Re: tracking an internal user.

From: SvS (perltech@mynet.com)
Date: 12/04/02


From: "SvS" <perltech@mynet.com>
Date: Wed, 4 Dec 2002 17:47:40 -0500


Dennis,
Thanks for the reply. I've configured Network Monitor and started capturing
packets.
I'll be catching him no later than tomorrow.
Thanks a lot again,
Stevens.

"Dennis Houchin" <Dennis@_NOSPAM_adhocis.com> wrote in message
news:uwkEqP3mCHA.2280@TK2MSFTNGP10...
> Hello,
>
> You can use the standard Network Monitor that comes with NT/2000 from
> the server to track server access attempts. This will show not only the IP
> but also the MAC address which will give you further evidence of the
> originating machine. It will also show you exactly what the attacker is
> trying to do. You can save the logs and cross-reference with any employee
> or building access logs, just in case legal action is indicated.
>
> If he's hacking into other systems on the network, other than the server,
> you can get the enhanced Network Monitor that will let you capture all
> network traffic.
>
> Dennis Houchin, MCSE CISSP
>
>
> In news:OP2u1#2mCHA.672@TK2MSFTNGP08,
> SvS <no.spam@spam.com> typed:
> > Guys, Our main file server is being internally attacked by one of our
> > users. He intentionally changed his computer's hostname to my
> > computer's hostname as if the attacks are being originated from my
> > computer. Unfortunately, I could only see his username (mine of
> > course) and the bogus hostname of the connecting computer from the
> > event viewer (which I audited to log the bad attempts). I need to,
> > somehow, see his IP address as well. This is the only way I can
> > track him down. I'm looking for IDS's over the internet but I
> > couldn't find anything suitable for such a situation. Basically, a
> > small software logging the IP address of every connection attempt to
> > the server would be great. Any ideas would be greatly appreciated.
> > Thanks.
>
>
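
The capture-and-correlate step discussed in this thread, as an added example that is not part of the original posts: it lists each (source MAC, source IP) pair that opened a connection to the server's file-sharing ports, which is the evidence a spoofed hostname does not hide. Assumptions: the capture has been exported to classic libpcap format on an Ethernet link, file-sharing traffic uses TCP 139/445, and the function and sample names are hypothetical; the sample capture is constructed.

```python
import struct
from collections import Counter

SMB_PORTS = {139, 445}  # assumption: NetBIOS session / SMB ports; not stated in the thread

def syn_sources(pcap: bytes, ports=SMB_PORTS) -> Counter:
    """Count TCP SYNs to `ports` per (source MAC, source IP) in a classic pcap."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    seen, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # Need Ethernet (14) + IPv4 (20) + TCP (20) bytes; skip anything that is not IPv4.
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14] >> 4 != 4 or ihl < 20 or frame[23] != 6 or len(frame) < 14 + ihl + 14:
            continue
        tcp = frame[14 + ihl:]
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        if dport in ports and flags & 0x12 == 0x02:  # SYN set, ACK clear: new attempt
            mac = ":".join(f"{b:02x}" for b in frame[6:12])
            ip = ".".join(str(b) for b in frame[26:30])
            seen[(mac, ip)] += 1
    return seen

def _frame(src_mac, src_ip, dport, flags):  # builds one constructed pcap record
    eth = bytes(6) + bytes.fromhex(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src_ip), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    rec = eth + ip + tcp
    return struct.pack("<IIII", 0, 0, len(rec), len(rec)) + rec

# Constructed capture: two connection attempts from one host, plus unrelated traffic.
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _frame("020000000a01", [10, 0, 0, 23], 445, 0x02),
    _frame("020000000a01", [10, 0, 0, 23], 139, 0x02),
    _frame("020000000b02", [10, 0, 0, 42], 445, 0x10),  # ACK only, not a new attempt
    _frame("020000000b02", [10, 0, 0, 42], 80, 0x02),   # SYN to a port outside the set
])

if __name__ == "__main__":
    print(syn_sources(SAMPLE))
```
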


