Comings and goings II
We appreciate feedback from readers and users. It keeps us and our tipsters on our toes. But this one required some further discussion, and so we solicited a reply from tipster Adesh Rampat.
User Mark E. Rohrer writes as follows. "[The tip] 'Tracking comings and goings,' by Adesh Rampat, [posted on] 13 Nov 2001, deserved the one that I gave it, and would have received a negative rating if possible due to the damage it may do to innocent people if the tip is taken at face value. It is not enough to look at the event code for logons (528), but the 'Type' must also be analyzed. For physical logons and logoffs, Event Codes 528 and 529 of Type 2 are the defining events. Other common types are 3, [which] normally occurs when a user makes a network connection such as mapping another network drive, and 7, [which] indicates a system was unlocked (such as when a screensaver that locks a workstation is unlocked). Without the added 'Type' guidance, more damage than good was offered, and can lead to company liability in judicial cases if investigators take the tip at face value."
Adesh Rampat replies: "This article was written not to override or go against any legal policies and not to be used as a sole criterion in monitoring employee activities. As part of a security policy, employees should log off from their workstations at the end of the workday and should not be using screen savers (with password protection) when they leave their offices. [But if that is not the case, then] during the course of the working day the 'Type' may come in handy, especially if you wish to monitor the additional issues mentioned."
We thank Mr. Rohrer for his amplification, and Mr. Rampat for his further elucidation.
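The distinction raised in the letter above, shown as an added example that is not part of the original column or of either writer's text: a Python script that groups event 528 records by logon type, so that only Type 2 entries are treated as a logon at the console. The CSV export layout, the description text, and the user and workstation names are constructed assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Logon types named in the reader's letter above.
LOGON_TYPES = {2: "interactive", 3: "network", 7: "unlock"}

# Constructed sample export: date, time, event ID, description (layout assumed).
SAMPLE = """\
2001-11-13,08:02:11,528,Successful Logon: User Name: jdoe Domain: CORP Logon Type: 2 Workstation Name: WS01
2001-11-13,08:05:40,528,Successful Logon: User Name: jdoe Domain: CORP Logon Type: 3 Workstation Name: WS01
2001-11-13,12:31:07,528,Successful Logon: User Name: jdoe Domain: CORP Logon Type: 7 Workstation Name: WS01
2001-11-13,23:14:52,528,Successful Logon: User Name: asmith Domain: CORP Logon Type: 3 Workstation Name: WS07
2001-11-13,09:00:00,528,Successful Logon: User Name: bad record with no type
"""

FIELDS = re.compile(r"User Name:\s*(\S+).*?Logon Type:\s*(\d+)")


def classify(export_text):
    """Group event 528 records per user by logon type; collect unparsable rows."""
    by_user = defaultdict(lambda: defaultdict(list))
    skipped = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 4 or row[2] != "528":
            continue  # not a successful-logon record
        match = FIELDS.search(row[3])
        if not match:
            skipped.append(row)  # keep for manual review instead of guessing a type
            continue
        user, logon_type = match.group(1), int(match.group(2))
        label = LOGON_TYPES.get(logon_type, f"type-{logon_type}")
        by_user[user][label].append(f"{row[0]} {row[1]}")
    return by_user, skipped


def console_arrivals(by_user):
    """Earliest Type 2 logon per user; users with no Type 2 record are omitted."""
    return {u: min(t["interactive"]) for u, t in by_user.items() if "interactive" in t}


if __name__ == "__main__":
    grouped, unparsed = classify(SAMPLE)
    print("console arrivals:", console_arrivals(grouped))
    print("rows needing review:", len(unparsed))
```

In the constructed sample, asmith has an event 528 at 23:14:52 but no Type 2 record, so a count based on the event code alone would place that user at a workstation when the log shows only a network connection.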
David Gabel is the executive technology editor of TechTarget.