Start by turning on auditing on all machines. Specifically, Audit Account Logon Events - this will record the success or failure of a user to authenticate to the local computer across the network.
Audit Logon events - this records the success or failure of a user to interactively log on to the local machine.

Be sure to increase the size of your security log as it can fill up quickly. This can be easily done through group policies. Also check the VPN logs to match against the security logs to pinpoint the exact time she VPNs from home. I also use a product called Eventlog Monitor from GFI that continually scans event logs of machines and will email you depending on what type of action and severity is found.

MP

-----Original Message-----
From: Alan Cooper [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 13, 2002 12:22 PM
To: [EMAIL PROTECTED]
Subject: Logging admin access to workstations

I have a potential hacker on our corporate LAN who has network-wide administration rights and may be copying confidential files from several executive workstations. This is a Windows environment and the workstations involved are Windows 2000 Pro and NT. The person suspected is extremely sharp and I need to do this without her knowledge. It is unlikely that we could use a keyboard-logging program since she is using a laptop (asking for the laptop may arouse her suspicions). She also VPNs from home and I have no access to her home systems.

Is there a program that we can run on Win 2000 and NT workstations that will log all access attempts, tell me what they are doing if access is granted, their IP address, time of day, etc? Is there a better way to approach this problem?

Thanks for your help.
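The matching of VPN logs against workstation security logs that the reply describes, as an added example that is not part of the original thread. The CSV layouts, account names and host names are constructed assumptions; real security-log and VPN exports would first be normalized to this shape.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (assumed layout, not from the thread): logon records
# exported from workstation Security logs, and sessions from the VPN server.
SECURITY_LOG = """time,workstation,kind,account
2002-03-12 21:14:05,EXEC-WS1,network,CORP\\jdoe
2002-03-12 21:40:51,EXEC-WS2,network,CORP\\jdoe
2002-03-12 22:06:30,EXEC-WS2,network,corp\\jdoe
2002-03-12 22:31:10,EXEC-WS1,network,CORP\\backup
2002-03-13 09:02:44,EXEC-WS1,interactive,CORP\\ceo
2002-03-13 14:20:00,EXEC-WS1,network,CORP\\jdoe
"""
VPN_LOG = """account,start,end
CORP\\jdoe,2002-03-12 21:10:00,2002-03-12 22:05:00
CORP\\jdoe,2002-03-13 23:50:00,2002-03-14 00:30:00
"""
FMT = "%Y-%m-%d %H:%M:%S"


def load(text):
    """Parse one of the CSV exports into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def correlate(events, sessions, skew=timedelta(minutes=2)):
    """Return (session_start, event_time, workstation) for every network logon
    by an account while that account had a VPN session open. `skew` widens
    each session to absorb clock drift between VPN server and workstations."""
    hits = []
    for s in sessions:
        start = datetime.strptime(s["start"], FMT) - skew
        end = datetime.strptime(s["end"], FMT) + skew
        for ev in events:
            if ev["kind"] != "network":
                continue  # interactive logons are not remote access
            if ev["account"].lower() != s["account"].lower():
                continue  # Windows account names are case-insensitive
            if start <= datetime.strptime(ev["time"], FMT) <= end:
                hits.append((s["start"], ev["time"], ev["workstation"]))
    return hits


if __name__ == "__main__":
    for hit in correlate(load(SECURITY_LOG), load(VPN_LOG)):
        print(*hit, sep="  ")
```

Unsynchronized clocks are the usual reason a correlation like this misses or misattributes events, so the skew window should reflect the measured drift between the hosts.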
