Key logger for windows terminal server / monitoring

rsutoratosu

Platinum Member
Feb 18, 2011
2,716
4
81
So there is a guy that is potentially going to be fired soon... we think he's leaking reports, i.e. sending company reports to himself and then from his Gmail/personal email out to another broker.

Usually we use a hardware key logger, but this guy is remote and on a 2008 R2 terminal server.

I haven't used a software key logger since Win9x, but it seems like all the newer ones get flagged by AV...

Anyone have recommendations or suggestions on what you have used?
http://www.spectorsoft.com/


Normally I say we block Gmail/etc., but they seem to want to catch him in the act, so I need something that logs off a server without the AV throwing "you have a key logger installed".
 

Kaido

Elite Member & Kitchen Overlord
Feb 14, 2004
50,071
6,345
136
There are some watchdog apps like Refog that work on TS... they let you do stuff like keylogging & periodic screenshots:

http://www.refog.com/terminal-monitor/

My boss used something like this a few years ago... had a dude working the first & last hour for our biz, then doing side work for the middle 6 hours. Hard to argue with HR when you're presented with timestamped screenshots :p

Just make sure a monitoring notice is in your employee handbook for legal CYA purposes.
 

Elixer

Lifer
May 7, 2002
10,371
762
126
So there is a guy that is potentially going to be fired soon... we think he's leaking reports, i.e. sending company reports to himself and then from his Gmail/personal email out to another broker.

Usually we use a hardware key logger, but this guy is remote and on a 2008 R2 terminal server.

I haven't used a software key logger since Win9x, but it seems like all the newer ones get flagged by AV...
In addition to what has been said... you can do this.
Why don't you enable audit logging?
https://technet.microsoft.com/en-us/library/cc772215.aspx

If you want more "evidence", then enable packet capturing.
http://blogs.technet.com/b/yongrhee...s-server-2008-r2-and-windows-server-2012.aspx
That will grab everything going to/from them; store the file someplace safe where they don't have access to it.

Where would you want the keylogger installed anyway, on the server? That seems less than desirable for multiple reasons.
 

yinan

Golden Member
Jan 12, 2007
1,801
2
71
You need the keylogger to capture keystrokes. A packet capture won't capture much out of an RDP session which is already encrypted, let alone email over https.
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
A keylogger isn't necessarily going to do much here either. If he's copy/pasting or dragging and dropping documents, all you're going to prove is that he logged into his personal email on company time.

What you need is actual watchdog software that records or takes screenshots of what's being done on the VM/workstation.
 

cabri

Diamond Member
Nov 3, 2012
3,616
1
81
A keylogger isn't necessarily going to do much here either. If he's copy/pasting or dragging and dropping documents, all you're going to prove is that he logged into his personal email on company time.

What you need is actual watchdog software that records or takes screenshots of what's being done on the VM/workstation.

Or document access tracking, as to what he accessed and when.
If he does not need to access the documents, then it shows that there is a problem.

However, it is best to just cut off access if one is concerned with theft.
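An added example (not from any poster in this thread) of the audit-logging and document-access-tracking approach Elixer and cabri describe: PowerShell run elevated on the terminal server to audit who opens which report and when, then to pull those events from the Security log. The share path C:\Shares\Reports and the user name jdoe are hypothetical placeholders.

```powershell
# Added example: file-access auditing on the reports share via the Security log.
# Assumptions (placeholders): reports live in C:\Shares\Reports, user of interest is 'jdoe'.
# Must run in an elevated PowerShell session (SACL changes need SeSecurityPrivilege).

# 1. Turn on the "File System" object-access audit subcategory (success + failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry so reads, writes and deletes by anyone are audited,
#    inherited by subfolders and files under the share.
$path = 'C:\Shares\Reports'
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData,WriteData,Delete',
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Later: pull 4663 (object access) events, flatten the EventData fields,
#    and list what the user touched under the share, in time order.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $d.SubjectUserName
            Object  = $d.ObjectName
            Access  = $d.AccessMask
            Process = $d.ProcessName
        }
    } |
    Where-Object { $_.User -eq 'jdoe' -and $_.Object -like "$path*" } |
    Sort-Object Time |
    Format-Table -AutoSize
```

The Process column shows which program opened the file (e.g. a browser uploading an attachment versus Word), which is the distinction between normal use and the copy/paste or drag-and-drop case Mushkins raises.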
 

Elixer

Lifer
May 7, 2002
10,371
762
126
You need the keylogger to capture keystrokes. A packet capture won't capture much out of an RDP session which is already encrypted, let alone email over https.

D'oh...right, forgot that was encrypted.
 

rsutoratosu

Platinum Member
Feb 18, 2011
2,716
4
81
The key logger would be for, say, when he opens a browser, goes to gmail.com and sends an attachment. I used an old key logger before and it shows browser and click actions, i.e.:

Open IE
Log in
Type in email address
Type in password
Click compose
Type in email address
Click attach
Click file <file paths>

I'm assuming some of the newer key loggers, etc. can do it better.