Posted by S. Pidgorny on May 14, 2008, 5:57 am
Thanks Daniel. Sounds like a reasonable architecture. Perhaps I'll give it a go.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
* http://sl.mvps.org * http://msmvps.com/blogs/sp *
> Needless to say, this should have been sent from my own laptop and not
> from the client's one... (note to self - remember what account you're
> using before hitting send...)
>
> Daniel
>
>
>
>> Svyatoslav, thanks for bringing this up.
>>
>> The ObserveIT agent is guarded by a watchdog process, and the other way
>> around. The moment you stop one, the other starts it again.
>>
>> However, if you kill both at exactly the same time by using a script, the
>> security administrator will get an email alert from ObserveIT's
>> application server telling him that recording on server XYZ has stopped,
>> and that they should investigate the reason. Normally, this implies that
>> someone has tampered with the agent.
>>
>> Remember that ObserveIT gives you visual auditing, root cause analysis,
>> compliance and monitoring capabilities you did not have before. It is not
>> designed to PREVENT malicious privileged users from causing harm.
>>
>> As a side note, seeing you're an MVP, I'd like to point out that
>> ObserveIT now offers free NFR licenses for MVPs, email me if you'd like
>> to get one. Naturally this goes for any MVP reading this message.
>>
>> Daniel Petri
>> www.petri.co.il
>>
>>
>>>I assume that people with administrative access can stop this remotely
>>>before logging on to the server console? Which leaves us with the main
>>>option - security logs
>>>
>>>
>>> --
>>> Svyatoslav Pidgorny, MS MVP - Security, MCSE
>>> -= F1 is the key =-
>>>
>>> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>>>
>>>>I suggest you take a look at ObserveIT (www.observeit-sys.com).
>>>>ObserveIT is a visual auditing tool that enables the administrator to
>>>>get a visual audit trail of what has been done on the servers, who did
>>>>it, and where else the same action was performed. Anytime a privileged
>>>>user accesses the server, a recording starts and captures anything that
>>>>is done on the server.
>>>>
>>>>
>>>>
>>>> Since the product is agnostic to protocol and software, it captures and
>>>> records ALL methods of remote access to the server, including RDP, VNC,
>>>> TS, Citrix, Netop, DameWare and others. Besides capturing the
>>>> screenshots, ObserveIT also captures metadata of what is seen on the
>>>> screen, and indexes this in the DB.
>>>>
>>>>
>>>>
>>>> By using the product you can easily view these recordings through a web
>>>> console. You can see things such as who touched a particular server at
>>>> a given time, what they did during their session, where else did they
>>>> do the same action, and even perform a free text search (i.e. "who
>>>> deleted a file called budget.xls?").
>>>>
>>>>
>>>>
>>>> Take a look at their demo and download the product. If you need any
>>>> additional information please contact me either by using the above
>>>> email. On my site you can also read a review I wrote after beginning to
>>>> work with the product.
>>>>
>>>>
>>>>
>>>> Daniel Petri
>>>>
>>>> www.petri.co.il
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> Hi all. Please excuse me if this issue has been covered before, I
>>>>> searched but couldn't find any substantial answer.
>>>>>
>>>>> I have 10-15 privileged users accessing my network from outside
>>>>> (through FW, via VPN). They access the network and perform various
>>>>> tasks such as maintaining my Exchange servers and so on. 2 weeks ago I
>>>>> had issues with some AD objects that have been deleted from the AD.
>>>>> The user responsible for AD management claimed he did not do it, and
>>>>> this has brought up my question: How would you suggest that I monitor
>>>>> these users' actions? I have around 100 servers and I would like to
>>>>> know what they did.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jim
>>>>>
>>>>
>>>>
>>>
>>>
>>
>
>
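The thread ends up naming security logs as the main option for Jim's original problem (finding out who deleted the AD objects, when, and from which server). Below is an added example, not written by any poster in this thread and not part of ObserveIT, showing how a defender pulls exactly that answer from the Security log on the domain controllers. It assumes Windows Server 2008 or later DCs with the "Directory Service Changes" audit subcategory enabled, which records Event ID 5141 ("A directory service object was deleted") for each deleted object; the DC names and the sample event record are constructed placeholders.

```powershell
# Added example: answer "who deleted which AD object, when, on which DC" from the
# Security log. Assumes Windows Server 2008+ DCs with the "Directory Service Changes"
# audit subcategory enabled, which records Event ID 5141 for each deleted object.

function ConvertFrom-DsDeletionEventXml {
    # Turn the XML of one Event ID 5141 record into a flat object.
    param([Parameter(Mandatory)][string]$EventXml)

    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # EventData holds <Data Name="..."> elements; index them by their Name attribute.
    $data = @{}
    foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }

    [pscustomobject]@{
        TimeCreated = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer    = $x.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId     = $data['SubjectLogonId']   # correlate with the 4624 logon event to get the source address
        ObjectDN    = $data['ObjectDN']
        ObjectClass = $data['ObjectClass']
        TreeDelete  = $data['TreeDelete']       # whole subtree removed in one operation
    }
}

function Get-DsDeletionReport {
    # Collect 5141 events from each DC, list them in time order, then count per user.
    param(
        [string[]]$DomainController,                 # assumption: caller supplies DC names
        [datetime]$Since = (Get-Date).AddDays(-14)   # the thread's "2 weeks ago"
    )
    $events = foreach ($dc in $DomainController) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 5141; StartTime = $Since } |
            ForEach-Object { ConvertFrom-DsDeletionEventXml -EventXml $_.ToXml() }
    }
    $events | Sort-Object TimeCreated |
        Format-Table TimeCreated, Computer, User, ObjectClass, ObjectDN -AutoSize
    $events | Group-Object User |
        Select-Object @{ n = 'User'; e = { $_.Name } }, @{ n = 'Deletions'; e = { $_.Count } } |
        Sort-Object Deletions -Descending
}

# Constructed sample record (not a real event) so the parser can be exercised offline.
$sampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>5141</EventID>
    <TimeCreated SystemTime="2008-05-01T10:15:30.000Z" />
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="ObjectDN">CN=Budget Group,OU=Finance,DC=corp,DC=example</Data>
    <Data Name="ObjectGUID">{00000000-0000-0000-0000-000000000001}</Data>
    <Data Name="ObjectClass">group</Data>
    <Data Name="TreeDelete">-</Data>
  </EventData>
</Event>
'@

ConvertFrom-DsDeletionEventXml -EventXml $sampleEventXml | Format-List

# Live use against real DCs (placeholder names):
# Get-DsDeletionReport -DomainController 'DC01', 'DC02' -Since (Get-Date).AddDays(-14)
```

Two practical notes. First, nothing is logged until the subcategory is on: `auditpol /set /subcategory:"Directory Service Changes" /success:enable` on each DC (or the matching advanced audit policy via GPO). Second, Svyatoslav's objection to a local agent applies to local logs as well: an administrator who can stop a process can also clear the Security log, which itself produces Event ID 1102 ("The audit log was cleared"). Forwarding the DC Security logs to a collector the same administrators cannot write to, and alerting on 1102, keeps the record usable as evidence rather than as something the suspect can erase.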