Re: Catch a hacker?

From: Rich K (anonymous_at_discussions.microsoft.com)
Date: 02/25/04 

Date: Wed, 25 Feb 2004 06:23:53 -0800

I believe they have changed the password, but we want to
catch the lil ***. :)

I don't know about the audit part though. I will ask the
network guys.

Thanks though,
Rich

>-----Original Message-----
>Anyone think to change the admin password, and audit
existing accounts to
>ensure that they're legitimate?
>
>Simple auditing should tell you when someone logs on,
and from which system.
>But as long as you're letting this clown run around,
he/she could just as
>easily disable the audit policy entries.
>
>You have a nice management mess on your hands.
>
>"RichK" <anonymous@discussions.microsoft.com> wrote in
message
>news:13c701c3fba6$4f9eb590$a301280a@phx.gbl...
>> Where i work we have a certain person who has figured
out
>> the Admin network password. So this user gets on and
>> makes some minor changes to the server that cause me
>> problems on the break fix level. I suggested to the
>> network guys to check the Event Viewer and see when the
>> admin signon signed on last and so on. We have a log
of
>> when the person did sign on, but for some reason the
>> network guys didnt have it track the PC name or
>> anything. Is there a way to setup an alert that when
the
>> Admin signon is used again that it will send a message
to
>> one of the network Admins telling them which PC the
user
>> is at exactly or 5 secs from when the user signs on?
>>
>> Thanks for your help,
>> Rich
>
>
>.
>