Keylogger or other monitoring method for server


A3C-ITMgr

I need to monitor activity directly on the server. I have an authorized user
who is under suspicion by the owners. His web browsing activities are the
question and he is cleaning up the history when completed. Any suggestions
would be greatly appreciated.
--
ChasT
 

Bogwitch

A3C-ITMgr wrote:
> I need to monitor activity directly on the server. I have an authorized user
> who is under suspicion by the owners. His web browsing activities are the
> question and he is cleaning up the history when completed. Any suggestions
> would be greatly appreciated.


Hi Chas,

First things first. Speak to your company lawyer/ legal advisor. There
are differing legal situations from country to country and IANAL.

Is there a user agreement that the user has signed up to that allows for
monitoring/ logging?

Your post indicates that the user is using a server. Is this correct? Is
the user an administrator?

A little more information would allow a better informed answer to your
question.

At a minimum:

Do you have a legal right to monitor? Do you have any written and
agreed-to security policy? It is unlikely much action can be taken if
you do not.

What is your network infrastructure/ topology?

What type of user is under suspicion? A standard user? An administrator?
Technically competent?

The more info you can give, the better. Oh, and did I mention, get some
legal advice?

Bogwitch.
 

A3C-ITMgr

--
ChasT


"Bogwitch" wrote:

> A3C-ITMgr wrote:
> > I need to monitor activity directly on the server. I have an authorized user
> > who is under suspicion by the owners. His web browsing activities are the
> > question and he is cleaning up the history when completed. Any suggestions
> > would be greatly appreciated.

>
> Hi Chas,
>
> First things first. Speak to your company lawyer/ legal advisor. There
> are differing legal situations from country to country and IANAL.
>
> Is there a user agreement that the user has signed up to that allows for
> monitoring/ logging?
>
> Your post indicates that the user is using a server. Is this correct? Is
> the user an administrator?
>
> A little more information would allow a better informed answer to your
> question.
>
> At a minimum:
>
> Do you have a legal right to monitor? Do you have any written and
> agreed-to security policy? It is unlikely much action can be taken if
> you do not.
>
> What is your network infrastructure/ topology?
>
> What type of user is under suspicion? A standard user? An administrator?
> Technically competent?
>
> The more info you can give, the better. Oh, and did I mention, get some
> legal advice?
>
> Bogwitch.
>

The user is an Administrator, but not the primary Admin. I am the primary,
and my directive has come directly from the owner.

We are running a single server and Small Business Server 2003 which also
contains Exchange.

Our topology is ethernet via 3 switches and we also have a Netgear FVS318 as
our only firewall.
 

Michael Robinson

A3C-ITMgr wrote:
> I need to monitor activity directly on the server. I have an authorized user
> who is under suspicion by the owners. His web browsing activities are the
> question and he is cleaning up the history when completed. Any suggestions
> would be greatly appreciated.


One of the first things we learned in my UNIX admin class is that when
someone higher-up asks you to do something like this, make sure it's
legal, and get a signed statement from them with an independent witness.

You really should talk to a lawyer before you do anything.

--
http://weblog.mkronline.com/
 

Bogwitch

A3C-ITMgr wrote:

> The user is an Administrator, but not the primary Admin. I am the
> primary, and my directive has come directly from the owner.


No matter where your directive has come from, you need LEGAL authority
to monitor your users. There is an expectation of privacy unless it is
explicitly removed. However, IANAL?

> We are running a single server and Small Business Server 2003 which
> also contains Exchange.


> Our topology is ethernet via 3 switches and we also have a Netgear
> FVS318 as our only firewall.


It sounds as though you have no policy docs to allow monitoring of this
type. Seek professional legal advice.
Implement a written policy NOW! Explain to the company owners that they
are legally responsible for ALL their users' actions UNTIL an acceptable
use policy is in place which will need to be agreed to by all the users,
including the owners.
Without such a policy, you may find any action you take could be
inadmissible if any court action is required and worse still, you could
find yourself in court as a defendant. Please tread carefully.

My experience is in the UK. You do not state where you are from and
legislation varies from country to country. Having said that, most
countries will require legal authority to perform such actions.

Bogwitch
 

A3C-ITMgr

--
ChasT


"Bogwitch" wrote:

> A3C-ITMgr wrote:
>
> > The user is an Administrator, but not the primary Admin. I am the
> > primary, and my directive has come directly from the owner.

>
> No matter where your directive has come from, you need LEGAL authority
> to monitor your users. There is an expectation of privacy unless it is
> explicitly removed. However, IANAL?
>
> > We are running a single server and Small Business Server 2003 which
> > also contains Exchange.

>
> > Our topology is ethernet via 3 switches and we also have a Netgear
> > FVS318 as our only firewall.

>
> It sounds as though you have no policy docs to allow monitoring of this
> type. Seek professional legal advice.
> Implement a written policy NOW! Explain to the company owners that they
> are legally responsible for ALL their users' actions UNTIL an acceptable
> use policy is in place which will need to be agreed to by all the users,
> including the owners.
> Without such a policy, you may find any action you take could be
> inadmissible if any court action is required and worse still, you could
> find yourself in court as a defendant. Please tread carefully.
>
> My experience is in the UK. You do not state where you are from and
> legislation varies from country to country. Having said that, most
> countries will require legal authority to perform such actions.
>
> Bogwitch
>


Sorry for the omission. We are in the U.S. There is virtually no chance
that we will take legal action. We primarily want to prove to ourselves that
there are no reasons to worry about his activities. Most likely, he is
surfing the web and not doing anything illegal or immoral. Worst case, he
will be restricted from logging on to the server.

ChasT
 

Bogwitch

A3C-ITMgr wrote:

> Sorry for the omission. We are in the U.S. There is virtually no
> chance that we will take legal action. We primarily want to prove to
> ourselves that there are no reasons to worry about his activities.
> Most likely, he is surfing the web and not doing anything illegal or
> immoral. Worst case, he will be restricted from logging on to the
> server.


OK, I'm pretty sure in the US the same sort of rules apply. Without
permission from the users (signed security operating procedures, for
example) logging or monitoring would be illegal. (invasion of privacy)
Perhaps someone from the US could clarify?

Bottom line, get legal advice before deploying any technical measures.

Bogwitch.
 

S. Pidgorny

G'day:

"Bogwitch" <Bogwitch@reply.to.group.fake> wrote in message news:UvUHi.66150

> Bottom line, get legal advice before deploying any technical measures.


Not always. The company owns gateway infrastructure (the firewall, ISA
Server) and has no obligation to give employees any notification before
reviewing the logs that are available. That is the case in the US and most
other Western countries, with the notable exception of Germany (where you mustn't
log Web access).

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
 