ISA naughty reports in SBS 2003 [Windows Small Business Server 2003 Best Practices book excerpt]

G’day mates – Harrybbbb here on his third cup of cofeeeeee….

I hold a daily virtual book reading where I post up a passage from one of my books. This is a favorite section in detecting naughty behavior in ISA in an SBS 2003 world! Beware earthlings – we can watch you and everything you do on your Windows Small Business Server 2003 network! 🙂

 

cheers…harrybbbb

Harry Brelsford, CEO at smb nation www.smbnation.com

Microsoft Small Business Specialist SBSC, MBA, MCSE, MCT, MCP, CNE, CLSE, CNP

PS – did u know I host a technology conference in the New York City area each spring? Save the date for March 6-8, 2009 and watch “voice meet data” in the SMB space!

PPS – my SBS 2008 book will be out in mid-November 2008!

PPPS – my Microsoft Response Point Primer book is here NOW!

Naughty Reports

Some of my SBS clients are control freaks and want to snoopervise users on Internet usage. Some are motivated by deeply held beliefs that viewing pornographic sites is simply wrong and immoral. Others have financial motivations that employees should work, not play, during business hours at their place of employment. With this second group of control freaks, they often don’t care what you do with your own computer at home on your own time.

Granted, these reports were best presented in the SBS 4.x era as a button-click away via the management consoles, but as you’ll see here, these reports, while hidden, can still be found and well used. What occurs is the reports are built using the nearly unreadable raw Internet activity data, shown below (Figure 13-19), and then the data is massaged and an attractive report is the result! Note that the SBS 4.x versions actually used a run-time version of Crystal Reports to render the naughty and nice reports.

 Visit http://www.microsoft.com/technet for the latest updates for any Microsoft product.

Figure 13-19

The raw reports that hold the secrets as to who (individually) has been naughty or nice on the Internet. But, alas, the reports are hard to read.

BEST PRACTICE: If you must, you can view the raw ISA Server logs at:

%system drive%\Program Files\Microsoft ISA Server\ISALogs.

Rumor has it there are some great third-party parsing tools to present this raw data better. See the ISA Server 2000 Web sites I refer you to at the end of the chapter.

First, you must create a report job. Perform these steps.

1. Log on to SPRINGERS1 as Administrator with the password Husky9999!.

2. Click Start, Server Management.

3. Expand the ISA Management snap-in (assuming you modified the console earlier in this chapter).

4. Expand Servers and Arrays.

5. Expand the SPRINGERS1 server object.

6. Expand Monitoring Configuration.

 

Chapter 13 Premium Security: ISA Server 2000

 

7. Right-click the Report Jobs folder and select New, Report Job.

8. The Report Job Properties dialog box appears. Type SPRINGERS Naughty and Nice Reports in the Name field.

9. Select the Period tab and select Monthly.

10. Select the Schedule tab and select Immediately.

 

BEST PRACTICE: It is on the Schedule tab that you could have the report run every day at a specific time. You could elect to generate the report only once per month. For the SSL methodology, you have selected the option to generate the reports immediately so you can see your reports instantly.

11. Select the Credentials tab and complete the three fields that are displayed. In the Username field, type Administrator. In the Domain name field, type SPRINGERSLTD. In the password field, type Husky9999!.

BEST PRACTICE: In the Domain field of the Credentials page, you will type the internal NetBIOS domain name, not the external Internet domain name. This is very clear, but you can prove it by trying to type SPRINGERSLTD.COM and observing that the field isn’t wide enough to accommodate this entry.

12. Click OK to close the Report Job Properties dialog box.

Next, surf to the naughty and nice Web sites of your choice. A nice site to consider is one of my favorites, http://www.smbnation.com. Then complete these steps to look at the naughty and nice reports.

1. Log on to SPRINGERS1 as Administrator with the password Husky9999!.

2. Click Start, Server Management.

3. Expand the ISA Management snap-in.

4. Expand Servers and Arrays.

5. Expand the SPRINGERS1 server object.

6. Expand Monitoring.

7. Expand Reports.

 


BEST PRACTICE: Even though the report job is displayed in the details pane when you click on Reports, you can’t launch the naughty and nice reports from here. Move on to Step #8.

8. Expand Summary and double-click the SPRINGERS Naughty and Nice Reports entry. An IW Web browser is launched that displays the Array Summary Reports.

9. Click on the Top Users link on the left. As seen in Figure 13-20, NormH is the top user.

 

Figure 13-20

NormH just edged out the Administrator as the top user in this example.

10. Click on the Top Web Sites link and compare to Figure 13-21. It appears some Web surfing has been nice, such as entries number two (www.microsoft.com) and number seven (www.cbsnews.com). However, some surfing has been naughty, as in entries number three (www.penthouse.com) and number ten (www.playboy.com).


Figure 13-21

Some SBS users have been naughty and some have been nice, if you look closely at the URLs of the Top Web Sites report.

BEST PRACTICE: What the naughty and nice reports do not do is relate which user was naughty and which user was nice. That is, the Top Web Sites report shows total hits as an SBS network, not by individual. To find out which specific user has been naughty, you’d need to look directly at the ISA Server logs shown earlier in Figure 13-19.

11. Selecting the Cache Performance link shows a pie chart of how many hits are drawn from cache. This is displayed in Figure 13-22.


Figure 13-22

In the case of SSL, the Cache Performance report indicates that most hits are returned from the Internet, not cache.

 

12. Click the Traffic link to display the Traffic report. This shows traffic over a range of dates.

13. Click Daily Traffic to observe traffic by time of day for a specific day. This is shown in Figure 13-23.

 


Figure 13-23

The Daily traffic report is very valuable to observe when most of the Web surfing activity is occurring. For example, too much Web surfing over lunch might indicate horseplay by the employees at the firm.

BEST PRACTICE: Matter of fact, I’ve used the Daily traffic report to exonerate the wrongly charged in organizations more than to obtain convictions for naughty behavior. Here’s what I mean. An employee is suspected of surfing the Web for pornography on a company workstation. Perhaps this was determined by a supervisor viewing the History folder in Internet Explorer. But upon closer scrutiny, it might be revealed that the employee had left a workstation logged on each night and there was unusually high traffic at 1:00am when the janitors perform their work. I’ve now introduced reasonable doubt in the equation and allowed the shaken employee to retain his job. Whew!
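The built-in reports stop at network-wide totals, so the per-user question raised above and the time-of-day check in this Best Practice both come down to reading the raw logs. The sketch below is an added example, not code from the book or from ISA Server; it assumes the Web proxy log is written in W3C extended format (tab-delimited, with a `#Fields:` header naming `c-ip`, `cs-username`, `time` and `r-host`), and every row in the sample, including the placeholder host `flagged.example`, is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: W3C extended format, tab-delimited, "#Fields:" header.
# Users, addresses and times are invented; flagged.example is a placeholder.
FIELDS = ["c-ip", "cs-username", "date", "time", "r-host", "sc-status"]
ROWS = [
    ("192.168.16.10", "SPRINGERSLTD\\NormH", "2008-10-06", "12:14:02", "www.microsoft.com", "200"),
    ("192.168.16.10", "SPRINGERSLTD\\NormH", "2008-10-06", "12:15:40", "www.cbsnews.com", "200"),
    ("192.168.16.10", "SPRINGERSLTD\\NormH", "2008-10-07", "01:03:11", "flagged.example", "200"),
    ("192.168.16.10", "SPRINGERSLTD\\NormH", "2008-10-07", "01:04:57", "flagged.example", "200"),
    ("192.168.16.2", "SPRINGERSLTD\\Administrator", "2008-10-06", "09:30:00", "www.smbnation.com", "200"),
    ("192.168.16.11", "anonymous", "2008-10-06", "13:00:00", "www.microsoft.com", "200"),
    ("192.168.16.10", "SPRINGERSLTD\\NormH"),  # truncated row, must be skipped
]
SAMPLE_LOG = "\n".join(["#Version: 1.0", "#Fields: " + "\t".join(FIELDS)]
                       + ["\t".join(r) for r in ROWS])


def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # drop truncated or corrupt rows
                yield dict(zip(fields, values))


def who(rec):
    """Account name, or the client IP when the request was not authenticated."""
    user = rec["cs-username"].lower()
    return rec["c-ip"] if user in ("", "-", "anonymous") else user


def tally(text):
    """Return (hits per user per host, hits per user per hour of day)."""
    by_host, by_hour = defaultdict(Counter), defaultdict(Counter)
    for rec in parse_w3c(text):
        by_host[who(rec)][rec["r-host"].lower()] += 1
        by_hour[who(rec)][int(rec["time"][:2])] += 1
    return by_host, by_hour


if __name__ == "__main__":
    by_host, by_hour = tally(SAMPLE_LOG)
    for user in sorted(by_host):
        print(user, by_host[user].most_common(3), sorted(by_hour[user].items()))
```

Check which clock the log uses before reading the hour column against office hours (W3C-format logs are normally written in UTC rather than local time). A user name in the log identifies the logged-on session, not the person at the keyboard, which is exactly the gap the 1:00am case above turns on.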

