We believe we have a rogue admin ( works 1 hours/plays 7) 1

[croag]

We've got a rogue admin who likes to remote into one of the servers here and monitor the employee usage of the internet in real time by watching the surf control software (talk about a waste of time). My question is, how do we set up some kind of event log or tracing on that system to find out exactly how much time this person is using the program..(say, c:\programfiles\program.exe). We'd like to do this using windows event logs. Our goal here is to see how much time he is using up by looking at this data in "program.exe" via logging on using Terminal Services. Your thoughts/posts/solutions are GREATLY appreciated.

Thanks!

 

[mattjurado]

1. Is this an employee or an outside consultant?

2. Why is he/she watching web activity of users? Is there a real benefit of what he/she is doing, or was this requested of your admin?

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.

 

[croag]

Thanks for much for your reply:


Here are the answers

1.) This is an employee

2.) His direct manager has come to me expressing these concerns and asking help in resolving via the request above. I told him that I'd have to turn to tech tips as I have excited the technical track in IT for more of a business/IT role. The person in question is the site admin and apparently, according to his boss, there is no reason why this person should be watching web activity of users. No one requested it, infact, we have the program in place simply for auditing purposes - not for the Admins (or any other employee) to "watch".

Any suggestions?

Thanks!

 

[mattjurado]

Then why is he doing the activity? If you have a program already tracking web surfing, and there aren't problems being generated by your staff that would be giving him reason to monitor manually, then he's really spying on your staff. I wouldn't be looking to monitor his activities, I would simply tell him to stop the activity or find a new job. The reality is, his manager should be telling him this. No reason to look for an exotic solution to monitor your admin, if you know he's doing these activities, then that's that.



Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.

 

[mattjurado]

If you really want to pursue this, you could enable auditing on the server. Here is a good article to get started, perhaps you want to audit logon events, and process tracking.

http://www.comptechdoc.org/os/windows/win2k/win2kauditing.html

Note this will use some resources.

Matt J.

Please always take the time to backup any and all data before performing any actions suggested for ANY problem, regardless of how minor a change it might seem. Also test the backup to make sure it is intact.

 

[croag]

Thank you for your reply. I completely agree with your conclusion. The reality of the matter is that, in our industry and our organization's standards clearly state that management requires documented proof of discretions. Also, his manager has told him to stop yet, people have come to me and asked why he continues to do this...His mananager's manager has empowered me to perform this operation under the descretion of his manager,...sounds to me like the top management is testing both the employee and his boss. phew... Thanks

 

[Davetoo]

Install a remote viewer on the suspected admins system, then remotely view what he's remotely viewing.

There's a program out there that can be installed remotely and run as a service so the admin, unless he looks for it, won't know you're doing it.

Unfortunately, I cannot recall the name of the program. If I remember, I'll post back.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.

 

[benzgc]

I think that lander215 is talking about realVNC its free to download. the only thinig is that you have to install it on his pc when he is not there and if he is smart he will see it on his taskbar the good thing is that if he is not constantly looking at it he will not notice that the icon goes black when you are monitoring him.

 

[Live2Die]

You can set up RealVNC so that all you do is see what he is doing and no other interaction will take place, no mouse movement or anything. I would suggest, if you go this route, that you have either HIS manager or the top level manager, who ordered the monitoring, to be present when you actuall log on to his machine.


Life is a mind game
Wanna Play?

 

[Davetoo]

No, VNC leaves tracks...dangit...wish I could remember the name of the other one. Totally silent install remotely and no tracks are visible on the local machine...it's one reason they won't let me use it here because I could use it and nobody would ever know I was watching...

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.

 

[Live2Die]

There is a prog called Spy Anywhere Stealkth Edition

http://www.computer-monitoring.com/anywherestealth.htm

chek it out...its similar to what lander215 is talking no trace of an install

Life is a mind game
Wanna Play?

 

[porkchopexpress]

Alt you could use Gencontrol it's based on VNC but it completely uninstalls when you stop viewing the remote computer.

http://www.gensortium.com/products/gencontrol.html

 

[markdmac]

If this guy is using terminal services to access the program, you can natively monitor his session via Terminal Services manager without the need to install other software.

I hope you find this post helpful.

Regards,

Mark

 

[Tightpants]

I agree with mattjurado.

It sounds like this admin's boss is trying to find an IT solution to a personnel problem he should be dealing with. A classic case of trying to avoid the real issue.

 

[GlenJohnson]

You've got more patience than me. I'd use the ts manager, and whenever the rogue signed on, I'd give him a few minutes then disconnect his session. Do this to him till he starts complaining about his connection, then ask him what he's doing with it.

Glen A. Johnson
If you're from the Illinois, Wisconsin or Florida area, check out Tek-Tips in Chicago IL
To get the best answers to your questions, check out faq950-5848

 

[markdmac]

Nice thing about using TS manager is you can configure it to not need client permission to shadow.

I hope you find this post helpful.

Regards,

Mark

 

[rislejay]

It sounds like this admin's boss is trying to find an IT solution to a personnel problem he should be dealing with. A classic case of trying to avoid the real issue.

I don't think this is the case. If he needs to take administrative action he needs solid proof and not speculation.

 

[Tightpants]

Sorry if it sounds a little simplistic. His manager knows what he is doing so he doesn't need proof. Covert monitoring is hardly going to enthuse an employee when they find out. How about talking to the guy to find out what he is up to, and give him something productive to do in the meantime so he doesn't have time to sit around watching surf control software in action.

Computers need people in order to make them useful.

 

[rislejay]

Just because you know something does not mean you can prove it.

My opinion is coming from a regulated background. Employees must sign a computer use agreement with spells out that they have no or limited privacy rights when using the company's equipment. It goes further to say that an employee's actions can be monitored.

Maybe it is time for them the spell out what is considered unacceptable usage and that they have the right to monitor what an employee does. I would rather see them take a safe approach and protect themselves from future legal problems.