
Re: Tracking a (potential) abuser?

From: Jason Powell <Jason.Powell(at)cchmc.org>
Date: Thu Feb 06 2003 - 15:21:21 EST

Some suggestions:

1.) Manually reset passwords on all privileged accounts (i.e., more than a "Domain User"). Positively identify every individual requesting a password change on those accounts.

2.) Reset the local administrator password on all machines (can this be done with AD?), and ensure that only "Domain Admins" are members of the local Administrators group.

3.) Mercilessly reduce the number of Admins in your domain.

4.) Inspect each global group for permissions and membership.

5.) If you can localize the misuse/abuse to a few workstations or servers, make judicious use of Spectorsoft Pro (monitoring software).

JP


/sig/
Jason A. Powell, CISSP
Senior Systems Analyst

Children's Hospital Medical Center
Information Services Security
(513) 636-1499
jason.powell@cchmc.org

>>> "Ralph Los" <RLos@enteredge.com> 02/05/03 10:25AM >>>
Hi all,

        First time poster, long time lurker.

        I'm doing some work for a school which has approx. 1,000 users (students + staff) sharing the same Win2k-AD network resources. Windows permissions, shares and passwords are obviously not strengthened (why would they be, that would make this easy!) so there are suspicions that students are running rampant on this network. I was asked to come and investigate for signs of misuse, abuse, or "hacking". What I DID find was a student's directory which had *explicit deny* for the Administrators group to all rights. I had to go and "take ownership" to get a view into this student's directory.

        Now, this is as close to a "smoking gun" as I have. I'm trying to "catch these student(s)" in the act but it's difficult because, as I said to the principal, how do I distinguish between an administrator using their account and a student who's guessed their password?

        The real request here is this: How would one go about analyzing a live system like this? I can't arouse too many suspicions as I was asked to catch the person/people involved in this activity. Where would you start? (I've turned on Windows object auditing pretty heavily, but it's a monumental task sifting through all that data!) Any real-world experience or suggestions for a Win2k network would be most appreciated!

/Ralph/
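The "smoking gun" Ralph describes, an explicit Deny ACE against the Administrators group on a student's directory, is something that can be hunted for across a whole file server rather than stumbled upon. The script below is an added example for this thread, not code from either poster. It assumes the directory security descriptors have already been exported as SDDL strings (the format Windows uses for text representations of ACLs) and parses the DACL portion of each, reporting any Deny ACE that is not inherited and that names an administrative trustee (the BUILTIN\Administrators alias or SID, or the Domain Admins RID 512 under any domain SID). Inherited denies are skipped deliberately, since a deny that came from a parent folder is not the same signal as one a user placed there themselves. The paths and descriptors are constructed sample data.

```python
"""Flag explicit (non-inherited) Deny ACEs that target administrative
groups in directory ACLs expressed as SDDL strings.

Added example for this thread (not code from the original posts). It
assumes the ACLs were exported as SDDL text beforehand; the paths and
descriptors in SAMPLE_ACLS are constructed sample data.
"""
import re
from dataclasses import dataclass

# SDDL two-letter aliases for administrative trustees.
ADMIN_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "LA": "Local Administrator",
}
# Literal-SID forms: BUILTIN\Administrators, and relative ID 512
# (Domain Admins) under any S-1-5-21-... domain identifier.
BUILTIN_ADMINS_SID = "S-1-5-32-544"
DOMAIN_ADMINS_RID = "512"

ACE_RE = re.compile(r"\(([^)]*)\)")
# "D:" introduces the DACL: optional control flags, then zero or more ACEs.
DACL_RE = re.compile(r"D:([A-Z_]*)((?:\([^)]*\))*)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # "A" allow, "D" deny, "AU" audit, ...
    flags: str      # two-letter codes such as OI, CI; "ID" marks inherited
    rights: str     # "FA", a hex mask, or concatenated rights codes
    trustee: str    # SID alias or literal SID

    @property
    def inherited(self) -> bool:
        # Flags are fixed two-letter codes, so chunk the string in pairs.
        codes = {self.flags[i:i + 2] for i in range(0, len(self.flags), 2)}
        return "ID" in codes


def parse_dacl(sddl: str) -> list[Ace]:
    """Return the ACEs in the DACL portion of an SDDL string."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess at its meaning
        aces.append(Ace(fields[0], fields[1], fields[2], fields[5]))
    return aces


def is_admin_trustee(trustee: str) -> bool:
    """True for administrative aliases, BUILTIN\\Administrators, or Domain Admins."""
    if trustee in ADMIN_ALIASES or trustee == BUILTIN_ADMINS_SID:
        return True
    return (trustee.startswith("S-1-5-21-")
            and trustee.rsplit("-", 1)[-1] == DOMAIN_ADMINS_RID)


def explicit_admin_denies(sddl: str) -> list[Ace]:
    """ACEs that explicitly (not through inheritance) deny an admin trustee."""
    return [ace for ace in parse_dacl(sddl)
            if ace.ace_type == "D" and not ace.inherited
            and is_admin_trustee(ace.trustee)]


def scan(acls: dict[str, str]) -> dict[str, list[Ace]]:
    """Map each path to its explicit admin-deny ACEs; clean paths are omitted."""
    return {path: hits for path, sddl in acls.items()
            if (hits := explicit_admin_denies(sddl))}


# Constructed sample export: path -> SDDL of that directory.
SAMPLE_ACLS = {
    r"\\fileserver\students\jdoe":
        "O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
        "(A;OICI;0x1301bf;;;S-1-5-21-1111-2222-3333-1105)",
    r"\\fileserver\students\suspect":
        "O:S-1-5-21-1111-2222-3333-1342G:DUD:(D;OICI;FA;;;BA)"
        "(D;OICI;FA;;;S-1-5-21-1111-2222-3333-512)"
        "(A;OICI;FA;;;S-1-5-21-1111-2222-3333-1342)",
    r"\\fileserver\students\inherited":
        "O:BAG:SYD:AI(D;ID;FA;;;BA)(A;OICIID;FA;;;BA)",
}

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_ACLS).items():
        for ace in hits:
            who = ADMIN_ALIASES.get(ace.trustee, ace.trustee)
            print(f"{path}: explicit DENY {ace.rights} to {who} (flags {ace.flags})")
```

Only the "suspect" directory is reported, with two findings: the deny to BUILTIN\Administrators and the deny to the domain's RID 512 group. The "inherited" directory carries a deny to BA as well, but it is flagged ID and so is left out; whoever set the parent folder's ACL is the person to ask about that one, not the student.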



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Feb 6 21:24:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

