Hi all, First time poster, long time lurker. I'm doing some work for a school which has approx. 1,000 users (students + staff) sharing the same Win2k-AD network resources. Windows permissions, shares and passwords are obviously not strengthened (why would they be, that would make this easy!) so there are suspicions that students are running rampant on this network. I was asked to come and investigate for signs of mis-use, abuse, or "hacking". What I DID find was a student's directory which had *explicit deny* for the administrators group to all rights. I had to go and "take ownership" to get a view into this student's directory. Now, this is as close to a "smoking gun" as I have. I'm trying to "catch these student(s)" in the act but it's difficult because, as I said to the principal, how do I distinguish between an administrator using their account and a student who's guessed their password?? The real request here is this: How would one go about analyzing a live system like this? I can't arouse too many suspicions as I was asked to catch the person/people involved in this activity. Where would you start? (I've turned on Windows object auditing pretty heavily, but that's a monumental task sifting through all that data!!). Any real-world experience or suggestions for a Win2k network would be most-appreciated! /Ralph/ ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 11:32:31 PST