Who's Doing What On My Network?

I was away for a few days this week on customer sites and a common question that came up was around finding out what a particular individual was doing on the network. In some cases the query was around web usage and in others the query was associated with bandwidth usage.

There are many sources of user data on networks, the main ones for me are:

  • Server and application log files
  • Network traffic
  • Profile information on computers and laptops
  • Network switches

These data sources are only useful if you have logging enabled. The most important one is that you capture and store where users are logging onto your network. If you use Microsoft Active Directory, then this information will be stored on your domain controllers once you have logon auditing enabled. I recommend that you should capture these log files on a regular basis and store them on a single system. The main information you need from these logs is usernames, time of logons and the IP addresses of client systems. The IP address information is needed, as other systems on your network may not log usernames and use IP addresses instead.

Once you have a record of all logons onto your network you should then look at capturing application logs and data. For most networks, monitoring file shares, network traffic, databases and Internet usage is sufficient for user monitoring. If you are focusing on data compliance standards you will need to check if you need to monitor other data sources.

Monitoring file shares

There are a couple of ways you can monitor who is accessing files and folders which are shared on the network. One method is to enable auditing on servers which host file shares. However, my experience has being that this fills logs very quickly so you need to be careful that you don't overwrite the data you need when the logs get full. The second method involves locating your network core and using a deep packet inspection system to capture the file access activity from network traffic. This is probably the least disruptive way to get this data. Finally, you could also install software on your file servers which will do the logging. You just need to make sure you install it on all servers and check that it does not impact on server performance. Whatever system you choose a good test is to see how quickly you can find out who deleted a specific file from the network.

Monitoring network traffic

Network traffic and users sometimes seem poles apart. Network traffic can be broken down to IP addresses and MAC addresses and it can be hard to associate it with usernames. Getting network traffic is straightforward. You can enable port mirroring on your core switches or you can look at getting flow information from both switches and routers. There are many applications out there that can process this network data. Free tools usually focus on current activity where more commercial ones will keep a historical record as well. The key to mapping this network activity to a user name should be found in your logs which store user logons. For example, if my network monitoring system detected IP address downloading huge volumes of data at 10:05 this morning, I would check the logon events for the last user to logon to the network prior to 10:05 with that client IP address.

Network switches will contain information as to what devices are connected to what port. You can track an IP address down by looking at MAC tables but it can take time. Once you track the IP address, you can get the username by checking logon events. Recently a number of products have come out which automate this process.

Monitoring databases

Database monitoring is very much like file activity monitoring. You can look at log files, extracting the information from network data or you can install agents on the database servers. If you use log files or agent software, make sure the log files have plenty of disk space. Also monitor server resources using a network monitoring tool so you can make sure the logging is not impacting on server performance.

Monitoring Internet usage

Monitoring Internet usage is not all about a big brother approach where every web site accessed is reviewed. Most networks managers that I speak to adopt a fair usage policy. If someone is downloading large amounts of data or watching TV shows online, then it is highlighted as this can slow things down for everybody else. Monitoring Internet usage can also be useful for detecting zombies on your network. If someone's system is infected with malware then you need to monitor what sites it's trying to connect to.

Another common request I come across is people from outside of IT looking for an Internet report associated with a particular individual. Usually it will be something like "can I find out what that user was doing between 2PM and 4PM last Friday".

You can start monitoring Internet activity by setting up logging on your proxy or Internet filtering server. As with all logging, make sure you have enough space and it does not impact on server performance. This information can also be captured from network traffic; you just need to get a deep packet inspection system which can extract website information from network packets. Finally, make sure you are also monitoring your Internet connection for any users who may have found a way to bypass your proxy or filtering system.

In summary, I recommend that you start to monitor what users are doing on your network. Start off with the simple things like keeping a log of who is logging on, and to what systems. You can then start to extend monitoring to include file shares, databases and Internet activity. For a single-pane-of-glass-view of network activity, you should be able to access all of this information from a single interface. Integration is an important consideration if you have multiple systems collecting the user activity data.


Darragh Delaney is head of technical services at NetFort Technologies. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service.

Subscribe to the Security Watch Newsletter