View Off-Site Users' Actions

[Devon Sedlydins]

How can I view which Users are logging in from off site, what IP
addresses they originate from, and which programs are accessed by those
Users? Is this possible? I would actually also like to view their
keystrokes while they are online, but I don't know if that is possible
either.

I suspect the system may have been compromised, that is, but I want to
both make sure of it, and also see what information is being sought.

We are using a Sonic firewall and Terminal Services (MSTC) for Users to
access the Win2000 Server.

 

[Phillip Windell]

Only on Star Trek, the Matrix...and other hollywood movies.

 

[Richard G. Harper]

You'd have to buy a dedicated network device that would log all this
information and put that device between your public Internet link and the
rest of your network. Unfortunately I don't know of any that will do all of
this but you're welcome to use Google and see what you can find. Windows
itself cannot do such logging.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

 

[Phillip Windell]

If you are compromised, and the intruder has somehow stolen a user's
credentials (the most common method), the traffic would look just like the
user owning the credentials was doing it and there would be no way to tell
the difference.

The defense is to have all users change their passwords,...then the intruder
wouldn't know about the change which would cause "failed" logon attempts
which you could then possbly track. Unfortunately, there would be a lot of
other failed logins from the real users due to the fact that they have just
changed their passwords and old habits are hard to break.