Tracing Internet history from server end?

[alanbloom]

I have just started a job administering a small network in a training centre. There was bugger all security, which has been sorted now but apparently a convict had been using the internet, looking at dodgy stuff when he should have been 'learning'... I don't think we have a course 'how to look at porno'...

The prison server need to know what he was looking at, so I am trying to get the history logs.

The computer he was using has a domain user account with a fixed IP, so I don't know of any way of getting to internet history logs on the computer he was using. Is there a way of getting logs from the server?

The set up is a web server running Windows 2000 server as well as a domain controller, running the same. I know the IP address of the training computer - is that enough to get the history?

Thanks

 

[sh321]

If you haven't got any internet filtering/logging software then I would guess the easiest way would be to access the 'History' folder in 'c:\Documents and Settings\Username\Local Settings\History' - either directly from the PC or from the server as per below.

Just access the C: drive of the PC that he/she was using from the server, from the 'Run' command type \\pcname\C$

This is all assuming that the user (or anyone else hasn't deleted the history.

 

[sh321]

Forgot to add, you will have to uncheck the 'Hide protected operating system files' in 'Folder Options' to view the 'History' folder.

 

[alanbloom]

Hi there
Thanks for replying

There are a couple of internet usage logs on the specific computer, but he used the Clear History function before leaving the computer. I was hoping that the server may have a very low level record of addressed or IP visited, regardless of the machine he was on...

Thanks again

Alan

 

[kmcferrin]

The server will have nothing unless it is a proxy server. If you don't have a proxy server that he was using, then the only record will be on his PC.

But just because you hit "Clear History" in IE doesn't mean that the history is actually cleared. There are a number of free and shareware tools available that can read the DAT files left on the PC under his user profile and provide you with a list of sites that he has visited. If you Google for them I'm sure you can find 50 or so. Most of them are for spying on your kids/spouse/etc or for keeping your kids/spouse from being able to spy on you. There's also the drop-down history in IE, and I don't think that clears itself either.

 

[sh321]

Agreed with kmcferrin- you should be able to retrieve the necessary files with the appropriate software.

The best solution for the future would be to invest in some proxy/web filtering software for your server. With this installed you can both monitor and restrict web categories of your choice/in line with company policy.

If you can't stretch to that, then at the least disable access to clearing the IE history via Group Policy.

 

[kmcferrin]

It shouldn't be much of a stretch, you can do most of that with Squid (not sure if it allows blocking). But even if you can't block with Squid, you can do use OpenDNS instead. Money spent would be minimal.