Win2K. Here's the scoop, I have a user who has their shares turned off and I can't connect to their registry or services, etc. I am an admin and this user is abusing some privileges.
If you use static IPs, or keep the same DHCP address for an extended period of time, you can just run WinDump with -n -w <filename> and his IP address to trap everything he does.
Or you could install a keyboard sniffer on his machine.
But if you are the admin, how has he locked you out of his registry?
First of all, do you have a published desktop usage policy? If you do, and he's in violation of it, go ahead and take action.
Second, sack up man! Call a meeting with your boss and his boss, and lay out the facts. He's doing something suspicious and is in clear violation of corporate policy. Confiscate his machine and take it back at your leisure. As long as you notify management beforehand, and your actions are in the best interest of protecting the company, you are pretty clear to act.
We have a corporate policy that clearly states that these kinds of actions are a violation of corporate PC desktop security policy and any violation is punishable up to and including termination. You don't have to be a butt about it, but you do have to take action. I have seen things like this that have put companies at legal risk and resulted in huge financial impact.
I was once called in to hack into an employee's PC. He had locked it up and passworded it and no one could get in. He was the only one that had access to a number of systems (this is back in the days of MSDOS and IBM PC-ATs). His managers asked him to cross train others as backup, but he always claimed he was too busy. When I got in, I found some BAT files called things like "f**ky*u.BAT" and other obscenities. Each one either deleted a production database or formatted a critical hard disk. There was no reason for these to be there. When asked, he said these were for maintenance and testing purposes. He was escorted out immediately.
I'm not saying that your guy is like this, but if he's locking out normal OA admin functions, then ANYTHING is possible.
This user is a high level mgmt. member and I can't really confront him. Believe me, I'd love to do this but in reality it's not gonna happen. This user 'manages' an accounting system and has an admin id.
Looking for ways to create his admin shares without him knowing.
It's time to break out the social engineering skills. =) Go to the higher level manager than him and confront him with your evidence and your concerns and ask for advice on how to handle the situation. If the company says no worries then hey, they pay you to not worry about it.
The next option is to put this guy high up on the queue for a brand new PC, and secure it like it was your daughter about to go out on prom night.
Try using an agentless auditing software like SecurityExpressions. You can then audit his workstation without installing any software on his machine - everything from registry keys, users/groups, permissions, rights, passwords, patch management, identify unauthorized software including those with back doors, delete unlicensed or unauthorized software, identify unauthorized access hardware (modems, wireless access points), etc.
I've personally used Pedestal Software SecurityExpressions and I've been impressed by its performance. You can download a full working version from the web and see if it meets your needs.
If his IP is in a DHCP range, then make a reservation on it. If it's static then just start monitoring where he goes via FW logs or proxy logs. If you have a proxy server with 3rd-party software that will put together reports, then you can show how much time he is wasting and how many dollars he is wasting. Once these reports get to HR, he'll have a rough time backpedaling. Unless he's the owner, then it's his money. Most companies don't care what a person's position is; if they're wasting more money than they're worth, they're gone. Also, you can always make certain changes (i.e. IP address schemes, routing, desktop policies, etc.) that'll affect his (since you can't remotely access his, it can't be changed); therefore he'll need to call the Support Desk and you log it into an incident report.
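The per-client proxy report suggested above, as an added example that is not code from any poster: it parses Squid-style native access.log lines (constructed sample data, not real traffic) and totals requests, bytes, distinct active minutes and top destination hosts for one client IP.

```python
"""Summarise Squid-style proxy access logs for one client IP.

Assumes the native Squid access.log layout:
  unix_time elapsed_ms client code/status bytes method url user hier type
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines (not real traffic); 10.0.0.42 is the client of interest.
SAMPLE_LOG = """\
1033000000.100 120 10.0.0.42 TCP_MISS/200 15342 GET http://news.example.com/index.html - DIRECT/192.0.2.10 text/html
1033000010.200 90 10.0.0.42 TCP_HIT/200 2048 GET http://news.example.com/style.css - NONE/- text/css
1033000100.300 500 10.0.0.42 TCP_MISS/200 1048576 GET http://files.example.net/big.zip - DIRECT/192.0.2.20 application/zip
1033000200.400 80 10.0.0.7 TCP_MISS/200 512 GET http://intranet.example.com/ - DIRECT/10.0.0.1 text/html
1033003700.500 200 10.0.0.42 TCP_MISS/200 4096 GET http://news.example.com/sports - DIRECT/192.0.2.10 text/html
"""


def summarize(log_text, client_ip):
    """Return requests, bytes, active minutes and top hosts for client_ip."""
    requests = 0
    total_bytes = 0
    active_minutes = set()          # distinct wall-clock minutes with traffic
    hosts = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2] != client_ip:
            continue                # malformed line or a different client
        ts, size, url = float(fields[0]), int(fields[4]), fields[6]
        requests += 1
        total_bytes += size
        active_minutes.add(int(ts // 60))
        hosts[urlsplit(url).hostname or url] += 1
    top = sorted(hosts.items(), key=lambda kv: (-kv[1], kv[0]))[:5]
    return {"requests": requests, "bytes": total_bytes,
            "active_minutes": len(active_minutes), "top_hosts": top}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "10.0.0.42"))
```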