Re: Catch a hacker?

From: Jim Carlock (anonymous_at_10.10.com)
Date: 02/26/04


Date: Wed, 25 Feb 2004 19:31:38 -0500

If the guy set himself up as Administrator because he has the
password, changing the password is only one thing that needs to
be done. He could still be grouped with the Administrators,
Domain Administrators, Enterprise Administrators, etc.

;-) Geniusboy!

-- 
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.

"Jeff Cochran" <jcochran.nospam@naplesgov.com> wrote in message
news:403e11ea.1212302288@msnews.microsoft.com...
On Wed, 25 Feb 2004 10:25:39 -0800, "Rich"
<anonymous@discussions.microsoft.com> wrote:
>We did, geniusboy - I just wanted to know of something for
>the future.  A preventative tool, but thanks.
Sorry if I was denigrating, but here's the deal.  Your post said you
wanted to know if when the admin signon was used again, could it send
a message within 5 seconds of the user signing on.  The kicker is --
IF YOU CHANGED THE PASSWORD HE CAN'T SIGN ON!
Yes, shouting at you.  From your post, it was pretty clear you
*hadn't* changed the password, whether you meant it that way or not.
In addition, your other post says "I believe they have changed the
password, but we want to catch the lil ***."  Here you tell *me*
the password has been changed, but in a post to someone else you
"believe" it has been changed.
At any rate, use auditing.  You should always audit login failures if
not successful logins.
Good luck.
Jeff
>>-----Original Message-----
>>On Wed, 25 Feb 2004 05:50:21 -0800, "RichK"
>><anonymous@discussions.microsoft.com> wrote:
>>
>>>Where I work we have a certain person who has figured out
>>>the Admin network password.  So this user gets on and
>>>makes some minor changes to the server that cause me
>>>problems on the break fix level.  I suggested to the
>>>network guys to check the Event Viewer and see when the
>>>admin signon signed on last and so on.  We have a log of
>>>when the person did sign on, but for some reason the
>>>network guys didn't have it track the PC name or
>>>anything.  Is there a way to set up an alert that when the
>>>Admin signon is used again that it will send a message to
>>>one of the network Admins telling them which PC the user
>>>is at exactly or 5 secs from when the user signs on?
>>
>>Okay, why haven't you or the "network guys" been smart enough to
>>change the freakin' password?
>>
>>Your answer is auditing, both successful and unsuccessful logon events.
>>
>>Jeff
>>.
>>