AVSIG: Nailing Unauthorized Users

(This is a Read-only Archive of the 2004-2017 AVSIG Forum)


Stephanie Belser
Top Gun APC


Reged: 04/29/04
Posts: 5929
Loc: KFAM
Nailing Unauthorized Users
      #128855 - 10/05/06 12:55 PM

I've got a problem cropping up on the job and I need the wisdom of the 'sig.

One of the secretaries found evidence that someone has been using her computer after hours to go to web sites that, shall we say, are not exactly family friendly. I'd like to try and nail down when this is going on.

So, does anyone know how to set a computer (Windows '00 Pro) so that it keeps a log of when applications were launched? That's all I need, for now, for if I can determine times of use, that should tell me what I need for finding out whodunit.

Anything I do to this computer is going to be done with the consent of the primary user.

Thanks,
Stephanie


Sue A. Critz (KELP)
Top Gun


Reged: 04/30/04
Posts: 3384
Loc: El Paso, TX
Re: Nailing Unauthorized Users [Re: Stephanie Belser]
      #128869 - 10/05/06 02:35 PM

Steph-

I think for most systems that's automatic. In other words, there is a log kept of activity on the computer.

You might want to look for a "Recent Applications" file, which should also show you when the application was launched.

I could tell you exactly how to do this in Mac OSX, but Windows I'm less clear on.

--------------------
-sue


Mase Taylor
Top Gun


Reged: 04/29/04
Posts: 9446
Loc: SOCAL
Re: Nailing Unauthorized Users [Re: Stephanie Belser]
      #128870 - 10/05/06 02:35 PM

There must be a lot of different ways to check this, but here's one of the easiest. This assumes that IE is the browser. Open an IE window, click on TOOLS/INTERNET OPTIONS. Then find the area that says TEMPORARY INTERNET FILES, click on SETTINGS, find the area that says VIEW FILES and click on it. Assuming the offender hasn't cleared the browser history and/or cookies, this will show some files with times and dates, which will give you a good approximate starting point. Good luck.

--------------------
Fly The Airplane As Far Into The Crash As Possible. - Bob Hoover 1922-2016 R.I.P.


Jerry Kurata [KLVK]
Top Gun


Reged: 05/02/04
Posts: 6395
Loc: Northern California
Re: Nailing Unauthorized Users [Re: Stephanie Belser]
      #128893 - 10/05/06 04:04 PM

Quote:


So, does anyone know how to set a computer (Windows '00 Pro) so that it keeps a log of when applications were launched? That's all I need, for now, for if I can determine times of use, that should tell me what I need for finding out whodunit.




I am not sure what you mean by Windows 00 Pro, 2000 Pro? If so, you can turn on logging of specific events and access to objects. This will cause a security entry to be written in the system event log each time the events you are interested in occur on the specified items. In your case you might want to track logins and access to files (objects).

Here is a link on how to turn on the logging.
http://support.microsoft.com/kb/300549

BTW, be careful with this type of logging. You can kill a machine's performance with this stuff. You might want to turn it on when the user goes home and turn it off when they come in the morning.

Have fun,

Jerry

Edited by Jerry Kurata [KLVK] (10/05/06 04:06 PM)


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Nailing Unauthorized Users [Re: Stephanie Belser]
      #128928 - 10/05/06 07:05 PM

Stephanie,

How 'bout the date/time stamps on the files in the browser cache? That's how
I nailed one perp. Most are too ignorant to wipe cache, history, or cookies.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.
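
Added example (not part of the original thread): the cache-timestamp check suggested in Mase Taylor's and Ray Tackett's posts, done as a script that groups file times into after-hours sessions. The office hours, the 15-minute session gap, and treating each file's modification time as the time of use are assumptions; the sample timestamps are constructed.

```python
import os
import sys
from datetime import datetime, time, timedelta

# Assumptions (not from the thread): office hours and the idle gap that splits sessions.
WORK_START, WORK_END = time(8, 0), time(18, 0)
SESSION_GAP = timedelta(minutes=15)

# Constructed sample timestamps, used when no cache folder is given.
SAMPLE = [
    datetime(2006, 10, 5, 10, 30),  # Thursday, office hours
    datetime(2006, 10, 5, 21, 2),
    datetime(2006, 10, 5, 21, 10),
    datetime(2006, 10, 5, 21, 20),
    datetime(2006, 10, 5, 23, 0),
    datetime(2006, 10, 7, 11, 0),   # Saturday
]

def cache_timestamps(cache_dir):
    """Return sorted modification times of every file under cache_dir."""
    stamps = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            try:
                mtime = os.stat(os.path.join(root, name)).st_mtime
            except OSError:
                continue  # locked or vanished file: skip it and keep going
            stamps.append(datetime.fromtimestamp(mtime))
    return sorted(stamps)

def is_after_hours(ts):
    """True on weekends, or outside WORK_START..WORK_END on weekdays."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)

def after_hours_sessions(stamps):
    """Group after-hours timestamps into (first, last, file_count) tuples."""
    sessions = []
    for ts in sorted(t for t in stamps if is_after_hours(t)):
        if sessions and ts - sessions[-1][1] <= SESSION_GAP:
            first, _last, count = sessions[-1]
            sessions[-1] = (first, ts, count + 1)
        else:
            sessions.append((ts, ts, 1))
    return sessions

if __name__ == "__main__":
    stamps = cache_timestamps(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for first, last, count in after_hours_sessions(stamps):
        print(f"{first:%Y-%m-%d %H:%M} to {last:%H:%M}  {count} file(s)")
```

Run it against a copy of the cache folder and confirm the machine's clock first, since the result is only as good as the timestamps.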


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Nailing Unauthorized Users [Re: Stephanie Belser]
      #128935 - 10/05/06 07:19 PM

First question I have is what login are they using? Since the secretary found it, it tends to suggest that it was her login. So why is she walking away from the machine for periods of time without locking it?

In Win2000 and WinXT you HAVE to login. You can set up a default login so the machine boots right to the desktop, but I only use that for special things, like patron computers at a library.

Unfortunately most of my knowledge is in securing computers, not catching someone. Although the time/date stamp on the cache objects sure sounds like a good connection between time/date and the actual infraction. (As opposed to someone saying they were just checking their web mail if you just look at IE launch times.)

Also, is there any monitoring going on in IT? I know our company has the ability to report what machine went to what site at what time.


Stephanie Belser-2
Top Gun APC


Reged: 04/28/04
Posts: 7139
Loc: KFAM
Nailing Unauthorized Users [Re: Ray Tackett]
      #128961 - 10/06/06 03:23 AM

Ray,

That's a good idea. As you can tell, I haven't thought about this at all.

Stephanie

--------------------
If you wish to make an apple pie from scratch, you must first invent the universe.-- Carl Sagan


Stephanie Belser-2
Top Gun APC


Reged: 04/28/04
Posts: 7139
Loc: KFAM
Nailing Unauthorized Users [Re: Russell Holton]
      #128962 - 10/06/06 03:23 AM

Russell,

There are a couple of reasons why she wasn't locking her machine. We're a
smallish office and, after hours, the office itself is locked. The computers
are left on; backups are set to be run at night, as is Windows Update and
downloading AV signatures. The backup scheme is to back up the server to a
different work station each night.

She's locking it now.

Stephanie

--------------------
If you wish to make an apple pie from scratch, you must first invent the universe.-- Carl Sagan


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: Nailing Unauthorized Users [Re: Stephanie Belser-2]
      #128986 - 10/06/06 07:39 AM

Stephanie,

In addition to the other good suggestions here, another thought that works on XP, not sure if it does on Win2K but should, terminology may be different...

First off, change the passwords on *all* machines. Store 'em yourself securely, maybe try this tool also, Microsoft Baseline Security Analyzer 2.0.

Click the Desktop and select 'Properties', go to 'Screensaver', click the box that says something like 'On resume, password protect'. Also, set the screensaver 'Wait' time to a short interval. That can be annoying, but avoids unattended machines from being compromised. Here's a page that walks you through it with screenshots in a more formal way, but what I described just gits it dun <g>:

2K/XP Power

There should be a 'Power' button on the Screensaver screen. Click and set to 'Presentation'. That allows the password security with the screensaver to function and the boxes won't shutdown or go to standby, so as you can do your overnight backups.

Other pages that may be of help:

Google W2k group page

Microsoft info

Hth,

Edited by Jim Bell (10/06/06 07:47 AM)


Jim Bell
AVSIG Member


Reged: 05/05/04
Posts: 14226
Re: Nailing Unauthorized Users [Re: Russell Holton]
      #128993 - 10/06/06 07:58 AM

Russell,

You wrote in part:

>>In Win2000 and WinXT you HAVE to login.<<

Assuming that was XP you were referencing. I've seen many folks just blow through the password screens, both user (and admin on Pro)...no requirement to set one when first installing, IIRC. I'll be able to confirm or deny that when fixing my Symantecly broken XPS box this weekend :-(

