Re: Possible Intruder - Help urgently needed

From: Daniel Billingsley (dbillingsley@NO.durcon.SPAAMM.com)
Date: 02/20/03


From: "Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com>
Date: Thu, 20 Feb 2003 13:32:31 -0500


Well, the audit policies seem like a given at minimum so you'll have some
better info if they do it again (including knowing for sure they had done
something). You could also look at Snort, which is a pretty good but free
Intrusion Detection System.

And changing the passwords if you even think they possibly have been
compromised is a given as well.

With such a small network I think the intrusion would leave quite an obvious
trail.

"Emdee" <mikeDONTSPAM@webheat.co.uk> wrote in message
news:3e55134c$0$14792$afc38c87@news.easynet.co.uk...
> Well that's the thing, nothing malicious seems to have been done, hence the
> Possible in the subject line.
>
> It's possibly happened before, the only destructive thing is the policies
> being deleted.
>
> Other than that all seems well.
>
> "Daniel Billingsley" <dbillingsley@NO.durcon.SPAAMM.com> wrote in message
> news:ORSa7VQ2CHA.2188@TK2MSFTNGP09.phx.gbl...
> > Uh... I think I'd start with unplugging the internet connection. Seriously,
> > if you are that kind of a breach you need to take drastic action immediately
> > IMO.
> >
> > Then I'd probably change the administrator password to something strong.
> >
> > THEN, you can start worrying about the who and where. Maybe get some audit
> > policies going to track when and where they're attaching, if you haven't
> > stopped them with the above steps. That is, unless you want to leave your
> > entire network as a honey pot in attempts at catching them.
> >
> > "Emdee" <mikeDONTSPAM@webheat.co.uk> wrote in message
> > news:3e550c96$0$14787$afc38c87@news.easynet.co.uk...
> > > I believe I may have an intruder in my network on 7 Win2K machines (2 of
> > > which are DCs).
> > >
> > > I believe the intruder is doing the following:
> > > -Modifying the accounts of Administrator and Guest(disabled)
> > > -Possibly making some Security Policy changes
> > > -Afterwards clears up by deleting the altered Security Policies from Sysvol
> > >
> > > What I need from you guys is some help in working out how they're getting
> > > in.
> > > What should I be looking at to find their entry point??
> > >
> > > I need this help like yesterday so the quicker the better.
> > >
> > > Thanks all
> > > Mike
> > >
> > >
> >
> >
>
>
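The advice in the thread boils down to a procedure: turn on audit policies for account changes, logons and policy changes, then read the Security log to see when and from where someone is attaching. The following is an added example of that procedure, not code from anyone in the thread. It assumes a modern Windows host (Vista/2008 or later) with PowerShell 3.0+ run from an elevated prompt; the Win2K machines in the post would take the same secedit template but would have to be read with the Event Viewer, and their pre-Vista event IDs differ (noted in the comments). The template path, database path and the 7-day window are arbitrary choices.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell 3.0+ session on a
# Vista/2008-or-later host. Paths and the look-back window are assumptions.

# 1. Enable success+failure auditing for the categories an intruder touching accounts,
#    logging on, or editing policy would trip. secedit template values: 0 = none,
#    1 = success, 2 = failure, 3 = both. Single-quoted here-string so $CHICAGO$ is literal.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditDSAccess = 3
'@
$infPath = Join-Path $env:TEMP 'audit.inf'   # assumed location
$dbPath  = Join-Path $env:TEMP 'audit.sdb'   # assumed location
Set-Content -Path $infPath -Value $inf -Encoding Unicode
secedit /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /quiet

# 2. Pull the events that answer "who touched which account, from where".
#    Modern ID  (pre-Vista ID)  meaning
#    4720       (624)           user account created
#    4722       (626)           user account enabled        <- Guest being re-enabled
#    4724       (628)           password reset attempt      <- Administrator being changed
#    4738       (642)           user account changed
#    4719       (612)           system audit policy changed
#    1102       (517)           audit log cleared           <- the "clears up afterwards" step
#    4624/4625  (528,540/529)   successful / failed logon
function Get-EventField {
    # Read a named EventData field from the event's XML rather than relying on
    # positional Properties[] indexes, which differ between event IDs.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$ids   = 4720, 4722, 4724, 4738, 4719, 1102, 4624, 4625
$since = (Get-Date).AddDays(-7)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $type = Get-EventField $_ 'LogonType'
        # Drop the noisy local/service logons; keep network (3) and RDP (10) logons,
        # which are the ones that show someone "attaching" from elsewhere.
        if (($_.Id -in 4624, 4625) -and ($type -notin '3', '10')) { return }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Account   = Get-EventField $_ 'TargetUserName'
            Actor     = Get-EventField $_ 'SubjectUserName'
            From      = Get-EventField $_ 'IpAddress'
            Station   = Get-EventField $_ 'WorkstationName'
            LogonType = $type
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Run it on each DC, since account-management events are logged on the DC that processed the change, not on the machine the attacker sat at. A 4724 or 4738 against Administrator or Guest whose Actor is not one of your own admin accounts, or a 1102 followed by a gap, is the trail the thread is talking about; the From and Station columns on the surrounding 4624 events are the entry point the original poster was asking for.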


