How to monitor privileged user access?

Jim Touch

Guest
Hi all. Please excuse me if this issue has been covered before, I searched but couldn't find any substantial answer.

I have 10-15 privileged users accessing my network from outside (through FW, via VPN). They access the network and perform various tasks such as maintaining my Exchange servers and so on. 2 weeks ago I had issues with some AD objects that had been deleted from the AD. The user responsible for AD management claimed he did not do it, and this has brought up my question: How would you suggest that I monitor these users' actions? I have around 100 servers and I would like to know what they did.

Thanks,

Jim

 
Daniel Petri

Guest
I suggest you take a look at ObserveIT (www.observeit-sys.com). ObserveIT is a visual auditing tool that enables the administrator to get a visual audit trail of what has been done on the servers, who did it, and where else the same action was performed. Anytime a privileged user accesses the server, a recording starts and captures anything that is done on the server.

Since the product is agnostic to protocol and software, it captures and records ALL methods of remote access to the server, including RDP, VNC, TS, Citrix, Netop, DameWare and others. Besides capturing the screenshots, ObserveIT also captures metadata of what is seen on the screen, and indexes this in the DB.

By using the product you can easily view these recordings through a web console. You can see things such as who touched a particular server at a given time, what they did during their session, where else they did the same action, and even perform a free text search (e.g. "who deleted a file called budget.xls?").

Take a look at their demo and download the product. If you need any additional information please contact me using the above email. On my site you can also read a review I wrote after beginning to work with the product.

Daniel Petri

www.petri.co.il

 
S. Pidgorny

Guest
I assume that people with administrative access can stop this remotely before logging on to the server console? Which leaves us with the main option - security logs.

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp
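The security-log route Svyatoslav points at, worked through for Jim's AD deletion as an added example (this is not code from the thread, from ObserveIT or from any of the posters). On Windows Server 2008 or later, a deletion in AD is written to the Security log of the domain controller that served the request as event 5141 (any directory object), or the object-specific 4726 (user), 4730 (security global group) and 4743 (computer account); each carries the deleting account and its logon ID, and that logon ID matches a 4624 on the same DC whose IpAddress field is the VPN-side address the admin came in from. The script assumes the ActiveDirectory PowerShell module, an account allowed to read the DCs' Security logs and the domain's SACL, and a 14-day window picked to match "2 weeks ago". The auditpol line has to be applied on every DC (normally through the Default Domain Controllers Policy rather than by hand), and none of this can reach back before auditing was switched on, which is what the last step is about.

```powershell
# Added example (not from the thread): answer "who deleted that AD object?" from
# the Security logs of the domain controllers.
# Assumes: Windows Server 2008+ DCs, the ActiveDirectory module, and an account
# that may read the DCs' Security logs and the domain naming context's SACL.
Import-Module ActiveDirectory

# --- 1. Make sure the events are generated at all ------------------------------
# "Directory Service Changes" must be enabled on every DC (auditpol is per host;
# in practice set it in the Default Domain Controllers Policy GPO), AND the domain
# naming context needs a SACL entry for deletes, otherwise 5141 is never written.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn" -Audit
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteChild, DeleteTree'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# --- 2. Pull deletion events from every DC and name the actor -----------------
# 5141 = directory object deleted, 4726 = user deleted,
# 4730 = security global group deleted, 4743 = computer account deleted.
function Get-AdDeletionEvents {
    param([datetime]$Since = (Get-Date).AddDays(-14))   # Jim's case: "2 weeks ago"

    $filter = @{ LogName = 'Security'; Id = 5141, 4726, 4730, 4743; StartTime = $Since }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of name/value pairs; flatten it so fields can be read by name
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Actor   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                LogonId = $d.SubjectLogonId                      # key for step 3
                Object  = if ($d.ObjectDN) { $d.ObjectDN } else { $d.TargetUserName }
            }
        }
    }
}

# --- 3. Tie the actor back to the logon session, i.e. the VPN address ---------
# The 4624 on the same DC carries the source IP for the LogonId seen in the deletion.
function Get-LogonSource {
    param([string]$Dc, [string]$LogonId, [datetime]$Since)
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetLogonId -eq $LogonId) {
            [pscustomobject]@{ Time = $_.TimeCreated; IpAddress = $d.IpAddress; LogonType = $d.LogonType }
        }
    }
}

$since     = (Get-Date).AddDays(-14)
$deletions = Get-AdDeletionEvents -Since $since
$deletions | Sort-Object Time | Format-Table Time, DC, EventId, Actor, Object -AutoSize
foreach ($del in $deletions) {
    Get-LogonSource -Dc $del.DC -LogonId $del.LogonId -Since $since |
        ForEach-Object { '{0} deleted {1}; logon {2} came from {3} (logon type {4})' -f
                         $del.Actor, $del.Object, $del.LogonId, $_.IpAddress, $_.LogonType }
}

# --- 4. If auditing was NOT on when the object vanished -----------------------
# Tombstones in the Deleted Objects container still give the what and the when,
# but never the who; that gap is why the SACL in step 1 must exist in advance.
Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
    -IncludeDeletedObjects -Properties whenChanged, lastKnownParent |
    Where-Object { $_.whenChanged -ge $since } |
    Select-Object Name, ObjectClass, whenChanged, lastKnownParent
```

The objection Svyatoslav raises applies to this route as well: an administrator on the DC can clear the Security log (that itself leaves event 1102), so forward these events to a collector the same administrators cannot touch, and treat a 1102 or a gap in the stream as a finding in its own right.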

 
Jim Touch

Guest
Svyatoslav, thanks for bringing this up.

The ObserveIT agent is guarded by a watchdog process, and the other way around. The moment you stop one, the other starts it again.

However, if you kill both at exactly the same time by using a script, the security administrator will get an email alert from ObserveIT's application server telling him that recording on server XYZ has stopped, and that they should investigate the reason. Normally, this implies that someone has tampered with the agent.

Remember that ObserveIT gives you visual auditing, root cause analysis, compliance and monitoring capabilities you did not have before. It is not designed to PREVENT malicious privileged users from causing harm.

As a side note, seeing you're an MVP, I'd like to point out that ObserveIT now offers free NFR licenses for MVPs, email me if you'd like to get one. Naturally this goes for any MVP reading this message.

Daniel Petri

www.petri.co.il

 
Daniel Petri

Guest
Needless to say, this should have been sent from my own laptop and not from the client's one... (note to self - remember what account you're using before hitting send...)

Daniel

 
Jim Touch

Guest
LOL next time... interestingly enough, and getting back to the original thread, I must say that after seeing your demonstration I am impressed at what the product can do. As I told you in our conversation, we'd like to take it for a test ride and do a pilot for 5 servers, see what the impact will be on the CPU, memory and network. I'd love to share my findings with you guys if anyone's interested. Email me offline (my email is listed).

Thanks Daniel, sorry for the identity mixup... :)

Jim

 
Daniel Petri

Guest
Thanks Jim!

This one is especially for me:

http://blogs.microsoft.co.il/blogs/danielp...s-computer.aspx

Daniel Petri

www.petri.co.il

 
S. Pidgorny

Guest
Thanks Daniel. Sounds like a reasonable architecture. Perhaps I'll give it a go.

--

Svyatoslav Pidgorny, MS MVP - Security, MCSE

-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

 
סורין סולומו

Guest
Good one Daniel! Love to read your stuff. As for ObserveIT, I've worked with the product and have found it to have remarkable capabilities. The fact that you can monitor what administrators and external vendors are doing is worth it all (for us), and I must say that since then they are very cautious when they touch any monitored server, knowing that their actions can later be replayed and investigated in case something goes wrong.

--

It's my right to make mistakes. And my responsibility to correct them ...

 