Re: Sucsss Audit - have I been hacked ?
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/30/04
Date: Mon, 30 Aug 2004 02:38:48 GMT
Quite right. If there is not a good explanation, the user should consider it a
compromised server and act accordingly, which should mean the server be rebuilt and
secured, but that is his call. --- Steve
"Oli Restorick [MVP]" <oli@mvps.org> wrote in message
news:%23rGU$gfjEHA.2812@tk2msftngp13.phx.gbl...
>I agree, but I will add that just checking the membership of the local
>administrators group may not be enough. The user rights assignment gives plenty of
>room for somebody having a high level of access to a server without being spotted
>quite so easily, so this should be checked as well.
>
> Oli
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:8L2Yc.106926$TI1.91639@attbi_s52...
>> Yes, someone cleared the security log at the time indicated. I would immediately
>> change the administrator's password and check the membership of the local
>> administrators group on that server to make sure that only authorized users are
>> members and reset their passwords. You need to physically secure that server. At
>> the bare minimum configure the CMOS on it to only allow booting from the hard
>> drive, disable USB ports if possible, and password protect CMOS settings. Then you
>> will need to lock the computer case. There are devices you can use to lock an
>> existing case if it has no lock but ideally you want a sturdy computer case that
>> locks internal access and locks access to the drives. It is very easy to boot from
>> a floppy or CD-ROM and reset the built-in administrator account. The link below has
>> more on basic security procedures for a small business. --- Steve
>>
>> http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
>> http://www.microsoft.com/technet/security/guidance/secmod144.mspx --- detailed
>> info on auditing.
>>
>> "Jay B" <hidden@noemail.com> wrote in message
>> news:l4jvi0lu0d74r03bio3tqp8lulo3htlupm@4ax.com...
>>> I'm a security neophyte... I need some advice here as to whether I
>>> found something bad in the Security Log.
>>>
>>> My server was in a location where it was not physically secure.
>>> When I got back to it today, I took a look in the Event Logs to see
>>> what might have been happening while I was gone. In the Security Log
>>> I found only _one_ event "Success Audit". What worries me is that
>>> the detail shows "The audit log was cleared"... the event ran
>>> as primary user "System", client user "administrator".
>>>
>>> Is this a "normal" event? I admit to knowing nothing at all about
>>> security audit process. Does this indicate that the audit log was
>>> manually cleared by someone or is it the normal output of the
>>> system audit process?
>>>
>>> Thanks,
>>> Jay
>>
>>
>
>
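Added example, not part of the original thread: the user rights assignment check suggested above, done offline over the output of `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The sample export, the account names `helpdesk2` and `svc_update`, and the baseline of allowed holders are constructed assumptions; adjust the baseline to the server's role.

```python
# Constructed sample of a secedit user-rights export; not taken from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544,helpdesk2
SeDebugPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTcbPrivilege = svc_update
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

ADMINS, BACKUP_OPS = "*S-1-5-32-544", "*S-1-5-32-551"

# Assumed baseline: which principals may hold each high-impact right.
BASELINE = {
    "SeSecurityPrivilege": {ADMINS},       # manage auditing and security log
    "SeDebugPrivilege": {ADMINS},
    "SeTcbPrivilege": set(),               # act as part of the operating system
    "SeBackupPrivilege": {ADMINS, BACKUP_OPS},
    "SeRestorePrivilege": {ADMINS, BACKUP_OPS},
    "SeTakeOwnershipPrivilege": {ADMINS},
    "SeLoadDriverPrivilege": {ADMINS},
}

def parse_privilege_rights(inf_text):
    """Return {right: set(principals)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip() for p in value.split(",") if p.strip()}
    return rights

def unexpected_holders(inf_text, baseline=BASELINE):
    """Return sorted (right, principal) pairs that exceed the baseline."""
    rights = parse_privilege_rights(inf_text)
    return sorted((r, p) for r, allowed in baseline.items()
                  for p in rights.get(r, set()) - allowed)

if __name__ == "__main__":
    for right, who in unexpected_holders(SAMPLE_INF):
        print(f"REVIEW: {who} holds {right}")
```

A real export is written as UTF-16, so read it with `open("rights.inf", encoding="utf-16")` before passing the text in. `SeSecurityPrivilege` is the right that allows clearing the security log, so any holder outside the baseline deserves the same scrutiny as an unexpected administrator.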