFTNGP02.phx.gbl...
>>>>> Hi all. Please excuse me if this issue has been covered before, I
>>>>> searched but couldn't find any substantial answer.
>>>>>
>>>>> I have 10-15 privileged users accessing my network from outside
>>>>> (through FW, via VPN). They access the network and perform various
>>>>> tasks such as maintaining my Exchange servers and so on. 2 weeks ago I
>>>>> had issues with some AD objects that have been deleted from the AD.
>>>>> The user responsible for AD management claimed he did not do it, and
>>>>> this has brought up my question: How would you suggest that I monitor
>>>>> these users' actions? I have around 100 servers and I would like to
>>>>> know what they did.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jim
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
 
Good one Daniel! Love to read your stuff. As for ObserveIT, I've worked with
the product and have found it to have remarkable capabilities. The fact that
you can monitor what administrators and external vendors are doing is worth
it all (for us), and I must say that since then they are very cautious when
they touch any monitored server, knowing that their actions can later be
replayed and investigated in case something goes wrong.
--
>>>
It's my right to make mistakes. And my responsibility to correct them ...
>>>


"Daniel Petri" wrote:

> Thanks Jim!
>
> This one is especially for me:
> http://blogs.microsoft.co.il/blogs/...-and-newsgroups-from-a-client-s-computer.aspx
>
>
> Daniel Petri
> www.petri.co.il
>
>
> "Jim Touch" <jimtou@gmail.com> wrote in message
> news:%23B6ILqNtIHA.2208@TK2MSFTNGP04.phx.gbl...
> > LOL next time... intresting enough, and getting back to the original
> > thread, I must say that after seeing your demonstration I am impressed at
> > what the product can do. As I told you in our conversation, we'd like to
> > take it for a test ride and do a pilot for 5 servers, see what the impact
> > will be on the CPU, memory and network. I'd love to share my findings with
> > you guys if anyone's interested. Email me offline (my email is listed).
> >
> > Thanks Daniel, sorry for the identity mixup... :-)
> >
> > Jim
> >
>
>
>
 
Back
Top