Re: Tracking a (potential) abuser?
From: ktabic <lists(at)ktabic.co.uk>
Date: Thu Feb 13 2003 - 11:59:15 EST

Do your students have student cards? I refuse to change the password if they don't have either a student card or a driver's license.

>2.) Reset the local administrator password on all machines (Can this be

Well, the college I work at, I leave the local machine administrator as an administrator, but only so that I can get admin privs when a machine isn't on the network. However, I have a vbscript that sets a different randomised password for the administrator account on each workstation. Also, the local administrator account has no privs at all on the domain.

Related to this, admin accounts on my network have extra parts to their logon script that automatically mail me the username and machine name the moment they log onto a machine. I frequently know where they are logging on before the logon script has finished running.

>3.) Mercilessly reduce the number of Admins in your domain.

The NT4 domain I inherited had 18 users with admin privs. This was brought down to 2 (MIS manager and his assistant, simply so I didn't have to go installing the db client on machine. They could do it).

One of the techniques used to reduce this number was to crack the various admin users' passwords. Presenting a list to upper management stating these accounts can be taken over by a student in 24hrs or less sometimes scares the bosses into agreeing with you. Also stating things like: Why do they need admin privs? Are they in charge of the backups? Do they fix machines when they go wrong?

>4.) Inspect each global group for permissions and memberships

This part can take time, the first time round. But it is worth it, as you can then monitor the groups for changes with more ease. The automatic group monitor that (was) running each night here spotted a change in members of the domain admins account less than 24hrs after it happened.

>5.) If you can localize the misuse/abuse to a few workstations or

This is taken, on my network, to be an indicator that they are trying to hide stuff. Usually it is an instant messenger app of some sort (all instant messengers and IRC clients are explicitly banned in the AUP). Any complaint made about the change in permissions gets the response: interfering with permissions causes some of our programs to fail (a userarea size monitoring program) and the permissions are reset to stop this interference.

> Now, this is as close to a "smoking gun" as I have. I'm trying

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Feb 14 09:43:23 2003
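
A nightly group-membership check of the kind the message describes, as an added example that is not the poster's script: it parses saved `net group "Domain Admins" /domain` output and diffs it against a stored baseline. The 25-character column width, the account names and the sample output are assumptions constructed for illustration.

```python
COLUMN_WIDTH = 25  # assumption: `net group` prints member names in 25-character columns


def parse_net_group(output):
    """Return the member names listed in `net group "<name>" /domain` output."""
    members, in_list = [], False
    for line in output.splitlines():
        if line.startswith("The command completed"):
            break
        if in_list:
            # Slice fixed-width columns; splitting on spaces would break names with spaces.
            for i in range(0, len(line), COLUMN_WIDTH):
                name = line[i:i + COLUMN_WIDTH].strip()
                if name:
                    members.append(name)
        elif line.startswith("-----"):
            in_list = True
    return members


def diff_members(baseline, current):
    """Compare two member lists case-insensitively, as Windows does for account names."""
    old = {m.lower(): m for m in baseline}
    new = {m.lower(): m for m in current}
    added = sorted(new[k] for k in new.keys() - old.keys())
    removed = sorted(old[k] for k in old.keys() - new.keys())
    return added, removed


# Constructed sample data: last night's baseline and tonight's command output.
BASELINE = ["Administrator", "mis_manager", "mis_assistant"]
TONIGHT = (
    "Group name     Domain Admins\n"
    "Comment        Designated administrators of the domain\n"
    "\n"
    "Members\n"
    "\n"
    + "-" * 79 + "\n"
    + "Administrator".ljust(25) + "MIS_Manager".ljust(25) + "student042".ljust(25) + "\n"
    + "lab tech".ljust(25) + "\n"
    + "The command completed successfully.\n"
)

if __name__ == "__main__":
    added, removed = diff_members(BASELINE, parse_net_group(TONIGHT))
    for name in added:
        print("ALERT added to Domain Admins:", name)
    for name in removed:
        print("ALERT removed from Domain Admins:", name)
```

Removals are reported as well as additions, since a dropped admin account can mean someone is tidying up after a change.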