Re: Success Audit - have I been hacked?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/28/04


Date: Sat, 28 Aug 2004 16:52:20 GMT

Yes, someone cleared the security log at the time indicated. I would immediately
change the administrator's password and check the membership of the local
administrators group on that server to make sure that only authorized users are
members and reset their passwords. You need to physically secure that server. At the
bare minimum configure the CMOS on it to only allow booting from the hard drive,
disable USB ports if possible, and password protect CMOS settings. Then you will need
to lock the computer case. There are devices you can use to lock an existing case if
it has no lock but ideally you want a sturdy computer case that locks internal access
and locks access to the drives. It is very easy to boot from a floppy or CD-ROM and
reset the built-in administrator account. The link below has more on basic security
procedures for a small business. --- Steve

http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
http://www.microsoft.com/technet/security/guidance/secmod144.mspx --- detailed info
on auditing.

"Jay B" <hidden@noemail.com> wrote in message
news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
> I'm a security neophyte... I need some advice here as to whether I
> found something bad in the Security Log.
>
> My server was in a location where it was not physically secure.
> When I got back to it today, I took a look in the Event Logs to see
> what might have been happening while I was gone. In the Security Log
> I found only _one_ event "Success Audit". What worries me is that
> the detail shows "The audit log was cleared"... the event ran
> as primary user "System", client user "administrator".
>
> Is this a "normal" event? I admit to knowing nothing at all about
> the security audit process. Does this indicate that the audit log was
> manually cleared by someone or is it the normal output of the
> system audit process?
>
> Thanks,
> Jay
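
An added example, not part of the original thread: a small offline check that scans an exported Security log for the "audit log was cleared" record (event ID 517 on Windows 2000/XP/2003, 1102 on Vista/Server 2008 and later) and reports which account cleared it. The CSV column layout, the host name SERVER01 and the sample rows are constructed assumptions, and the export is assumed to be ordered oldest first.

```python
import csv
import io
import re

# Event IDs Windows uses for "The audit log was cleared":
# 517 on Windows 2000/XP/2003, 1102 on Vista / Server 2008 and later.
LOG_CLEARED_IDS = {"517", "1102"}

# In the 517 description the "Client User Name" is the account that
# actually issued the clear; the "Primary User" is normally SYSTEM.
CLIENT_RE = re.compile(r"Client User Name:\s*(\S+)")

# Constructed sample export (assumed column layout, oldest record first).
SAMPLE_EXPORT = """Date,Time,Type,Source,EventID,User,Description
2004-08-27,23:14:05,Success Audit,Security,517,NT AUTHORITY\\SYSTEM,"The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Client User Name: Administrator Client Domain: SERVER01"
2004-08-28,09:02:41,Success Audit,Security,528,SERVER01\\jay,"Successful Logon: User Name: jay Domain: SERVER01 Logon Type: 2"
"""


def find_log_clears(export_text):
    """Return one finding per 'audit log was cleared' record in the export."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    findings = []
    for index, row in enumerate(rows):
        if row["EventID"].strip() not in LOG_CLEARED_IDS:
            continue
        match = CLIENT_RE.search(row["Description"])
        findings.append({
            "when": f'{row["Date"]} {row["Time"]}',
            # Fall back to the User column when the description has no
            # "Client User Name" field (for example the 1102 layout).
            "cleared_by": match.group(1) if match else row["User"],
            # If the clear is the oldest surviving record, everything
            # logged before it is gone and must be reviewed elsewhere.
            "is_oldest_record": index == 0,
        })
    return findings


if __name__ == "__main__":
    for finding in find_log_clears(SAMPLE_EXPORT):
        print(finding)
```
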


