Re: Success Audit - have I been hacked?
From: Oli Restorick [MVP] (oli_at_mvps.org)
Date: 08/29/04
- Next message: msnews.microsoft.com: "Remote Shut Down Privileges"
- Previous message: Tim Springston [MS]: "Re: wmi win32_desktop object (has something to do with security?)"
- In reply to: Steven L Umbach: "Re: Success Audit - have I been hacked?"
- Next in thread: Steven L Umbach: "Re: Success Audit - have I been hacked?"
- Reply: Steven L Umbach: "Re: Success Audit - have I been hacked?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 29 Aug 2004 19:44:39 +0100
I agree, but I will add that just checking the membership of the local
administrators group may not be enough. The user rights assignment gives
plenty of room for somebody having a high level of access to a server
without being spotted quite so easily, so this should be checked as well.
Oli
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:8L2Yc.106926$TI1.91639@attbi_s52...
> Yes, someone cleared the security log at the time indicated. I would
> immediately change the administrator's password and check the membership of
> the local administrators group on that server to make sure that only
> authorized users are members and reset their passwords. You need to
> physically secure that server. At the bare minimum, configure the CMOS on
> it to only allow booting from the hard drive, disable USB ports if
> possible, and password-protect CMOS settings. Then you will need to lock
> the computer case. There are devices you can use to lock an existing case
> if it has no lock, but ideally you want a sturdy computer case that locks
> internal access and locks access to the drives. It is very easy to boot
> from a floppy or CD-ROM and reset the built-in administrator account. The
> link below has more on basic security procedures for a small
> business. --- Steve
>
> http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
> http://www.microsoft.com/technet/security/guidance/secmod144.mspx ---
> detailed info on auditing.
>
> "Jay B" <hidden@noemail.com> wrote in message
> news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
>> I'm a security neophyte... I need some advice here as to whether I
>> found something bad in the Security Log.
>>
>> My server was in a location where it was not physically secure.
>> When I got back to it today, I took a look in the Event Logs to see
>> what might have been happening while I was gone. In the Security Log
>> I found only _one_ event "Success Audit". What worries me is that
>> the detail shows "The audit log was cleared"... the event ran
>> as primary user "System", client user "administrator".
>>
>> Is this a "normal" event? I admit to knowing nothing at all about
>> the security audit process. Does this indicate that the audit log was
>> manually cleared by someone, or is it the normal output of the
>> system audit process?
>>
>> Thanks,
>> Jay
>
>
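
The user rights check suggested in the reply above, as an added example that is not part of the original thread: it parses the file written by `secedit /export /cfg rights.inf /areas USER_RIGHTS` and lists powerful rights held by anyone outside an expected baseline. The list of sensitive rights, the baseline, and the sample export (including the account name and SID in it) are assumptions constructed for illustration.

```python
import configparser

ADMINS = "*S-1-5-32-544"       # BUILTIN\Administrators
BACKUP_OPS = "*S-1-5-32-551"   # BUILTIN\Backup Operators

# Assumed baseline: rights that give near-administrator access, mapped to the
# holders a reviewer expects to see. Adjust per site.
BASELINE = {right: {ADMINS} for right in (
    "SeDebugPrivilege", "SeTcbPrivilege", "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeSecurityPrivilege",     # "Manage auditing and security log"
)}
BASELINE["SeBackupPrivilege"].add(BACKUP_OPS)
BASELINE["SeRestorePrivilege"].add(BACKUP_OPS)

# Constructed sample of a secedit export. A real export is normally UTF-16:
# read it with open(path, encoding="utf-16").read().
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544,helpdesk2
SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

def unexpected_rights(inf_text, baseline=BASELINE):
    """Return {right: [holders]} for sensitive rights held outside the baseline."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str       # keep the case of privilege names
    cp.read_string(inf_text)
    findings = {}
    if not cp.has_section("Privilege Rights"):
        return findings
    for right, value in cp.items("Privilege Rights"):
        if right not in baseline:
            continue           # not one of the rights under review
        holders = [h.strip() for h in value.split(",") if h.strip()]
        extra = [h for h in holders if h not in baseline[right]]
        if extra:
            findings[right] = extra
    return findings

if __name__ == "__main__":
    for right, holders in unexpected_rights(SAMPLE_INF).items():
        print(f"{right}: review {', '.join(holders)}")
```

Entries prefixed with `*` are SIDs; entries without it are account names exactly as secedit wrote them.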