
Key logger for windows terminal server / monitoring

rsutoratosu

Platinum Member
So there is a guy that is potentially going to be fired soon. We think he's leaking reports, i.e. sending company reports to himself and from his Gmail/personal email out to another broker.

Usually we use a hardware key logger but this guy is remote and on 2008 r2 terminal server.

I haven't used a software key logger since W9x, but it seems like all the newer ones get flagged by AV.

Anyone have recommendations or suggestions on what you have used?
http://www.spectorsoft.com/


Normally I'd say we block Gmail etc., but they seem to want to catch him in the act, so we need something to log off a server without throwing "u have a key logger installed" to the AV.
 
There are some watchdog apps like Refog that work on TS...lets you do stuff like keylogging & periodic screenshots:

http://www.refog.com/terminal-monitor/

My boss used something like this a few years ago...had a dude working the first & last hour for our biz, then doing side work for the middle 6 hours. Hard to argue with HR when you're presented with timestamped screenshots 😛

Just make sure a monitoring notice is in your employee handbook for legal CYA purposes.
 
In addition to what has been said... you can do this.
Why don't you enable audit logging?
https://technet.microsoft.com/en-us/library/cc772215.aspx

If you want more "evidence", then enable packet capturing.
http://blogs.technet.com/b/yongrhee...s-server-2008-r2-and-windows-server-2012.aspx
That will grab everything going to/from them. Store the file someplace safe that they don't have access to.

Where would you want the keylogger installed anyway, on the server? That seems less than desirable for multiple reasons.
 
You need the keylogger to capture keystrokes. A packet capture won't capture much out of an RDP session which is already encrypted, let alone email over https.
 
A keylogger isn't necessarily going to do much here either. If he's copy/pasting or dragging and dropping documents, all you're going to prove is that he logged into his personal email on company time.

What you need is actual watchdog software that records or takes screenshots of what's being done on the VM/workstation.
 
Or document access tracking as to what he accessed and when.
If he does not need to access the documents, then it shows that there is a problem.

However, it is best to just cut off access if one is concerned with theft.
 
The key logger would be for, say, he opens the browser, goes to gmail.com and sends an attachment. I used an old key logger before and it shows browser and click actions, i.e.

Open IE
Log in
Type in email address
Type in password
Click compose
Type in email address
Click attach
Click file <file paths>

I'm assuming some of the newer key loggers, etc. can do it better.
 