-
January 30th, 2009, 08:54 AM
#1
Member
Monitoring changes in windows environment
Hi All,
Does anyone know how you can monitor changes being made on a windows box? Software installations, registry changes, network setting changes, etc.
I need to find something that can tell me when User X changes the TCP/IP settings or when he installed/uninstalled software and what it was that he installed.
The machines are networked but not on a Domain Controller or part of an Active Directory structure. Currently ALL users have FULL access to the machines as this is how it was requested but someone keeps making changes to the darn stuff which makes it difficult for me to track who and what was done.
Anything out there?
Thanks
.....I rather not say....
-
January 30th, 2009, 10:45 AM
#2
Do the users actually log on as themselves, or do they use some general account? Obviously they have full admin rights it would seem?
I would recommend that the only software that you require is a word processor to update your CV.
What you are describing is total anarchy and effectively "mission impossible".
Unless your organisation is prepared to embrace the concept of "least enablement" there really isn't much you can do.
I do not think that attempting to introduce some sort of "blame culture" is in any way an acceptable solution.
Either you are in charge or you are not?............. look to your CV mate.
I have seen your situation before and never seen any good come out of it.
EDIT:
I need to find something that can tell me when User X changes the TCP/IP settings or when he installed/uninstalled software and what it was that he installed.
If they have the power to do that, they also have the power to cover their tracks, or worse still, make it look like someone else did it.
Last edited by nihil; January 30th, 2009 at 10:51 AM.
-
January 30th, 2009, 10:52 AM
#3
Hmm, get them on a DC and put up some policies - lolz, sounds worse than my office :/
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
January 30th, 2009, 11:53 AM
#4
The worst situations I have seen are where you have to take over administration or support in an environment where you have reasonably computer literate users who are at a senior management level (although they might not be managers, just expensive tekkies) and have been used to full admin rights.
The only way to rectify the situation is to have the support of management at the Director/Vice President level.
Generally there are only two ways to get that:
1. Reducing support costs.
2. Regulatory compliance/security.
The only positive side is that there is no way you will be outsourced, because no-one would take it on.
One possible ploy would be to recommend an external security and efficiency audit. Management seem to place much more value on the opinions of outsiders than they do on those of their own professional staff.
Last edited by nihil; January 30th, 2009 at 12:00 PM.
-
January 30th, 2009, 12:47 PM
#5
Member
nihil .... your arguments in both posts are well put and I could not have said it better myself.
However, the problem here is that the client requires the users to have full access to their workstations in the event that apps need to be installed and I am not able to do so. In most cases I can do this remotely but there is always that odd chance that I am not able to.
I am the outsourced IT dude and I have the task of ensuring that things run smoothly at the client. It makes my job a nightmare as I don't have the control I really want to manage this network effectively.
I have tried discussing this before but just the fact that admin rights are required this is always where the discussion comes to an abrupt end.
I would like to know how I can "subtly" propose a more secure solution.
I have managed to secure the router and wifi he has with some resistance but I showed him how easy it was for me to hack it from the neighbour's place and sniff the traffic leaving his network for the net.
This guy has been my client for about 12yrs now and is responsible for the bulk of my income. I am looking to perhaps have a situation where the user has "superuser/power user" access which allows him to install but not uninstall and no access to change any windows settings.
Cider - There is no need for a DC...too much work...too expensive and not needed. Client wants a "keep it simple stupid (KISS)" environment. I would love to have an AD with roaming profiles .....gives me more control ...but it ain't gonna happen
Moving along....back to the drawing board... 
I came across this application - Security Administrator. Anyone know / heard of it?
http://www.filesland.com/companies/I...nistrator.html
.....I rather not say....
-
January 30th, 2009, 03:39 PM
#6
How many computers are we talking here???
Cider - There is no need for a DC...too much work...too expensive and not needed. Client wants a "keep it simple stupid (KISS)" environment. I would love to have an AD with roaming profiles .....gives me more control ...but it ain't gonna happen
Have you done a cost analysis comparing the cost of support versus a server...with centralized files\storage\mail and backup....or the cost of the downtime due to all this fiddling???
The MS Small Business Server is not expensive
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
January 30th, 2009, 10:11 PM
#7
Hi Brad,
Firstly let me offer you my heartfelt sympathies, in fact that probably should read empathies.
This guy has been my client for about 12yrs now and is responsible for the bulk of my income.
Ah! that bit I did not appreciate, hence the apparent stupidity of my earlier responses. I would regard you as a "consultant" rather than an outsource.
A few more questions:
1. Are all these computers on the same site?
2. Where is/are the server/s?
3. Is there anyone who is really computer literate onsite(s)?
I know that they all think that they are the cat's pajamas when it comes to IT, but is there anyone who might be able to hack it for real?
I would suggest looking for a few "trusties", and allow them rights, whilst removing them from the others. If it is a single site or discrete sites that should work? I hope we are mostly talking desktops here?
The first thing I would go for is to secure your server(s). They should only be accessible by you and one other "trusty" (in case someone buys me a Musgrave and a ticket to Cape Town).
My point is that if you assign responsibility you drive a wedge between the little anarchists? And politically it is a very good move, because you make selected people feel "special".
Your client feels that all eventualities are being covered, and at least you would have regained partial control?
Please give me the additional information I have requested and I feel that we can move forwards?
Cheers,
P.S. Please remember that I am from England............ the guys who brought you the Boer War
-
February 2nd, 2009, 07:05 AM
#8
Another capetonian, how absurd!
Brad, what company is that so I can hack it
The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
Albert Einstein
-
February 2nd, 2009, 08:59 AM
#9
What I didn't mention is that I have used the create a local superuser approach in the past and it works.
If you cannot do something remotely you can talk them through things over the phone. Also you don't need to monitor who is making changes because you already know?