Use auditing to track who deleted your files

I had a reader write me a few days ago:

...I'm in a school environment and a student has deleted some files and I would like to know how I can do this in Win2k server to catch this sucker. Please advise and more power to you.

This can be accomplished through auditing. Let's start by identifying the folder we want to watch. Be careful where you turn on auditing: turn it on for too many folders with too many options and you can have huge performance issues.

We find the folder we want, right click on it, and go to Properties.

Audit For Deleted Files Properties

This will bring up the properties page for the folder. Move over to the security tab, and click on the advanced button:

Audit For Deleted Files Properties Page

The advanced page will appear. Click on the Auditing tab, and click the add button:

Audit For Deleted Files Advanced

A user dialog will come up. I chose to put the "Everyone" group here. This allows me to audit for any possible user account that may be deleting files. If you think you know who it might be...you could put those users here instead. The smaller window of users being audited means better performance.

Audit for Deleted Files User Selection

Once you click OK, a selection box will be displayed. Again, choose only the options you need. Each additional option will reduce performance. Here I just pick the options to audit deleting files and folders:

Audit For Deleted Files Event Selection

Click OK through all of the windows you have open. If a user deletes a file or folder Windows will write an event to the security log.

Now. We have our auditing turned on, and you get to work one morning and find that files are missing. Simply open the event viewer and move over to the security log. Look for the event ID 560:

Audit For Deleted Files Security Event 560

Double click on the event, and you will need to sit there and read it for a little bit to determine who did what. Here is an excerpt from mine (I copied the text from Event Viewer to Notepad for easier reading):

Audit For Deleted Files Security Event 560 View

We can see from this log entry that the user Administrator deleted the file setuperr.log.

Now when someone deletes a file, you will have no problem determining who did it.
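
Reading event 560 text by hand gets tedious once there are more than a few entries. The script below is an added example, not part of the original post: it takes event descriptions pasted out of Event Viewer and lists who opened which object with DELETE access. The sample text, its abbreviated field list, the paths and the user jsmith are constructed for illustration.

```python
import re

# Constructed sample: description text of two event ID 560 entries, abbreviated.
# Field names follow the usual 560 layout (an assumption); values are made up.
SAMPLE = """\
Object Open:
    Object Type: File
    Object Name: D:\\Shared\\setuperr.log
    Client User Name: Administrator
    Client Domain: SCHOOL
    Accesses: DELETE
              ReadAttributes
    Privileges: -

Object Open:
    Object Type: File
    Object Name: D:\\Shared\\grades.xls
    Client User Name: jsmith
    Client Domain: SCHOOL
    Accesses: READ_CONTROL
              ReadData (or ListDirectory)
    Privileges: -
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_560(text):
    """Split pasted text into events; return one dict of fields per event."""
    events = []
    for block in re.split(r"(?m)^Object Open:[ \t]*$", text):
        fields, last = {}, None
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                last = m.group(1).strip()
                fields[last] = m.group(2).strip()
            elif line.strip() and last == "Accesses":
                # Continuation line: one more access right for this event.
                fields[last] += "\n" + line.strip()
        if fields:
            events.append(fields)
    return events

def delete_opens(text):
    """Return (DOMAIN\\user, object name) for events whose Accesses list DELETE."""
    return [(ev["Client Domain"] + "\\" + ev["Client User Name"], ev["Object Name"])
            for ev in parse_560(text)
            if "DELETE" in ev.get("Accesses", "").split("\n")]
```

Event 560 records an object being opened along with the accesses requested, so DELETE in the Accesses list is the field that separates these entries from ordinary reads.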

If you have a windows administration question, or an idea for a utility please send me an email at support@intelliadmin.com. I can't promise that I will answer every email, but I try to read them all.


Posted By: Steve Wiseman on Friday, March 21, 2008

Check out our utilities for windows

 



IntelliAdmin Remote Control - Status Update

We have been working on the new version of Remote Control LAN edition for quite some time.

Over a year in fact.

For those who have been waiting...it will be worth it.

Before talking about some of the cool features I want to let you know that all current customers will get a free upgrade. This is a big deal. Why? Because when we do release 3.0 we will be raising the price. In addition we may be changing the way we license the product (Possibly per client instead of per administrator). So if you buy now, you will be getting 3.0 for a lot less.

The biggest change will be Vista and 64-bit support. This sounds so simple on the surface, but making our product compatible with Vista has been one of the most challenging programming projects we have ever faced.

I don't want to get too technical, but let's take an example...

To grab changes on the screen we need a special DLL called a 'hook'. This hook DLL allows the agent to see any graphical changes, and then send them back to the client. To make all of this work the hook uses a shared piece of memory. This shared memory *must* be accessible to all processes on the system.

Well, for quite some time we fought with our hook in Vista. Why? Because every time Internet Explorer was launched our hook would crash (Sometimes taking the system with it). Finally we determined that IE was now launched in a special restricted mode, and if you wanted it to access your shared memory you needed to explicitly allow these types of processes to access it.

This would have been easy to discover if Microsoft had properly documented this - but it was very hard to find. Worse yet the API calls needed could not compile with the current version of Visual Studio (Well after Vista had been released). With a little luck and lots of research we finally got the hook to work.

As you can imagine, this is the tip of the iceberg. I could fill over 100 pages describing the enormous changes needed to make it not only compatible with Vista, but work well with Vista.

We are still getting all of the ends tied up, and I have a rough estimate of about 2 months before we release our first beta. It might be less time than that, but I want to give our team breathing room so they concentrate on quality and not race to finish.

With that said, let's start looking at some of the features in the new version.

Request access before connecting:

We have a flood of email asking for this. Essentially it allows the end user to have a choice when you connect. They are asked for their permission before you can control their computer. I believe in some areas this is a regulatory requirement (Like being notified that your phone conversation is being recorded).

We wanted it to be clear when permission was asked. So what 3.0 does is darken the current desktop, and display a request form like this:

IntelliAdmin 3.0 Request Access

Now, even this feature gave us some heartburn. We wanted this to be shown even if the user had not logged in yet...and it does do that (This was not easy to accomplish). No matter where the user is at, they will be prompted for access.

Seamless operation during a UAC prompt:

If you have not used Vista before, you might not know what I am talking about. Essentially a UAC prompt is popped up each time you try to do something that requires administrative access. It looks something like this:

IntelliAdmin 3.0 VNC UAC

What's the big deal here? Well, the big deal is that most remote control software out there will choke when this prompt comes up. RealVNC will just disconnect you. UltraVNC has this wacky disconnect and reconnect feature, but very few remote control solutions have an elegant solution that allows seamless operation before, during, and after a UAC prompt. We have accomplished this in 3.0.

Support for Group Policy, and Windows User accounts:

Currently you simply need an administrator account. Now this will always be true if you want to automatically install the agent over your LAN. What if you wanted to install the agent yourself, and grant all users that are a member of the "Remote Administrators" group "View Only" access? This is all possible in 3.0. In addition, we will make available a group policy template that will allow you to deploy, and manage permissions of agents across your network.

Let's start looking at some screen shots of the software :)

Multi-User permissions

There are three types of accounts available in the new version.

1. Windows users and groups - These are domain, or local accounts that are granted access to the agent

2. Standard username and password - These are username and password combinations created by you, but do not require any interaction with windows security

3. VNC password accounts - Yes. You read it right, support for VNC client to connect to the agent.

Now with 1 and 2 you get a secure connection with Diffie-Hellman key exchange and 256-bit AES encryption. In addition to that, the client supports the full array of features made available in 3.0.

If the client is VNC, there is no encryption, and limited support for the new features. VNC support has been added for those customers that have non-windows operating systems and need some way to connect. If you do not add a VNC account, the VNC authentication system becomes inactive.

Here is what the form looks like for adding, or updating these user accounts:

IntelliAdmin 3.0 Add User

Each user has their own settings:

IntelliAdmin 3.0 Users and Groups

So for example, you could give windows administrators full access, but standard users 'view only' access.

IP Address Filtering

Out of the box it will allow any IP to connect. Using filtering you could restrict it to a range of IP addresses, or block specific IPs that you have had problems with:

IntelliAdmin 3.0 Filter

Multiple Interfaces Supported

Most of the time you will only need to listen on all interfaces on the same port. If you have custom needs it is possible to listen on more than one port, and on a specific interface:

IntelliAdmin 3.0 Multiple Interfaces

Status Window

This has been requested many times over. Some customers have wanted a constant notification while the administrator is connected. When the status window is turned on, it is displayed in the top right of the screen. If the mouse moves near it, it switches to the left side of the screen. No matter what screen or window the user is on, it will always be displayed. This means even if the workstation is locked, or the user has not even logged in yet, it will be shown (while the administrator is connected).

Here is what it looks like:

IntelliAdmin 3.0 Status Window

Connection Activity

When administrators are connected, it is easy to see who is connected and from what IP address:

IntelliAdmin 3.0 Status

That is all I have for now. If you would like to join the beta program (again...it may be 2 months before you see anything), please send an email to beta@intelliadmin.com with Remote Control LAN as the subject, and you will be added to the beta list.


Posted By: Steve Wiseman on Tuesday, March 18, 2008




Try out the IE 8 Beta

It seems like it was just yesterday that IE 7 was released. Well, the IE 8 beta is now available to the public, and anyone can download and try it out.

IE 8 Logo

I had a chance to download and give it a try. It does have some groundbreaking features. I am not sure if they will take hold or not.

One example is the activity providers. You can right click anywhere within a web page and launch an activity provider:

IE 8 Activity Provides Menu

So for example, I visited our website, right clicked and went to translate. I was brought directly to a translation:

IE 8 Activities Providers Translate

Another interesting feature is in the address bar. It highlights the domain name, so you can clearly see the exact URL you are visiting:

IE 8 Address Bar

This is the first browser Microsoft has released that is standards compliant. This comes at a cost, since not all websites are. For example, when I went to blogger.com some of the buttons were not aligned, and the subject edit box was missing:

IE 8 Some Sites Broken

This can be easily fixed by switching to IE 7 Compatibility mode:

IE 8 Emulate IE 7

It is an interesting release. I suggest checking it out.


Posted By: Steve Wiseman on Friday, March 14, 2008




Copyright © IntelliAdmin, LLC, 2008. All Rights Reserved