Deadpete

Hi folks, I appreciate all the good advice put forward here. I just want to recapitulate what my issue was from the beginning. I needed means to collect web access data for a particular user. Not keylogging, screen dumps, or that sort, as it's far too intrusive. Just record web access, mainly URLs. I could probably have set up a transparent proxy server, but that's using nukes for picking off a few pigeons. I have managed to collect sufficient evidence to present a good case, anyway. Particularly thanks to Tom, for reminding me about documenting everything. The fewer holes in the tapestry, the better. It will be ugly. Thanks to other colleagues for pointing out the possibility to use different means to lock down USB drives. That will be implemented promptly. I will probably implement some more permanent web monitoring to detect abuse at an early stage, before it gets out of hand. I wish everybody a nice spring Peter

Thanks for your input peteyt. It's a balance what is practical, and what's desirable. I don't want to make my office to a second home, which it quickly would be, if I start to lock down user privileges to this particular group. Threat no. 1 for me is rogue USB drives. They can easily carry infection and expand it, circumvent access restrictions to shares, etc. It's also a snap stealing data with a USB drive. Threat no. 2 is web access to pages containing assorted threats. Stealing data just by uploading it to a web server is even more simple. And it bypasses all privileges. As I mentioned previously, I will implement restrictions for USB drives ASAP. Best regards, Peter

Thanks for your input itman. Been there, done that. As I stated previously, this bunch of people need an unrestrained environment to work efficiently. That does not imply total freedom, however. Access to shared resources is very restricted for this group. The problem here, is that one single user is violating company policy, by using company resources to access web sites (potential hazardous) that has got nothing to do with the work position. Also plugging in non approved USB drives with infected files is part of the problem. Restrict privileges to software installations probably will just irritate legitimate users, as this is not really a part of the problem. I will at least implement restrictions on USB drives for now, as it is excellent as a carrier of malware. Best regards, Peter 👍 Thanks Tom, will need it. It will explode on Friday... Peter

Hi Tom, In this case I don't agree with you. Every organization is different. If you are in a large organization, there are (hopefully) a bunch of formal instructions and directives how to handle cases like this. There are formal rules how to open a surveillance case, and how to handle the whole process. In my case, I'm appointed to take care of the day to day IT operations. Which includes "policing". If I would contact the management without, or with very scant evidence, I would probably be told to not bring slander. It could also end up that the person in question would be fired on the spot. Both outcomes very unfortunate. If I collect solid evidence of abuse, the reaction will be very swift. If the person in question steps in line, and starts to behave responsibly, the better. Then there's no case, and nothing has happened. I also have got decades of experience in this business, but not from large organizations. Also, I guess the different view points we have are based on local habits and customs. Best regards, Peter

Hi folks, This topic seems to have caught the interest of quite a few. I sincerely value the input from everybody. The problem has got many facets, both technical, and human. There are not many users in this work group, and I know everybody personally. In a small group, you must have a high level of trust, that everybody behaves responsibly. Many years ago, I tried being restrictive, blocking USB ports, keeping track of flash drives, logging web access, logging mail communications, etc. It was a small success with the office workers, where a certain amount of abuse was detected, and promptly acted upon. With the engineering staff however, it turned out to be quite counter productive. The users were unhappy, and I was bogged down with elementary tasks. It turned out to be efficient to give each user administrative privileges on their own local computer. Some of the software is updated fairly frequently, and being too restrictive would have quite an impact on productivity. Until recently, that was never a problem. Naturally, data is compartmentalized, where only bits and pieces are shared, and most data stays "private", according to the individual work position of each user. But now, simply put, I have got to handle a user that has started to misbehave seriously. I need to collect information that maps and documents what is going on, either through ESET, or by some other software. The findings will eventually be reported to the management. Implementing appropriate restrictions, either/or by GPOs, ESET, and other means, will emerge from the decisions that will be taken. Best regards, Peter

Thanks for your input Tom. I am grateful about the reminder about documenting everything. I have informally told the person in question that I don't like the behavior, and that it poses a serious risk. The response seemed to be uninstalling some "incriminating" browser plugins (harmless by themselves), and access contents by other means. With this type of avoidance reaction, I'm afraid only solid proof (in the form of browser, and USB logs) can get the person to stop. If at all... Best regards, Peter

Hi Marcos, Thanks for your input. In this case, it's not really what I'm after. It's not a large network, there are not a lot of users, and keeping an eye on network traffic does not need very advanced tools. At the moment, I am more in need of some tools to log what a particular user is up to. Best regards, Peter

Hi folks, At our site, we have got a user with seriously risky behavior. The user has frequently been visiting web pages with infected contents, and the user has also been plugging in infected flash drives on a couple of occasions. Up till now, ESET has blocked dangerous content, but it's just a matter of time until something very unpleasant stuff gets through. Telling the person to stop doesn't seem to be very helpful. Monitoring users is a quite sensitive area, but the company policy is, that there are no rights to privacy when using company equipment, or other company resources. Private use is strictly prohibited, and part of the employment conditions. My question is, if there are some means to logging user behavior in the ESET packages? In our case, it's mostly logging of web browser traffic (visited URLs, not contents), and use of USB drives that could be valuable. At least to get a picture what is going on (illegal crypto currency mining or what). Key loggers, screen dumps and similar is going too far at this point. Best regards, Peter

Hi folks, Deadpete here... Have a nice day! Peter