Security Basics mailing list archives

RE: Remote OS Monitoring

From: "Ramsdell, Scott" <sramsdell () stinsonmoheck com>
Date: Wed, 24 May 2006 10:14:45 -0500

Jason,

If you have a few workstations you want to monitor, you may choose to do
the following:

1) disable the use of EFS through Group Policy
2) enable auditing
3) audit the use of the Windows attrib program

Local manipulations of the files and directories result in events being
written to the local event logs.  These logs will need to be monitored
for specific event IDs by hand or with a custom VB script, for instance.

Attrib is used to remove masking bits.

Alternatively, if you want to monitor a large number of machines, and
have the budget, you can use NetIQ or Prism Microsystems' suite of
products.

Each of the examples you want to detect will trigger an event.  The
events you can monitor for.  If you can remove administrative access
from the user(s) you are concerned with, you will have solved most of
your concerns.  Non-admins could still use EFS.

Best Regards,
Scott Ramsdell



-----Original Message-----
From: Jason T. Hallahan [mailto:jthallah () gmail com] 
Sent: Tuesday, May 23, 2006 12:01 PM
To: security-basics () securityfocus com
Subject: Remote OS Monitoring

Hello and good day,

Say you have a Windows environment where all clients reside on the same
workgroup, connect through a Domain Controller, and are administered by
Active Directory. Are there any tools or techniques out there that allow
for remote monitoring (somewhat if not totally
transparent) at any finer level of granularity? Specifically, being able
to tell things like:

*User of a box has implemented EFS (Encrypted File System) possible to
hide information.
*User of a box has hidden a directory or file using either Windows
functions or 3rd party software.
*User is unmasking and/or viewing hidden/protected system files.
*User is removing Read-Only protection on a directory or file.
*User is manipulating SYSTEM.DAT, NTUSER.DAT, INDEX.DAT or any other
registry entries or registry hives.

Does anyone know of such capabilities?

Thanks,
Jason
 
 
This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent 
to you in error, please contact the sender for instructions concerning return or destruction, and do not use or 
disclose the contents to others.

Current thread:

Remote OS Monitoring Jason T. Hallahan (May 23)
- <Possible follow-ups>
- RE: Remote OS Monitoring Ramsdell, Scott (May 24)