In recent years, the frequency of unauthorized actions into information systems (IS) is constantly increasing, which inevitably leads to huge financial and material losses. There is an interesting fact; more than half of all violations committed by the company’s employees, i.e. internal IS users. It is known that last few years, IS protection from insiders is mainly provided by specialized tools of the differentiation of user access to information resources. With the help of these tools to each user are assigned specific rights, in accordance with this it is permitted (or prohibited) local access to information are stored in computer, or remote access via communication links to information on other computers1 . Still it must be noted that this approach does not solve the whole problem of information sources protection from intruders are operating inside IS. This is caused by two main factors: x Tools of differentiation of local access are not able to provide protection against the actions of offenders who are not directly related to obtaining unauthorized access to information system resources. For example, the user can intentionally install and run the malicious software on own workstation that allows to capture and analyze network traffic in the IS. Another example of the unauthorized activity when protection can’t be ensured by tools of access control is data recorded to external devices or the printing of confidential information to which the user has legally access. To identify such actions in IS should apply the system of workstation active monitoring x The tools of differentiation of remote access does not provide protection from network attacks that can be performed by internal users of the system. Such attacks are based on vulnerabilities that may happen in software-hardware server and desktop stations of IS. Examples of vulnerabilities are unstable passwords, incorrect software configuration, errors are presented in the application software, etc. The success of the network attacks can lead to a breach of confidentiality, integrity or availability of information in the system. To timely detect and block such attacks should be used detection tools, known as IDS-system (Intrusion Detection Systems)2 . On this basis, it should be highlighted the main tasks of research: x The development of organizational measures are needed to meet the requirements of data protection, organizational and administrative documentation projects x The ensure compatibility of hardware and software processing tools of data protection on the protected workstation with installable protection tools in compliance with the requirements for the configuration mechanisms of closed software environment, and flow control (mandatory access) x The organization of complex schemes of information backup to external devices x The development of the efficient schemes of the operational and centralized management of configuration x The development of regulations to ensure continuity and rapid recovery of functioning of the object of protection in the presence of a complex server groups, including the secure server and domain controller, database, a management server anti-virus tools and file server Thus, the effective protection from insiders of information security requires the use of additional forms of protection, such as workstations active monitoring, as well as intrusion detection systems