Server Activity

Posted

I'm looking for some suggestions on how to monitor what a user is doing while they are logged into our server. We have a user with administrative rights that logs into our server and helps us when we have problems. I've noticed some changes and errors that have given us reason to think there might be something more going on than what he's paid to do. Is there anything we could use to monitor and log what this user is doing? It's always a remote connection so something like a keylogger would not work. I appreciate any suggestions.

Thanks!

Guest Lanwench [MVP - Exchange]
Posted

Re: Server Activity

John W <jw2554@yahoo.com> wrote:

> I'm looking for some suggestions on how to monitor what a user is doing while they are logged into our server. We have a user with administrative rights that logs into our server and helps us when we have problems. I've noticed some changes and errors that have given us reason to think there might be something more going on than what he's paid to do. Is there anything we could use to monitor and log what this user is doing? It's always a remote connection so something like a keylogger would not work. I appreciate any suggestions.
> Thanks!

Well, you could turn up auditing, but that may not do enough. All you could use *is* something like a keylogger.

Seriously, if you have reason to distrust this user, take away the admin rights. You should actually consider delegating permissions (I'm presuming you use AD here) and installing a taskpad on this user's PC, so he doesn't need to log into the server at all. You can give him just the rights he needs.

Posted

Re: Server Activity

Part of where our problem lies is that we don't have an in-house IT person. The person we suspect is the one who set up our server and all the permissions. And yes we do use an AD. We're probably going to hire an outside person to come in and fix the permissions but we really would like to know what he's up to first. When you say turn up the auditing what exactly do you mean? I'm a little bit familiar with SBS 2k3 but not enough to be modifying group policies or things like that.

Thanks for the advice!


Guest Lanwench [MVP - Exchange]
Posted

Re: Server Activity

John W <jw2554@yahoo.com> wrote:

> Part of where our problem lies is that we don't have an in-house IT person. The person we suspect is the one who set up our server and all the permissions. And yes we do use an AD.

Ah, yes, if you're using SBS you would have to be. Always remember to include full detail info when you post in server groups, re versions/SP levels etc. SBS questions are best posted in microsoft.public.windows.server.sbs, for future reference.

> We're probably going to hire an outside person to come in and fix the permissions but we really would like to know what he's up to first.

Note - you haven't mentioned any of the specific issues that make you suspicious, and they may in fact be nothing to worry about.

That said, I appreciate the bind you're in, but there's no real way around this if you don't know how to manage your own server already - I suggest you have an outside person come in and *perform* a detailed server/network audit for you. You can have this person work *with* your IT person or not (you are always entitled to get an outsider for a second opinion; it's your network), but let the other consultant know your concerns.

> When you say turn up the auditing what exactly do you mean?

http://support.microsoft.com/kb/814595 for basics...

> I'm a little bit familiar with SBS 2k3 but not enough to be modifying group policies

I generally recommend that you create your own and link them at the correct OU level to do what you want.

> or things like that.

Then I suggest you not be the one to do this - remember that what you do will be quite visible to your current admin.


Posted

Re: Server Activity

Thanks for the info. I know I'm not fully qualified for this but we have nobody in our office who is. I was hoping there might be some simple monitoring tool that we could use to figure out what's going on. As for the issues that are making us suspicious....he has no real need to be logged into our server but for some reason he's been connected every night while we're closed. I can tell because he keeps rebooting the machine. There are also a LOT of new errors showing up. We've started getting a message that we're about to run out of licenses (we haven't added anyone new). Also, all of our remote users connect through terminal services. I've noticed him accessing network drives while TS doesn't show him connected - to me that means he's created himself another way into the server.


Guest Lanwench [MVP - Exchange]
Posted

Re: Server Activity

John W <jw2554@yahoo.com> wrote:

> Thanks for the info. I know I'm not fully qualified for this but we have nobody in our office who is. I was hoping there might be some simple monitoring tool that we could use to figure out what's going on.

No, not really.

> As for the issues that are making us suspicious....he has no real need to be logged into our server but for some reason he's been connected every night while we're closed. I can tell because he keeps rebooting the machine.

Every night? How do you know it's him, and not a hardware failure, or a service, or scheduled task, etc?

> There are also a LOT of new errors showing up. We've started getting a message that we're about to run out of licenses (we haven't added anyone new).

Pertaining to your SBS CALs? How are you licensed now? Per user, or per device? I have to say I can't see how this could be construed as nefarious activity. You just may not have enough licenses. SBS doesn't really log your licenses, it just displays the maximum it's detected in use. You need one per device (wherever it is....) or per user (wherever the users are).

> Also, all of our remote users connect through terminal services. I've noticed him

How have you noticed this?

> accessing network drives while TS doesn't show him connected - to me that means he's created himself another way into the server.

Could be using VPN (PPTP VPN is built into SBS).

I have to tell you, nothing here is sounding terribly dire to me...unless you think his bills are being padded. What has he said when you've asked him about this? I have to imagine someone has talked to him already - if not, I suggest you do. No sense in jumping the gun.


Posted

Re: Server Activity

>> As for the issues that are making us suspicious....he has no real need to be logged into our server but for some reason he's been connected every night while we're closed. I can tell because he keeps rebooting the machine.
>
> Every night? How do you know it's him, and not a hardware failure, or a service, or scheduled task, etc?

We know it's him because when he does the restart he puts his initials in the comments for the restart.

>> There are also a LOT of new errors showing up. We've started getting a message that we're about to run out of licenses (we haven't added anyone new).
>
> Pertaining to your SBS CALs? How are you licensed now? Per user, or per device? I have to say I can't see how this could be construed as nefarious activity. You just may not have enough licenses. SBS doesn't really log your licenses, it just displays the maximum it's detected in use. You need one per device (wherever it is....) or per user (wherever the users are).

We are currently licensed per device. We have more licenses than we need and have not added any new equipment or users for quite some time.

>> Also, all of our remote users connect through terminal services. I've noticed him
>
> How have you noticed this?

I have been using some software (AMS Monitoring System) that logs who is accessing what network shares. It will show the user, the system they're connecting from and what folders they're using.

>> accessing network drives while TS doesn't show him connected - to me that means he's created himself another way into the server.
>
> Could be using VPN (PPTP VPN is built into SBS).

I agree he could just be using VPN but to us it still comes down to why. He has no reason to be in our system.

> I have to tell you, nothing here is sounding terribly dire to me...unless you think his bills are being padded. What has he said when you've asked him about this? I have to imagine someone has talked to him already - if not, I suggest you do. No sense in jumping the gun.

We haven't talked to him as of yet. We were hoping to figure out what he was doing before we confronted him. I'm sure it's probably nothing but I don't want to just assume that and end up getting burned. He knows that we don't have any experts on things like this so it would be easy for him to tell us something that wasn't true. Thanks again for the information. We probably are making more of this than we need to but I'd rather catch something before it becomes a big problem.


Guest Lanwench [MVP - Exchange]
Posted

Re: Server Activity

John W <jw2554@yahoo.com> wrote:

>>> As for the issues that are making us suspicious....he has no real need to be logged into our server but for some reason he's been connected every night while we're closed. I can tell because he keeps rebooting the machine.
>>
>> Every night? How do you know it's him, and not a hardware failure, or a service, or scheduled task, etc?
>
> We know it's him because when he does the restart he puts his initials in the comments for the restart.

OK - ask him why he's doing it. Or cut him off entirely and change *all* your passwords everywhere. Nobody else will be able to figure out the reason!

>>> There are also a LOT of new errors showing up. We've started getting a message that we're about to run out of licenses (we haven't added anyone new).
>>
>> Pertaining to your SBS CALs? How are you licensed now? Per user, or per device? I have to say I can't see how this could be construed as nefarious activity. You just may not have enough licenses. SBS doesn't really log your licenses, it just displays the maximum it's detected in use. You need one per device (wherever it is....) or per user (wherever the users are).
>
> We are currently licensed per device. We have more licenses than we need and have not added any new equipment or users for quite some time.

If these are SBS CAL messages I don't know that you need to worry about them, then.

>>> Also, all of our remote users connect through terminal services. I've noticed him
>>
>> How have you noticed this?
>
> I have been using some software (AMS Monitoring System) that logs who is accessing what network shares. It will show the user, the system they're connecting from and what folders they're using.

Are these ones he has no business accessing? Such as, personnel/budget info?

>>> accessing network drives while TS doesn't show him connected - to me that means he's created himself another way into the server.
>>
>> Could be using VPN (PPTP VPN is built into SBS).
>
> I agree he could just be using VPN but to us it still comes down to why. He has no reason to be in our system.

Perhaps he's doing work. Can't say. You'd have to ask him or cut him off as per above.

>> I have to tell you, nothing here is sounding terribly dire to me...unless you think his bills are being padded. What has he said when you've asked him about this? I have to imagine someone has talked to him already - if not, I suggest you do. No sense in jumping the gun.
>
> We haven't talked to him as of yet. We were hoping to figure out what he was doing before we confronted him.

Not possible, really.

> I'm sure it's probably nothing but I don't want to just assume that and end up getting burned. He knows that we don't have any experts on things like this so it would be easy for him to tell us something that wasn't true.

To what end, though?

> Thanks again for the information. We probably are making more of this than we need to but I'd rather catch something before it becomes a big problem.

Sure, but your options are limited. The bottom line is, you have to be able to trust your admin - which means you have to be able to talk to your admin. At this point, unless the guy is acting really sketchy, I can't see that you have any reason to suspect him of underhanded deeds - I, however, would be asking him ASAP why your server is being rebooted every night.

<snip>

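As an added example (not from the thread), here is how the three concrete signals John describes could be pulled from exported event-log records instead of guessed at: the Shutdown Event Tracker comment on each restart (Event ID 1074), after-hours logons, and share access (network logon, type 3) with no Terminal Services session (type 10), which is what a VPN user reaching the shares would look like. The records are constructed, the office hours are an assumption, and the logs should be read from a copy forwarded off the server, since, as Lanwench notes, anything done on the box is visible to the admin in question.

```python
from datetime import datetime, time, timedelta

# Constructed sample records (not real log data) mirroring fields of a Windows
# event-log export. Event 1074 (System log, source USER32) is what the Shutdown
# Event Tracker writes on Server 2003 and carries the free-text comment the
# thread's admin signs with his initials. Event 528 is a successful logon on
# Server 2003 (4624 on later versions); logon type 10 is a Terminal Services/RDP
# session, type 3 a network logon such as mapping a share, which is also what a
# PPTP VPN user produces when reaching the shares without a TS session.
SAMPLE_EVENTS = [
    {"time": "2007-11-05 02:10:03", "id": 528, "user": "CORP\\jsmith", "logon_type": 3},
    {"time": "2007-11-05 02:14:10", "id": 1074, "user": "CORP\\jsmith",
     "comment": "JS - maintenance"},
    {"time": "2007-11-05 09:30:00", "id": 528, "user": "CORP\\alice", "logon_type": 10},
    {"time": "2007-11-05 14:00:00", "id": 528, "user": "CORP\\jsmith", "logon_type": 10},
    {"time": "2007-11-05 14:05:00", "id": 528, "user": "CORP\\jsmith", "logon_type": 3},
    {"time": "2007-11-06 01:58:41", "id": 4624, "user": "CORP\\jsmith", "logon_type": 3},
    {"time": "2007-11-06 02:05:22", "id": 1074, "user": "CORP\\jsmith", "comment": "JS"},
]

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed office hours
LOGON_EVENTS = {528, 4624}                   # 2003 / 2008+ successful logon
TS_LOGON, NETWORK_LOGON = 10, 3


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")


def after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def restarts_by(events, user):
    """Shutdown Event Tracker entries (1074) initiated by `user`, with comment."""
    return [(e["time"], e["comment"]) for e in events
            if e["id"] == 1074 and e["user"] == user]


def after_hours_logons(events, user):
    """Logons by `user` outside business hours, tagged by logon type."""
    kinds = {TS_LOGON: "ts", NETWORK_LOGON: "network"}
    return [(e["time"], kinds.get(e["logon_type"], "other")) for e in events
            if e["id"] in LOGON_EVENTS and e["user"] == user
            and after_hours(parse_time(e["time"]))]


def network_without_ts(events, user, window=timedelta(hours=1)):
    """Network logons by `user` with no TS logon by the same user within `window`
    beforehand: the thread's 'on the shares but not on TS' signal."""
    ts_times = [parse_time(e["time"]) for e in events
                if e["id"] in LOGON_EVENTS and e["user"] == user
                and e["logon_type"] == TS_LOGON]
    flagged = []
    for e in events:
        if e["id"] not in LOGON_EVENTS or e["user"] != user \
                or e["logon_type"] != NETWORK_LOGON:
            continue
        t = parse_time(e["time"])
        if not any(0 <= (t - ts).total_seconds() <= window.total_seconds()
                   for ts in ts_times):
            flagged.append(e["time"])
    return flagged


if __name__ == "__main__":
    who = "CORP\\jsmith"
    print("restarts:", restarts_by(SAMPLE_EVENTS, who))
    print("after-hours logons:", after_hours_logons(SAMPLE_EVENTS, who))
    print("share access without TS:", network_without_ts(SAMPLE_EVENTS, who))
```

The same functions run unchanged over a real export once the records are normalised to these fields; a network logon that is flagged here only says "not via TS", so the RRAS/VPN log is the next place to look, not a conclusion on its own.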