Posted by Daniel Petri on May 13, 2008, 5:05 am
Needless to say, this should have been sent from my own laptop and not from
the client's one... (note to self - remember what account you're using
before hitting send...)
Daniel
> Svyatoslav, thanks for bringing this up.
>
> The ObserveIT agent is guarded by a watchdog process, and the other way
> around. The moment you stop one, the other starts it again.
>
> However, if you kill both at exactly the same time by using a script, the
> security administrator will get an email alert from ObserveIT's
> application server telling him that recording on server XYZ has stopped,
> and that they should investigate the reason. Normally, this implies that
> someone has tampered with the agent.
>
> Remember that ObserveIT gives you visual auditing, root cause analysis,
> compliance and monitoring capabilities you did not have before. It is not
> designed to PREVENT malicious privileged users from causing harm.
>
> As a side note, seeing you're an MVP, I'd like to point out that ObserveIT
> now offers free NFR licenses for MVPs, email me if you'd like to get one.
> Naturally this goes for any MVP reading this message.
>
> Daniel Petri
> www.petri.co.il
>
>
>>I assume that people with administrative access can stop this remotely
>>before logging on to the server console? Which leaves us with the main
>>option - security logs
>>
>> --
>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>> -= F1 is the key =-
>>
>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>
>>>I suggest you take a look at ObserveIT (www.observeit-sys.com). ObserveIT
>>>is a visual auditing tool that enables the administrator to get a visual
>>>audit trail of what has been done on the servers, who did it, and where
>>>else the same action was performed. Anytime a privileged user accesses
>>>the server, a recording starts and captures anything that is done on the
>>>server.
>>>
>>> Since the product is agnostic to protocol and software, it captures and
>>> records ALL methods of remote access to the server, including RDP, VNC,
>>> TS, Citrix, Netop, DameWare and others. Besides capturing the
>>> screenshots, ObserveIT also captures metadata of what is seen on the
>>> screen, and indexes this in the DB.
>>>
>>> By using the product you can easily view these recordings through a web
>>> console. You can see things such as who touched a particular server at a
>>> given time, what they did during their session, where else they did
>>> the same action, and even perform a free text search (i.e. "who deleted
>>> a file called budget.xls?").
>>>
>>> Take a look at their demo and download the product. If you need any
>>> additional information please contact me by using the above
>>> email. On my site you can also read a review I wrote after beginning to
>>> work with the product.
>>>
>>> Daniel Petri
>>>
>>> www.petri.co.il
>>>
>>>> Hi all. Please excuse me if this issue has been covered before, I
>>>> searched but couldn't find any substantial answer.
>>>>
>>>> I have 10-15 privileged users accessing my network from outside
>>>> (through FW, via VPN). They access the network and perform various
>>>> tasks such as maintaining my Exchange servers and so on. 2 weeks ago I
>>>> had issues with some AD objects that have been deleted from the AD. The
>>>> user responsible for AD management claimed he did not do it, and this
>>>> has brought up my question: How would you suggest that I monitor these
>>>> users' actions? I have around 100 servers and I would like to know what
>>>> they did.
>>>>
>>>> Thanks,
>>>>
>>>> Jim
>>>>
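As an added example (not from anyone in this thread, and not part of ObserveIT), here is the "security logs" route Svyatoslav points at, applied to Jim's actual incident: pulling AD object deletions (Security event 5141) from every domain controller and reporting who deleted what. It assumes Windows Server 2008 or later DCs, the RSAT ActiveDirectory module on the machine running it, and that the "Directory Service Changes" audit subcategory has been enabled on the DCs beforehand; otherwise the events are never written.

```powershell
# Added example: collect AD object deletions (Security event 5141,
# "A directory service object was deleted") from all DCs and report them.
# Assumes the DCs already audit "Directory Service Changes" successes, e.g.:
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable
Import-Module ActiveDirectory

function Get-AdObjectDeletions {
    param(
        [datetime]$Since = (Get-Date).AddDays(-14),
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
                                       Select-Object -ExpandProperty HostName)
    )
    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
                LogName   = 'Security'
                Id        = 5141
                StartTime = $Since
            }
        } catch {
            # Get-WinEvent throws when no events match or the DC is unreachable
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Read the named EventData fields from the XML instead of relying
            # on positional Properties[] indexes, which differ between OS versions
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{
                Time        = $e.TimeCreated
                DC          = $dc
                Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                LogonId     = $d.SubjectLogonId   # match against 4624 on this DC for the source host
                ObjectClass = $d.ObjectClass
                ObjectDN    = $d.ObjectDN
                TreeDelete  = $d.TreeDelete
            }
        }
    }
}

# Usage: every deletion in the last two weeks, newest first
Get-AdObjectDeletions | Sort-Object Time -Descending | Format-Table -AutoSize
```

The LogonId column lets you join a deletion to the 4624 logon event on the same DC, which carries the source workstation and logon type, so a VPN user claiming "it wasn't me" can be checked against where the session actually came from.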