Can I know which websites are visited by a user from SEPM?

Created: 06 Jul 2009 • Updated: 21 May 2010 | 20 comments
This issue has been solved. See solution.

Can I know which websites are visited by a user from SEPM? Maybe through Network Application Monitoring or any other settings.

pete_4u2002's picture

Hi,
I do not think so. You can set an exception for iexplore.exe, but you will not come to know which sites the SEPM machine user tried to communicate with. It's not a URL filtering application.

cheers
Pete

Sandeep Cheema's picture

You can make a rule with the action as "ALLOW" for the application iexplore.exe and set it to log, say, in the traffic log. When you pull up the log from "Monitors>Logs", you can track their activity.

De facto when AV does something, it starts jumping up and down, waving its arms, and shouting...

"Hey!  I found a virus!  Look at me!  I'm soooo goooood!"

SOLUTION
Sandeep Cheema's picture

If you log it, it will log it :)

Bijay.Swain's picture

Thanks Sandeep

It is working, and the log is also showing the websites visited.

Thanks again

profman's picture

Try a squid proxy server.....it is free and once you lock everything down, you can easily set up a web frontend to enable monitoring and run reports.....similar to the SEPM, but for web traffic. SEP can be buggy for this task, as all a user needs to do is log onto another computer if you are managing clients instead of users.......

Bijay.Swain's picture

We have a Squid proxy server on another server, which is maintained by another agency. I just want to know who is doing what on the internet and why so many threats are entering our network.

ShadowsPapa's picture

It's not showing JUST the web sites visited, but the address and URL of every single web server that has a connection TO that web site! Examples include advertising servers, ebay, thousands of others, so please don't assume or accuse users based on the SEP logs - it's not smart enough to tell you if they VISITED the site, or if a page they DID visit had some picture or image or ad, etc. on the site they did visit.
I see thousands of hits to ebay in our logs each week - the problem is that none of our users are going there!
I do a lot of forensic work and those hits SEP logs are typically because Google or some search engine had a thumbnail or something on their site. Our users use Google and Yahoo a lot and a visit to a single Yahoo or Google search can fill the SEP log page.
I'd never rely on that SEP log, and certainly don't base someone's job or reputation or disciplinary action based on that. You'll lose!

Bijay.Swain's picture

Yes, I also found that, but I still want to see the logs for some days.

Bijay.Swain's picture

One thing I noticed is that if the client is using any proxy connection, then the log is not showing the website address he visits; instead it shows the IP address of the proxy server and the port number.

How to log the website address when a client uses a proxy connection?

Paul Mapacpac's picture

Hi Bijay, better do it on the proxy, try to use SARG as the reporting.

Bijay.Swain's picture

I know the proxy log is better, but can it be monitored through SEP?

Paul Mapacpac's picture

It cannot be monitored using SEP, SARG has a page for all of the reports.
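
An added example, not part of any post in this thread and not Squid or SARG code: since the advice above is to report from the proxy log, this sketch reads Squid's native `access.log` format and, per user, separates HTML pages from embedded objects (thumbnails, ad images), HTTPS tunnels and denied requests, which is the distinction ShadowsPapa notes the SEP traffic log cannot make. The sample lines, host names and user names are constructed, and the default native log format with proxy authentication is assumed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed client result/status bytes method URL user hierarchy/peer mime
SAMPLE_LOG = """\
1246867200.101    250 10.0.0.21 TCP_MISS/200 15320 GET http://search.example/results?q=sep jdoe DIRECT/192.0.2.10 text/html
1246867200.480     90 10.0.0.21 TCP_MISS/200 2210 GET http://thumbs.auction.example/i/1.jpg jdoe DIRECT/192.0.2.20 image/jpeg
1246867200.512     85 10.0.0.21 TCP_HIT/200 4100 GET http://ads.adnet.example/banner.gif jdoe NONE/- image/gif
1246867201.007    310 10.0.0.35 TCP_MISS/200 0 CONNECT mail.example:443 asmith DIRECT/192.0.2.30 -
1246867202.300     12 10.0.0.35 TCP_DENIED/403 1450 GET http://games.example/ asmith NONE/- text/html
malformed line
"""

def host_of(method, url):
    """Return the destination host of a logged request."""
    if method == "CONNECT":              # HTTPS tunnel: URL field is host:port
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or url

def summarize(lines):
    """Map user -> bucket -> set of hosts (page/embedded/tunnel/denied)."""
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        f = line.split()
        if len(f) < 10 or "/" not in f[3]:
            continue                     # skip truncated or foreign lines
        result, method, url, user, mime = f[3], f[5], f[6], f[7], f[9]
        who = user if user != "-" else f[2]   # no auth: fall back to client IP
        if result.startswith("TCP_DENIED"):
            bucket = "denied"            # blocked by proxy ACL, never fetched
        elif method == "CONNECT":
            bucket = "tunnel"            # only host:port is visible for HTTPS
        elif mime.startswith("text/html"):
            bucket = "page"              # heuristic: iframes are HTML too
        else:
            bucket = "embedded"          # images, scripts, ads pulled by a page
        report[who][bucket].add(host_of(method, url))
    return report

if __name__ == "__main__":
    for who, buckets in summarize(SAMPLE_LOG.splitlines()).items():
        for bucket, hosts in sorted(buckets.items()):
            print(who, bucket, sorted(hosts))
```

Even the "page" bucket is only a candidate list, so it narrows what to review rather than proving a deliberate visit.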

Sandeep Cheema's picture

All that you can do from SEP is to block the proxies....If they use that, I don't think it's possible to track the visits.

ShadowsPapa's picture

We don't allow proxy use, period.
There's but one reason folks here would use a proxy, and if they need to do that, they need to work elsewhere.

profman's picture

The use of a proxy is not just hype: it is an elemental security practice. SEP 11 is an excellent tool for protecting the end user from incoming traffic....but it cannot do everything. A proxy server will filter content, log access requests, denials, and with the proper front end, will chart your usage by user. In an AD environment with SSA, the proxy can be transparent; with Altiris Notification Server, you can track web usage without ever letting the end user know it.....by simply importing the MAC addresses related to the asset tags that your users are assigned in the Inventory Solution. A proxy also protects your organization from federal lawsuits by catching internal misdemeanors before they grow out of proportion. The truth is that a proxy is the only sensible solution to securing, logging, and tracking web access these days.

So ShadowsPapa, I would agree with you that if you do not use a proxy and have no intention of doing so, then for your users' sake, they need to work somewhere else. One cybercriminal that cannot be quickly pinned to anyone in particular is a menace to the good names of everyone else.....SEP protects the clients from the outside world.....Proxies integrate accountability.

ShadowsPapa's picture

I guess you took that wrong - I'm referring to PROXIES as used by END USERS to get around SECURITY and tracking.
WEBSENSE, for example, is a GOOD proxy, however, there are end-users who would get around such things by using alternate browsers and/or proxies.
I'm referring to rogue users using proxies to bypass OUR security. And those people exist. Look at some of the threads here - where admins are attempting to block the use of proxies because they work AROUND corporate or gov't protections. Use of proxies for good is great, but too often, those "free proxies" or "free proxy servers" are to thwart TRACKING and accountability! What? ME? No, I never went there, just check the logs!
See my statement was "we don't allow proxy use" - however, as IT admin, we will be using proxies to watch what they are doing and filter content AND block non-work related sites as needed or necessary.
I stand by "we don't allow the use of proxies" just like we don't allow software installations - EXCEPT by IT.
If someone is found using a proxy to get around our firewalls or filtering or security, they might just end up working elsewhere.
For myself as a network admin, we're looking at pulling a free Linux based proxy solution for filtering and security.

There are good proxies used by the forces of good and proxies used by those with evil intent, sneaking around the web without us knowing.

profman's picture

Sorry, I did. It sounds like what you need is an inventory solution to tack down those rogue apps. Altiris has an excellent one, btw. 

ShadowsPapa's picture

>>profman 15 hours 45 min ago
Re: I guess you took that wrong
Sorry, I did. It sounds like what you need is an inventory solution to tack down those rogue apps. Altiris has an excellent one, btw.
<<

Yeah, I think we need to look at more such things.
I'd like to take a look at Symantec's deduplication technology and backups, too.
Our current so-called "solutions" are costing arms and legs not only in $$ but in people, too.
We use "SMS" to inventory, but you have to tell it what to look for according to the person who runs that here. I personally think it's a joke.

Nel Ramos's picture

You could also use the IEHistoryView v1.37
Copyright (c) 2003-2008 by Nir Sofer.

So as long as they had not deleted the history then you could use this..

thanks...

Nel Ramos