January 22nd, 2002, 06:58 PM
This is a serious matter, I am asking for assistance.
1. A 'user' loads MSN Messenger and sends confidential company information
to a 'friend'.
2. Have tried blocking MSN's port 1863, but it then uses HTTP proxy port
(thanks MS !!) Then tried blocking all the MSN IPs, but it still goes through.
3. Tried 5 different keyloggers, but A/V keeps picking them up.
4. Have put a sniffer on the user's IP, but the buffer fills up. And not knowing
what day the messages will be sent.......
5. Blocked the IP address at the router, but the user goes to another computer.
6. Installed MS 2000 Professional on sensitive computers.
All systems are Windows based (and I'm not strong in Linux)
January 22nd, 2002, 07:08 PM
Report this person to HR and have them fired.
Living life one line of error free code at a time.
January 22nd, 2002, 07:12 PM
Lock the user's account from authentication onto the domain for starters.
Next, go around and make sure they can't install any third-party programs (2000 and NT both have that ability).
Get proof that they've had transactions sent (by default, messengers log to a file somewhere).
Wait for the user to try to log in and nail them when they come looking for access with the proof in hand from their repeated transactions on multiple machines and get them for the following:
1: installing and using non-approved software on company machines.
2: transmission of confidential and proprietary information to outside parties.
3: repeated violations of 1 and 2 when measures were taken to block this communication.
That's enough to warrant someone being fired and have a bad mark on their referral list. If none of those work, wait out in the parking lot with security and have them have "an accident". *he he he*
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
January 22nd, 2002, 07:24 PM
Can't 'fire' them without the proof.
Wish I could lock them out of the domain; but their job depends on them seeing 'some'
information. (they are locked out of sensitive material....as is everyone except management)
Implementing Logon policies would cause others to have problems.
Can't stop them from overhearing information.
Vorlin; I agree with you 100 percent. There are written policies in place prohibiting loading software of any sort, and using 'chat' type programs, and xxx websites, etc.
MS Messenger has the ability of NOT logging its files. (dammit) Otherwise we would just
Have to prove they download it, install it, use it, then remove it again.
Bit of a conundrum
January 22nd, 2002, 07:25 PM
Well, first off, if you're using Win 2000 Pro and this person has an ID or user name, there are lots of options. Just give the guy guest privileges on the workstations and/or server and deny access to the internet. Just giving him guest privileges will make him unable to load or download a program to the machine. Tada, no MSN Messenger.
January 22nd, 2002, 07:46 PM
Can you configure your Firewall to log ALL inbound and outbound activity from this user (or IP)?
January 22nd, 2002, 07:54 PM
Our firewall is NAT, and configured to log all inbound/outbound connections.
MSN packets only show the Router/firewall address, and not the internal IP.
Seems all Chat programs do that.
I'm thinking of installing a WinProxy server, and cascading to the Router.
Its logging feature is pathetic, but maybe with a sniffer I may be able
to pinpoint the offending internal IP.
January 22nd, 2002, 08:07 PM
By the sounds of it, a sniffer might be your only option.
Sorry, can't help more, if I think of anything else, I'll get back to you.
January 22nd, 2002, 08:13 PM
If you are running a w2k network you can give him extremely detailed privileges via the ACE.
--ssshhh, be vewry, vewry quiet...
January 22nd, 2002, 08:26 PM
For $99 bucks I could send you a hardware keylogger that records all the keystrokes typed into the device. Depending on model, it could hold 64kb or 128kb. But hey, this would be illegal wouldn't it?
I'm not in that kind of business anymore....