Advice needed please

grey fox · April 2006

Hi Everybody

Okay here is the scenario...

Recently I busted one of our employees for surfing inappropriate material at work. I know he has a partner in 'crime', but I suspect that this person is using some sort of eraser program because his internet cache, cookies and index file are completely clean; I may be wrong about this hopefully someone will correct me, but I thought that the index.dat file within 'Temporary Internet Files' was almost like a permanent record of a persons surfing habit.

In light of the above, the question that came to me is, is it possible to define NTFS permissions on the 'Local Settings' folder in such a way as to disallow the user from deleting files from it in the same way that you can with 'normal' user files/folders. I know that there are utilities out there that could possibly help with what I need, but in order to purchase stuff I have to go through an ordering process (I work for a charity).

I hope this is not a stupid question.

Thanks in advance.

RussS · April 2006

The index.dat can be deleted too.

kevozz · April 2006

You can erase the index.dat very easily if your on a different profile than the one being erased.

seuss_ssues · April 2006

Surely you have some type of logging enabled where you acheive "point of presence" to the internet.

Just filter the logs based on web traffic and his IP address.

Gogousa · April 2006

Are you working under a domain, If you are, you can block everything with a group policy.

Megadeth4168 · April 2006

We use software on our Proxy server to record where everyone goes on the internet.... This can be done 2 ways... By IP Address (All static here) or by Active Directory login.

We had considered using a RADIUS for some of the same things.

Things are much easier if you are working in a domain enviroment... If not then you may have to go to every machine and set permissions.

Judd · April 2006

grey fox wrote:

Recently I busted one of our employees for surfing inappropriate material at work.

Here's a thought, if you don't have an acceptable use policy, or the acceptable use policy doesn't explicitly say what "inappropriate material" is, all the evidence you get from this persons computer won't matter because the user can claim ignorance of the policy.

If you do have this in the policy, it should define what action will be taken against the user if found viewing inappropriate material. If you don't have it stated in the policy that you can monitor users activity then you don't have much to go on, and again finding evidence won't really matter.

P.S. Look in the DNS cache, I've used this one many times and regular users rarely purge this.

ipconfig /displaydns

grey fox · April 2006

Hi Everyone

Thanks for the replies and suggestions.

To be honest, now that I have been able to think things over, I think trying to go after this person would be a waste of effort, so I have decided to let sleeping dogs lie. I think I was losing sight of the bigger picture because this person looked me straight in the eye and lied to me, and I let it get to me. Besides which I have been told that this person is scared of me and has been giving me a wide berth all week

On a positive note, I have been given a budget to implement content filtering. At the moment I am trying out a 1 month free trial through the manufacturers of my firewall, and it seems to be quite effective. It allows you to black list criteria and any sites that fall under these criteria are blocked and logged for inspection. We will see how this performs and take it from there.

If anybody is interested this is the link for the people who actually provide the service http://www.bluecoat.com/

Thanks once again for all your replies.

Advice needed please

Comments