logging data accessed by user

jas0n

We want to log what data is being accessed by each user. It's been
prompted by the large-scale use of USB memory sticks. (We decided the
benefits of them for our travelling laptop folk outweighed the downsides.)

I'm thinking we can't log what's being copied to memory sticks in
particular, but we should be able to log which user is accessing which
files and when.

It's a single W2K native domain, spread over many sites.

This would give us an idea if large numbers of files the user wouldn't
normally access at once are accessed. This would indicate they were
being copied somewhere.

What would be best to use for this?

..... we already lock everything down with groups and access lists, etc. -
our management have the idea that when users decide they are leaving for the
competition they are copying all the relevant data they have access to
and taking it with them.
 
Roger Abell

Before you implement this, consider whether it will actually do
what you are after. Yes, you could use a group that contains the
accounts of concern (I would highly recommend not using Users
or equivalent broad groups, but a more narrow custom group)
and set a SACL to trigger event messages on all accesses.

However, what I question is whether you would actually be able
to make use of the information, whether you would really monitor
the generated data and be able to detect "abnormal, suspect" access
patterns. Beyond that, I question whether even if you did monitor
the event log and detect such accesses within an actionable time
if then you could/would be able to do anything about it. One day
delay in taking action means the data travelled home that night.
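As an added example (not code from the thread or from either poster), the group-plus-SACL approach described above, followed by the kind of event-log summary that would make the logging usable: it flags any account that opened an unusually large number of distinct files in the last hour. Assumptions: the folder path, the group name CORP\Audit-Watch, the threshold, and a current Windows Server where file access is event ID 4663 (the Windows 2000 domain in the thread used different event IDs); "Audit object access" must be enabled in audit policy or the SACL generates nothing.

```powershell
# Added example: audit file reads under one folder for a narrow custom group,
# then summarise Security-log access events per user to spot mass access.
# Run with administrative rights on the file server.

$Folder    = 'D:\Shares\Projects'   # assumed folder
$Group     = 'CORP\Audit-Watch'     # assumed narrow custom group (not Users)
$Threshold = 200                    # assumed: distinct files per user per hour

# 1. Add a SACL entry: log successful ReadData by members of $Group,
#    inherited by every subfolder and file.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $Group, 'ReadData', 'ContainerInherit, ObjectInherit', 'None', 'Success'
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 2. Detection: pull event 4663 ("An attempt was made to access an object")
#    from the last hour, keep objects under $Folder, and count distinct
#    files per subject account.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since }

$events |
    ForEach-Object {
        # Each event carries its fields as <Data Name="..."> elements.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ User = $d['SubjectUserName']; Object = $d['ObjectName'] }
    } |
    Where-Object { $_.Object -like "$Folder\*" } |
    Group-Object -Property User |
    ForEach-Object {
        $distinct = @($_.Group.Object | Sort-Object -Unique).Count
        if ($distinct -ge $Threshold) {
            '{0} opened {1} distinct files under {2} since {3}' -f $_.Name, $distinct, $Folder, $since
        }
    }
```

Auditing ReadData also fires on directory listings, so the threshold needs tuning against a baseline of normal use before anyone acts on the output.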
 
jas0n

Roger Abell said:
Before you implement this, consider whether it will actually do
what you are after. Yes, you could use a group that contains the
accounts of concern (I would highly recommend not using Users
or equivalent broad groups, but a more narrow custom group)
and set a SACL to trigger event messages on all accesses.

However, what I question is whether you would actually be able
to make use of the information, whether you would really monitor
the generated data and be able to detect "abnormal, suspect" access
patterns. Beyond that, I question whether even if you did monitor
the event log and detect such accesses within an actionable time
if then you could/would be able to do anything about it. One day
delay in taking action means the data travelled home that night.

Yes, it's one of these top-level 'wish list' items that just won't work in
the real world - that was my thinking as well. It would put a general
strain on things and hardly be utilised.

I mean, what could you call the group for starters, the 'untrusted'? ;)

I guess it may give them an idea of what could have gone ... although,
it's not like we're internal country security or something!
 
Roger Abell

jas0n said:
Yes, it's one of these top-level 'wish list' items that just won't work in
the real world - that was my thinking as well. It would put a general
strain on things and hardly be utilised.

I mean, what could you call the group for starters, the 'untrusted'? ;)

I guess it may give them an idea of what could have gone ... although,
it's not like we're internal country security or something!

:) the "untrusted"

So we both see the potential high overhead and the potential for
lack of utilization. Why not ask them what the budget is for a
monitoring/alerting system that will make the logging useful,
and/or what percentage of a man-year is allocated to doing so?
It might make them think beyond just having the idea of "set up
a watcher on mass access to our proprietary info files".

It is all in understanding what is "the watcher" of the untrusted.
 
jas0n

jas0n said:
Yes, it's one of these top-level 'wish list' items that just won't work in
the real world - that was my thinking as well. It would put a general
strain on things and hardly be utilised.

I mean, what could you call the group for starters, the 'untrusted'? ;)

I guess it may give them an idea of what could have gone ... although,
it's not like we're internal country security or something!

I've since found gfi.com do a product that can lock down, using groups, all
removable storage items including USB sticks, cameras, CD-RWs, floppies,
etc ...

.... that would go some way to only giving access to removing data using
these devices, but doesn't stop them simply printing it and putting it in
the briefcase!!