who's on...


hey all,
i might be having problems at work with people getting on my pc (via sms or
mapping drives) but i can't tell for sure. when i look under shared
folders/sessions in computer management i can see a co-worker's user id show
up on and off for long periods of time. could that be because of my SQL
Server being registered on his/her enterprise manager? i don't know?

or how do i know if someone is using sms because i've seen some
administrators use remote desktop with sms on user who had no idea they were
being watched. This seems scary. i know administrator should have this
ability but what if i'm working on something and that information is taken
from me and used for gain by someone else, now that's not fair.

is there a way i can monitor these kinds of threats or do i need to find a
better job where i can trust the people i work for?

thanks,
mj
 
Make sure that you have enabled auditing of logon events in the Local
Security Policy of your computer and then you can see when users have
accessed your computer by looking at the security logs via Event Viewer
though an administrator could clear the security log that itself would leave
an event. If you have data on your computer that you want to remain
confidential I suggest that you look into encrypting that data. XP Pro can
use EFS but if domain level administrators are malicious they could
potentially access your EFS files by adding themselves as a Recovery Agent
which would show in the properties of the EFS file or using efsinfo. There
are also third party encryption programs. If you do resort to encryption be
SURE to understand the risks because if your private key becomes corrupted
you may lose permanent access to your data and I would suggest that you keep
clear text backups of anything important secured on external media. There is
also the problem with a malicious user installing a keyboard logger on your
computer that could capture your passwords and keystrokes though there are
programs that can be pretty good at detecting [software ones only - not
hardware] them such as AdAware SE, SpyBot Search and Destroy, and Ewido
though you would need to update definitions for any program before a scan.
The links below may help and if they refer to Windows 2000 they apply to XP
also other than XP Pro does not require a RA for EFS. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;en-us;q300958
http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx
http://www.windowsecurity.com/articles/Logon-Types.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223316
http://www.ewido.net/en/
http://www.snapfiles.com/Freeware/security/fwencrypt.html
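
Added example (not part of the original post): a short Python triage of exported Security-log records that counts remote logons by other accounts and reports any log-clear event. The sample records, account names and host names are constructed; the event IDs are those used by Windows 2000/XP/2003 (528 and 540 for successful logons, 517 for a cleared audit log).

```python
from collections import Counter

# Security-log event IDs on Windows 2000/XP/2003 (later versions renumbered them).
LOGON_EVENTS = {528, 540}   # 528 = successful logon, 540 = successful network logon
LOG_CLEARED = 517           # "The audit log was cleared"

# Logon types that mean the session came in over the network.
REMOTE_TYPES = {
    3: "network (shared folder, printer, named pipe)",
    10: "remote interactive (Terminal Services / Remote Desktop)",
}

# Constructed sample records, shaped like rows exported from Event Viewer.
SAMPLE = [
    {"time": "2005-03-01 08:58", "id": 528, "user": "mj", "type": 2, "source": "MJ-PC"},
    {"time": "2005-03-01 09:14", "id": 540, "user": "coworker1", "type": 3, "source": "DEV-PC07"},
    {"time": "2005-03-01 09:15", "id": 540, "user": "MJ-PC$", "type": 3, "source": ""},
    {"time": "2005-03-01 11:40", "id": 540, "user": "coworker1", "type": 3, "source": "DEV-PC07"},
    {"time": "2005-03-01 13:02", "id": 528, "user": "admin1", "type": 10, "source": "ADMIN-WS2"},
    {"time": "2005-03-01 17:30", "id": 517, "user": "admin1", "type": None, "source": ""},
]

def remote_logons(records, owner):
    """Count remote logons per (user, source, logon type), skipping the owner and machine accounts."""
    counts = Counter()
    for r in records:
        if r["id"] not in LOGON_EVENTS or r["type"] not in REMOTE_TYPES:
            continue
        user = r["user"]
        # Assumption: the owner's own sessions and computer accounts ("NAME$") are expected noise.
        if user.lower() == owner.lower() or user.endswith("$"):
            continue
        counts[(user, r["source"], r["type"])] += 1
    return counts

def log_clears(records):
    """Return (time, user) for every event recording that the Security log was cleared."""
    return [(r["time"], r["user"]) for r in records if r["id"] == LOG_CLEARED]

if __name__ == "__main__":
    for (user, source, ltype), n in sorted(remote_logons(SAMPLE, "mj").items()):
        print(f"{user} from {source}: {n} x type {ltype}, {REMOTE_TYPES[ltype]}")
    for when, who in log_clears(SAMPLE):
        print(f"Security log cleared at {when} by {who}")
```

Repeated type 3 entries from one account line up with the on-and-off sessions shown under Shared Folders, while a type 10 entry is a full remote desktop session.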
 
"mattie" said:
when i look under shared
folders/sessions in computer management i can see a co-worker's user id show
up on and off for long periods of time.

In the Sessions folder click on the Help icon for detailed information on
the type of access, it could be a shared printer or shared resources and not
necessarily your work files, the "Number of open files" column in shared
folders/sessions in computer management can give you a specific idea as to
what/if files are being accessed in your computer, and if you deem it
necessary you can disconnect the user with a right click and "Disconnect all
sessions".

If your user account is power user you may be able to install a third party
firewall with the security level set at low to allow the normal local
network traffic. A firewall can give intrusion warnings and logs with
specific access information, you can also block specific intrusions if you
have to. Other type of software are traffic monitoring software, those can
give more specific information and even save detailed and printable logs.
The following web sites have many different traffic monitoring software,
hope you find the right one.

http://www.findapp.com/fMgmt/products.aspx?C=269

http://www.monitortools.com/

 
mattie said:
hey all,
i might be having problems at work with people getting on my pc (via
sms or mapping drives) but i can't tell for sure. when i look under
shared folders/sessions in computer management i can see a
co-worker's user id show up on and off for long periods of time.
could that be because of my SQL Server being registered on his/her
enterprise manager? i don't know?

Why not ask?

or how do i know if someone is using sms because i've seen some
administrators use remote desktop with sms on user who had no idea
they were being watched. This seems scary. i know administrator
should have this ability but what if i'm working on something and
that information is taken from me and used for gain by someone else,
now that's not fair.

is there a way i can monitor these kinds of threats or do i need to
find a better job where i can trust the people i work for?

What "threats" do you mean exactly? You seem concerned that network
administrators may be using their administrative rights to monitor your
computer. If they are behaving in an unsuitable manner then you should ask
your supervisor to raise the matter with their supervisor.

If the "working on something" you refer to is your own personal project,
then my advice would be - do not use other people's equipment to work on
your own personal projects.


--
Rob Moir, MS MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".
 
what i mean is what if another lateral developer is trying to view my
progress and use it for his/her gain. lately i've had entries in my security
event log from lateral developers who have no business accessing my machine.

i do have auditing on for logon and detail tracking and the records i'm
getting are
Logon/Logoff
Privilege Use

what do these entries mean?

thanks,
mj
 