Re: tracking admin commands
- From: "Rodo" <ralvarado@xxxxxxxxxxx>
- Date: Wed, 25 Oct 2006 11:41:05 -0700
sounds good. you're using Microsoft's Log Parser from IIS 6 RK Tools?
"M. Burnett [MVP]" <mb@xxxxxxxx> wrote in message
news:%23gNcu1E%23GHA.1128@xxxxxxxxxxxxxxxxxxxxxxx
You can audit all executables and know when someone runs them, but you
wouldn't know the actual parameters used on the command line.
But yeah, Roger is right, there's not much more you can do other than
install a keylogger or a good host monitoring application.
As a side note about the effects of commands, I do have several
tightly-controlled servers where I need to know EVERYTHING that happens on
them. I have a log parser script that e-mails me a report every 24 hours.
That report includes all new logins, all executables run, all Windows
firewall events that involve new opened ports, a list of all objects that
were accessed (excluding a few high activity dirs), Windows Defender
events, all failed audits, and a few other misc events. It also lists any
errors or warnings that appear in the event logs (filtering out some
non-important events that often show up).
The reports are shorter than you'd think and it just takes a moment to scan
for irregularities. It is highly unlikely that anything would happen on
those servers without me knowing. This is a good example of monitoring the
effects of commands. I don't know exactly what someone did at first, but
it alerts me that something has happened.
This is particularly effective for monitoring outside attacks because no
matter what methods they use, their targets will always be the same.
Mark Burnett
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:#ih9sVE#GHA.4472@xxxxxxxxxxxxxxxxxxxx:
"Rodo" <ralvarado@xxxxxxxxxxx> wrote in message
news:ezbPRiD%23GHA.4404@xxxxxxxxxxxxxxxxxxxxxxx
A trace of commands. From what you said in your previous post, I assume
results of command would show through auditing objects.
"results" only indirectly
For example, as admin if I issue
xcacls c:\temp /e /g users:f
the results are changes in NTFS permissions on c:\temp
and that acted-on object would have to be audited to see
the results.
I am aware of no way, short of putting keyloggers on all
admin usable workstations/servers, that you can get an
record of all commands issued by admins (not to mention
that some UI tools do not really issue commands underneath
whereas others do).
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:OyxyOO$9GHA.4708@xxxxxxxxxxxxxxxxxxxxxxx
So you want to have a trace of the commands, or of the
effects resulting from the commands ?
"Rodo" <ralvarado@xxxxxxxxxxx> wrote in message
news:OYCJ8S49GHA.3392@xxxxxxxxxxxxxxxxxxxxxxx
Are system administrator commands traceable back to an individual ID?
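An added example, not code from the thread or from any of its posters: a PowerShell script that produces the kind of daily "effects" report Mark Burnett describes (new logons, executables run, firewall rule changes, object access minus a few noisy directories, Defender events, failed audits, and error/warning events with a small ignore list), using Get-WinEvent on a current Windows host rather than the IIS 6 Log Parser tool. It assumes Advanced Audit Policy is enabled for Logon, Process Creation and Object Access, that SACLs are set on the directories you care about, and that "Include command line in process creation events" is on, which is what lets event 4688 carry the parameters the thread says could not be captured in 2006. The excluded paths, ignored event ID, output file and SMTP addresses are constructed placeholders.

```powershell
# Added example (not from the thread). Daily audit-effects report built from the
# Windows event logs. Event IDs are the post-Vista equivalents of the 2003-era
# ones: 4624 logon, 4688 process creation, 4663 object access, failed audits by keyword.
param(
    [int]      $Hours      = 24,
    [string[]] $NoisyPaths = @('C:\Windows\Temp\*', 'C:\inetpub\logs\*'),  # constructed exclusions
    [int[]]    $IgnoreIds  = @(10016),                                      # constructed: a chatty, understood DCOM warning
    [string]   $OutFile    = "$env:TEMP\daily-audit-report.txt"
)

$since        = (Get-Date).AddHours(-$Hours)
$AuditFailure = [long]0x10000000000000   # Security log keyword for "Audit Failure"

# Query one log. Get-WinEvent throws when nothing matches, so return an empty array instead.
function Get-Events {
    param([string]$Log, [int[]]$Id, [int[]]$Level, [long]$Keywords)
    $f = @{ LogName = $Log; StartTime = $since }
    if ($Id)       { $f.Id       = $Id }
    if ($Level)    { $f.Level    = $Level }
    if ($Keywords) { $f.Keywords = $Keywords }
    try { @(Get-WinEvent -FilterHashtable $f -ErrorAction Stop) } catch { @() }
}

# Read EventData fields by name; positional Properties[] indexes break when fields are added.
function Get-EventData {
    param($Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$sections = [ordered]@{}

# Interactive (2), network (3) and RDP (10) logons: who, from where.
$sections['Logons'] = Get-Events -Log Security -Id 4624 | ForEach-Object {
    $d = Get-EventData $_
    if ($d.LogonType -in '2','3','10') {
        '{0:u}  {1}\{2}  type={3}  from={4}' -f $_.TimeCreated, $d.TargetDomainName, $d.TargetUserName, $d.LogonType, $d.IpAddress
    }
}

# Process creation. CommandLine is empty unless command-line logging is enabled in audit policy.
$sections['Executables run'] = Get-Events -Log Security -Id 4688 | ForEach-Object {
    $d   = Get-EventData $_
    $cmd = if ($d.CommandLine) { $d.CommandLine } else { $d.NewProcessName }
    '{0}  {1}' -f $d.SubjectUserName, $cmd
} | Group-Object | ForEach-Object { '{0,5}x  {1}' -f $_.Count, $_.Name }

# Object access (needs SACLs on the audited directories), minus the high-activity paths.
$sections['Objects accessed'] = Get-Events -Log Security -Id 4663 | ForEach-Object {
    $d = Get-EventData $_
    $noisy = $false
    foreach ($p in $NoisyPaths) { if ($d.ObjectName -like $p) { $noisy = $true } }
    if (-not $noisy) { '{0}  {1}' -f $d.SubjectUserName, $d.ObjectName }
} | Group-Object | ForEach-Object { '{0,5}x  {1}' -f $_.Count, $_.Name }

# Firewall rule added / modified / deleted (2004 / 2005 / 2006).
$sections['Firewall rule changes'] = Get-Events -Log 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' -Id 2004,2005,2006 |
    ForEach-Object { '{0:u}  {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] }

# Defender detections (1116) and actions taken (1117).
$sections['Windows Defender'] = Get-Events -Log 'Microsoft-Windows-Windows Defender/Operational' -Id 1116,1117 |
    ForEach-Object { '{0:u}  {1}' -f $_.TimeCreated, ($_.Message -split "`n")[0] }

# All failed audits, summarised per event ID.
$sections['Failed audits'] = Get-Events -Log Security -Keywords $AuditFailure |
    Group-Object Id | ForEach-Object { '{0,5}x  event {1}' -f $_.Count, $_.Name }

# Critical (1), Error (2) and Warning (3) entries from System and Application, minus the ignore list.
$sections['Errors and warnings'] = foreach ($log in 'System','Application') {
    Get-Events -Log $log -Level 1,2,3 | Where-Object { $_.Id -notin $IgnoreIds } |
        Group-Object ProviderName, Id | ForEach-Object { '{0,5}x  {1}' -f $_.Count, $_.Name }
}

# Assemble the report; a section with no events still appears so its absence is visible.
$report = foreach ($name in $sections.Keys) {
    $items = @($sections[$name] | Where-Object { $_ })
    "=== $name ($($items.Count)) ==="
    $items
    ''
}
$report | Set-Content -Path $OutFile
# Send-MailMessage -From 'audit@example.invalid' -To 'admin@example.invalid' `
#     -Subject "Audit report $(hostname)" -Body ($report -join "`n") -SmtpServer 'smtp.example.invalid'
```

Run it from a scheduled task as a local account that has read access to the Security log, and review the ignore list and exclusions periodically: every exclusion is a blind spot, so keep them to paths whose activity you already understand.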