Sometimes someone from management asks the system administrator whether it is possible to find out what employees are doing at their workstations, or "advanced" users ask the same system administrator whether it is possible to find out whether their work on the workstation computer is being observed. This article helps to answer these questions.
We have already become used to the task of controlling employees' working hours being solved by video surveillance, which protects the perimeter and premises. When it comes to controlling how employees work on the computing resources of corporate automated data processing systems, perimeter protection becomes less relevant. Here it is necessary to control the actions of authorised users (those who are permitted access to the premises and to the corresponding computing resources). How do they use these resources in performing their official duties?
For example, what share of time does the employee devote purely to official duties, for what purpose and to what extent does the employee use external network tools such as the Internet, what information is sent by e-mail, what information is typed in a text editor and for what purpose, and so on. In many respects this information about the employee allows conclusions to be drawn about loyalty and diligence. Perhaps the employee receives wages for nothing and has long been sabotaging the assigned duties? To solve this whole set of tasks, computer observation of user actions can be implemented in the firm's corporate network. We will consider what it consists of and how it can be implemented, using as examples the development of Joint-Stock Company “Scientific-Production Enterprise “Information technology in business””, “System of operative tracing “The armour” for Windows OS 2000/XP/2003”, and the development of the company “NetworkProfi”, LanAgent.
What is computer observation?
To process information on a computing resource (a computer) and to work with computer resources, the user needs a display resource: the monitor screen. A screen copy is a snapshot (picture) of the user's actions on the computer at a given moment. Given that the overwhelming majority of tasks on a computer cannot be solved without a display resource (monitor screen), control of user actions on the protected objects of the firm's corporate network, as a rule assigned to the security administrator, can be carried out visually by collecting and processing screen copies (pictures). This is the task of computer observation.
General requirements for implementing a computer observation system
When starting to create a computer system for observing user actions, it is first necessary to determine what the requirements for such a system may be. We will try to formulate them:
- The system is implemented for use in a corporate network in which tens or even hundreds of users may work simultaneously, so it may be necessary to control the actions of several users on different computers in the network at the same time. Therefore, first, the computer observation system should have a network architecture and allow the administrator to receive screen copies from the controlled computers on a security server, a separate computer on which the security administrator's automated workplace is implemented. Second, the security administrator's automated workplace should allow screen copies received from several (in the limit, from an unlimited number of) computers to be displayed simultaneously;
- We position the computer observation system as an information protection tool, the basis of which should a priori be the ability to react promptly to recorded critical events. This is possible only when the control is carried out in real time;
- Since in a large-scale corporate network it may be necessary to observe a large number of users simultaneously, which makes it impossible to display screen copies from all their computers at once on the single monitor of the administrator's automated workplace, a mode of automatic collection of screen copies from the specified computers on the security server should be provided, with the possibility of their subsequent review at the administrator's request (an interactive processing mode);
- Screen copies are in themselves fairly large, and collecting them simultaneously from a large number of controlled computers can significantly affect the load on the network backbone; therefore, measures to reduce this effect should be provided.
Such measures include the following:
- There is no need to control all user actions in real time. Usually what is of interest is observation of the user's work with quite specific applications, for example network applications (access to an external network). Therefore one of the conditions for real-time control is the activity of a specific application, or more precisely the activity of the corresponding application window (several applications may be running on the computer at once, but only one application window is active at any time: the window of the application the user is directly interacting with);
- When controlling the user's work with an application, continuous control is generally not needed (such a function may be necessary, but as an exceptional case, which we consider below); it is enough to carry out the control at some time interval. Since this interval can differ considerably between applications, it is advisable to be able to set (change) it in each specific case;
- When incorrect (dangerous) user actions are detected, the administrator may need more detailed control. For this purpose the administrator should be given a tool for selective continuous control of user actions on an individual computer;
- One of the major tasks of a computer observation system is implementing the function of recording users' working hours (collecting usage statistics) on the computer. It should be carried out by collecting and analysing statistics of the user's work with applications, which can be done correctly by collecting and analysing statistics of application window activity.
Implementation of a computer observation system based on the system of operative tracing “The armour”
As an example of an implementation of a computer observation system we will consider “System of operative tracing “The armour” for Windows OS 2000/XP/2003”. The interface of the administrator's automated workplace, implemented on the security server, is shown in figure 1.
|Figure 1 – The interface of the administrator's automated workplace|
The system allows simultaneous real-time control (remote display on the server) of screen copies from any number of computers in the firm's corporate network. This is done in a separate window of the security administrator's automated workplace, see figure 2 (in a sense it resembles video surveillance systems, where various controlled objects are displayed simultaneously in corresponding “squares” on one monitor).
Several screen-copy images from different remote computers (in general any number; everything depends on the monitor of the security server) can be grouped in this window of the program interface, and they are refreshed in real time when a new picture arrives. Open windows can be grouped in various ways, and for each window a viewing mode can be selected: full-scale, or scaled to the size of the program window.
The same window is also used (for those controlled computers) when screen copies are not displayed in real time but are collected automatically on the server for subsequent interactive review by the administrator (on request). On choosing the item “Open a screenshot”, you are offered a choice of image to review (the images are saved in separate directories for different computers, each file stores one screenshot, and the file name contains the time the screenshot was received by the server). Moving between images in a directory is done with the “Page UP” and “Page Down” buttons.
|Figure 2 – The screen-copy display window|
Now a few words about configuring this system.
In the “Screen shots” section of the interface (see figure 3), for the computer selected in the system interface (see figure 1), it is possible to configure the format of screenshots (the format in which pictures are sent to the server, which is also provided to allow the load on the network backbone to be lowered) and also to set the list of processes and/or titles of working windows whose activity triggers screenshot capture (naturally, these and other system settings can be made remotely, from the security server). A screen copy is captured and sent to the server only if the window of the specified process (application), or the window (window title) specified directly in the interface, is active (the user is working directly with the window of the specified application).
To set the interval (period) of screen-copy capture (after capture, the screen copy is sent to the server in real time), and also to set the mode in which copies are captured only when windows of particular processes are active, the interface shown in figure 4 should be used.
|Figure 3 – The “Screen shots” interface|
|Figure 4 – The “Properties” choice|
The system records the user's working hours by collecting and analysing statistics of the activity of processes and applications (more precisely, the activity of the windows corresponding to those processes: several processes can be running on the computer at once, but only one window, the one the user is working with directly, is ever active).
When this control procedure is started, the system records window activity (and changes of the active window) for the whole time the controlled computing resource is in operation (while the administrator keeps the corresponding control procedure active). The display of the audit file of active-window changes is shown in figure 5.
The possibilities for filtering and presenting the collected statistics of employees' working hours on the computing resources of the corporate network are illustrated in figures 6-9.
Using this control subsystem, it is possible to obtain statistics on the user's work with a particular program for a time slice of interest, see figure 6 (all started programs recorded by the system and the corresponding window titles are displayed in the interface, see figure 7, where the program to be controlled can be chosen). The time the user worked with the given program during the set period, and the percentage of the user's working time spent with the given program, are displayed, see figure 6.
|Figure 5 – Display of the system audit file|
|Figure 6 – Display of statistics of the user's work with the selected program|
|Figure 7 – Display of processes|
In addition, the administrator can obtain complete statistics on the user's work on the computer for a set time slice, which is configured from the interface, see figure 6. The time the user worked with each program during the controlled period (only programs that were started are displayed), and the percentage of the user's working time spent with each program, are displayed, see figure 8. The statistics can be displayed as a diagram, see figure 9. A similar analysis can be carried out for each user (for each account) on each controlled computer.
|Figure 8 – Display of statistics of the user's work for the set time slice|
|Figure 9 – Display of statistics of the user's work for the set time slice in the form of a diagram|
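The working-hours calculation described above (time and percentage per program for a chosen time slice, derived from the audit of active-window changes), as an added example that is not code from “The armour” or LanAgent. The tab-separated audit format, the sample lines, the idle marker and the names `parse_audit` and `usage_stats` are assumptions made for illustration; the page does not show the real audit file format.

```python
"""Per-program working-time statistics from an active-window audit log."""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
IDLE = "-"  # assumed marker: no application window is active (lock, logoff)

# Constructed sample audit (assumed format, not a real product's file):
# timestamp <TAB> user <TAB> process <TAB> window title
# Each line means "this window became active at this time".
SAMPLE_AUDIT = """\
2024-03-04 09:00:00\talice\tWINWORD.EXE\tReport.doc - Word
2024-03-04 09:15:00\tbob\tiexplore.exe\tMail - Internet Explorer
2024-03-04 09:40:00\talice\tiexplore.exe\tNews - Internet Explorer
2024-03-04 10:10:00\talice\twinword.exe\tReport.doc - Word
2024-03-04 11:00:00\talice\t-\t(session locked)
2024-03-04 11:30:00\talice\texcel.exe\tBudget.xls - Excel
2024-03-04 12:00:00\talice\t-\t(logoff)
"""


def parse_audit(text):
    """Return time-sorted (timestamp, user, process, title) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, user, process, title = parts
        events.append((datetime.strptime(ts, FMT), user, process.lower(), title))
    events.sort(key=lambda e: e[0])
    return events


def usage_stats(events, user, start, end):
    """Map process -> (active seconds, percent of active time) in [start, end).

    A window stays active until the same user's next event. The last
    event is open-ended, so it is clipped to the end of the time slice.
    Idle periods are excluded from both the totals and the percentages.
    """
    own = [e for e in events if e[1] == user]
    seconds = defaultdict(float)
    for i, (ts, _user, process, _title) in enumerate(own):
        next_ts = own[i + 1][0] if i + 1 < len(own) else end
        lo, hi = max(ts, start), min(next_ts, end)
        if process != IDLE and hi > lo:
            seconds[process] += (hi - lo).total_seconds()
    total = sum(seconds.values())
    ranked = sorted(seconds.items(), key=lambda kv: -kv[1])
    return {p: (s, round(100 * s / total, 1)) for p, s in ranked}


if __name__ == "__main__":
    events = parse_audit(SAMPLE_AUDIT)
    morning = usage_stats(events, "alice",
                          datetime(2024, 3, 4, 9, 0), datetime(2024, 3, 4, 12, 0))
    for process, (secs, pct) in morning.items():
        print(f"{process:15s} {secs / 60:6.0f} min {pct:5.1f}%")
```

Because intervals are clipped to the requested slice, the same audit file answers both the per-program question and the complete per-user breakdown for any period.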
And, very briefly, about the implementation of continuous real-time observation of the user. As noted earlier, this is a rather resource-intensive function, which it is advisable to use when incorrect user actions are detected or when the user's actions need to be controlled continuously. This function is implemented by a separate program.
This program allows the monitor screen of the controlled computer to be displayed on the server remotely, continuously and in real time. To carry out this control, select the controlled computer in the interface (see figure 1) and start the program from the corresponding menu.
As a remark, we note that the system considered also gives the administrator other (rather wide-ranging) capabilities for remote control of user actions and for remote reaction to incorrect user actions (ending/starting a process, locking the current session, prohibiting access to a file object, etc.); however, consideration of these capabilities is beyond the scope of this article.
Monitoring computers in a firm's local area network with LanAgent
Let us start with the fact that LanAgent, being completely invisible (even to what is considered “the advanced user”), tracks the user's actions in full: it records all programs started on a particular computer, intercepts visited sites, watches the contents of the clipboard and takes screenshots. This data is transferred to the administrator's computer and stored in a database unavailable to other users.
Let us consider the functionality of the LanAgent program.
Interception of keystrokes
LanAgent records all keystrokes on the keyboard, which makes it possible to obtain the text typed on it. Special functions of the program that take into account system keys such as Shift, Alt, Ctrl..., and also the recording of the text input language, simplify further processing of this information. The following data are saved: the event time; the title of the window in which the text was typed; the path to the executable file of the program in which the text was typed; the keys pressed and the name of the user who pressed them.
Since version 3.0, it is possible to specify particular programs in which keystrokes will be intercepted. This makes it possible to avoid accidental interception of the user's personal data.
Capturing screenshots
LanAgent saves screenshots of the monitor screen. You can see the same picture that the user saw on the monitor. Pictures are taken both on command from the management part of the program and at a set interval. It is possible to configure the quality of the pictures and the maximum size they may occupy on disk. In addition, it is possible to specify particular programs in which screenshots will be taken.
Monitoring of program start and exit
LanAgent allows you to view the starting and closing of all programs on the controlled computer. The following are recorded: the program window title; the full path to the executable file; the start or closing time; the name of the user who started/closed the program.
LanAgent also allows an analytical report to be generated showing, for each user, the total running time and the active working time in each program.
It should be noted that, since version 3.0, it has been possible to block the starting of certain programs on the user's computer.
Interception of ICQ and Mail.ru Agent messages
Intercepts all ICQ messages from any ICQ clients (ICQ, QIP, Miranda), and also Mail.ru Agent messages. The time the message was sent or received, the message type (incoming or outgoing), the message text, and the UIN (customer address) for ICQ or the contact name for Mail Agent are saved. The LanAgent report wizard allows an analytical report to be generated showing statistics on the user's correspondence with each contact, and also the number of messages violating the established security policies.
Monitoring of the visited sites
LanAgent records all sites visited by the user. The main browsers are supported: Internet Explorer, Opera and Firefox. The following information is saved: the URL, the window title, the time the page was opened. The recording of visited sites does not depend on whether the user clears the browser history. In addition, it is possible to produce an analytical report showing, for each user, statistics on visits to web resources: which addresses were visited and how many times, and also each resource's percentage share of the total number of visits.
Monitoring of media connection and disconnection
The connection and disconnection of media (both portable USB drives and hard disks) are monitored. The following are recorded: the event type (connection or disconnection), the connection or disconnection time, the media type, its file system and serial number, and the volume label. The security specialist can be actively notified of media connection or disconnection.
Shadow copying of files copied to USB media or edited on them
LanAgent can make a shadow copy of files that the user copies to a USB medium or edits on it. The following are recorded: the event type (copying a file to the drive or editing it there), the copying time, the file name, its size and, naturally, the file itself.
With LanAgent you can view the contents of files copied by your employees to removable storage devices.
Control of computer power-on and power-off
LanAgent monitors the times the computer is switched on and off, the user's logon to the system and, correspondingly, logoff from it, and the start of the screen saver. An analytical report on computer operation can be compiled: time switched on, time switched off, time of active work on the computer, and computer idle time (when it is switched on but nobody is working on it).
Interception of documents sent to print
LanAgent allows you to view all documents sent to print. Both local and network printers are supported. The following are recorded: the print time, the name of the printed document, the number of pages in the document; the number of copies; the name of the printer on which the document was printed, and an image of the printed document. The analytical report on printers makes it possible to analyse how many pages each user has printed and on which printer.
LanAgent allows interception of incoming and outgoing letters received/sent by the user by means of any mail client: Outlook, Outlook Express, The Bat... The following are recorded: the time the letter was received or sent, the e-mail address it was sent from and the e-mail address it was sent to, the letter subject, and the letter contents.
Interception of clipboard contents
Records any text copied to the clipboard. The title of the window in which the text was copied is also saved.
File system monitoring
LanAgent records all operations performed on files on the computer: copying, deletion, renaming. File operations are tracked both on fixed disks and on removable USB media.
Installation and removal of programs
With the LanAgent program it is possible to monitor the installation and removal of programs on controlled computers.
Tracking of Internet connections
For Internet connections established directly from the controlled computer (not through a proxy server), LanAgent records the connection and disconnection times and also counts the time spent connected.
The Report wizard
The LanAgent report wizard provides tools for analysing how users spend their working hours over the required period. It is possible to produce both simple reports with the collected data on user activity and unique analytical reports that present information on activity at the computer in a form convenient for review: computer working time and idle time, time of active work in each program, number of visits to web resources, and much more.
Remote installation and removal of agents
LanAgent provides for hidden remote installation of the agent part of the program. Agents can also be uninstalled remotely.
Invisible operating mode of the agent
The program's agents are completely invisible to the standard tools of all operating systems of the Windows family.
High degree of protection against bypassing the monitoring
A user who does not have administrator rights on the computer cannot in any way disable the program to escape observation.
Active notification of violations of the set security policies
When the user violates security policies, an active notification window with the corresponding message appears in the management part of LanAgent (for the Standard version) or on the security specialist's console (for Enterprise).
Let us consider the interface of the LanAgent program.
The program consists of 2 parts: a user part (agent) and an administrator part. The administrator part is installed on the administrator's computer, and agents on users' computers. Agents monitor all user actions on each computer, and the administrator part performs centralised collection of the information over the network (polling of agents) so that the administrator can then view all the data on one computer and produce a report. With the report wizard it is possible to select the users to report on, the period for which to select data, and also the types of logs to include in the report. The report is created in HTML format.
|Figure 10 – The main window of program LanAgent 1.8|
- Keyboard – here there is information on the keys pressed. Recording is kept per program window in which the keys were pressed. The list of windows is in the table, sorted by time. At the bottom of the tab are the window title, the path to the program, the user working with it and, of course, all the keys that user pressed. The program can be configured to show only characters and hide system keys.
- Screenshots – hidden agents can periodically, at the interval set in the settings, take screenshots of the whole screen or of the currently active window (this too is specified in the settings). All pictures taken are saved in the database together with the creation time, the window title and the user name. Thus the owner of the computer only needs to select the record of interest and double-click it to see what was happening on the PC.
- Programs – this tab is for viewing information on who started and closed which programs and when. The screen displays not only the path to the software used but also its window title.
- Clipboard – as data appears in the buffer, information about it is entered in the table. It notes in which window the operation was performed and who performed it. When a record is selected in the table, the buffer contents are displayed at the bottom of the tab. Bear in mind that clipboard contents can be saved partially rather than in full. For this purpose a maximum size for the saved information can be set.
- Files and folders – all changes in the file system are also recorded: creation, deletion and renaming of folders or files. It is possible to watch the whole file system or to specify only a particular folder for monitoring.
- Computer – this tab is for viewing information on who switched the computer on and off and when.
- Connections with the Internet – all moments of connecting to the Internet, and also connection drops, are recorded and presented on this tab. You can also find out through which connection the Internet was accessed.
- Visited web-sites – hidden agents record all sites visited by the user. You can see both the page link and its title.
What can be done with log files besides viewing them directly? You can search them. To do this, the record from which the search will start is selected and the search string is entered. A case-sensitive search mode can be set.
The program allows agent settings to be controlled remotely. The administrator can, without getting up from the computer, tell the agents which user actions to intercept and at what interval to take screenshots. The administrator can also remotely start or stop monitoring, send a text message to the user's computer, etc.
|Figure 11 – Managing the settings of hidden agents|
The administrator part of the program can automatically poll users' computers at a preset interval and receive from them the information collected by the agents.
Thus, with the LanAgent program it is possible to effectively monitor how rationally employees use their working hours and to observe them in real time. But one should not go too far; perhaps the point of the program is, after all, catching as many “criminals” as possible and preventing such actions.
Legality of monitoring users
Many users of monitoring programs ask: “is it lawful to organise surveillance of workers' computers?” and “is installing tracking programs on the computer lawful?”.
Let us start with the fact that, from the point of view of the law, you can install any legal programs on the computer. You are not obliged to inform anyone of the fact of installation.
As for installing tracking programs on employees' computers, for such installation to be lawful the employees should be notified, in writing and against signature. It is advisable to include a clause on the use of such monitoring programs in the labour contract. It should state:
- that all information processed on the organisation's computers is the organisation's property;
- that use of computer and office equipment for personal purposes is not permitted;
- that the organisation has all the means to control compliance with this provision.
Alternatively, employees can be notified in another way of the use of tools for controlling their work at the computer in order to ensure the security of confidential information. The main thing is that it is in writing and against the employee's signature.
Thus, the possibility of intercepting information concerning the worker's private life or personal data is eliminated.
As for reconciling the use of tracking programs with the Labour Code of the Russian Federation, here too the law is on the employer's side. According to item 21, the worker is obliged “to honestly fulfil the labour duties assigned to the worker by the labour contract” and also “to observe the rules of the internal labour schedule of the organisation” and “to observe labour discipline”. In turn, item 22 of the Labour Code of the Russian Federation lists among the employer's rights: “the right to demand from workers fulfilment of their labour duties and a careful attitude to the property of the employer and other workers, and observance of the rules of the internal labour schedule of the organisation”.
It follows from the above that a worker's use of equipment (in this case computer equipment) for purposes not connected with fulfilling labour duties (including for personal purposes) contradicts the essence of labour relations and contradicts the worker's duty of diligent fulfilment of the assigned labour duties.
In summary …
In summary, we note that computer observation is a quite independent task of control and information protection, both in its formulation and in the approaches to its solution. Besides the methods considered above, which rely on additional programs, it is possible to use utilities built into the server operating system (on a server) for keeping logs of user activity, logs of billing programs for assessing the user's activity on the Internet, etc. Solving the task of computer observation makes it possible to obtain an objective assessment both of the efficiency with which the firm's computing resources are used and of the firm's employee, including an assessment of loyalty, answering a question that interests almost any director: “What are employees doing during working hours, and what are they paid wages for?”.
1. Scheglov A.U. What do the staff? [http://www.klerk.ru/soft/articles/72726]
2. LanAgent – the program for hidden observation of users in a local area network, the control of usage of working hours and support of informational safety [http://www.lanagent.ru]
The author: Челябэнергопроект