Some suggestions: 1.) Manually reset passwords on all privileged (i.e., more than a "Domain User"). Positively identify every individual requesting a password change on those accounts. 2.) Reset the local administrator password on all machines (Can this be done with AD?), ensure that only "Domain Admins" are members of the Local Admins group. 3.) Mercilessly reduce the number of Admins in your domain. 4.) Inspect each global group for permissions and membership. 5.) If you can localize the misuse/abuse to a few workstations or servers, make judicious use of Spectorsoft Pro (monitoring software). JP /sig/ Jason A. Powell, CISSP Senior Systems Analyst Children's Hospital Medical Center Information Services Security (513) 636-1499 jason.powellat_private >>> "Ralph Los" <RLosat_private> 02/05/03 10:25AM >>> Hi all, First time poster, long time lurker. I'm doing some work for a school which has approx. 1,000 users (students + staff) sharing the same Win2k-AD network resources. Windows permissions, shares and passwords are obviously not strengthened (why would they be, that would make this easy!) so there are suspicions that students are running rampant on this network. I was asked to come and investigate for signs of mis-use, abuse, or "hacking". What I DID find was a student's directory which had *explicit deny* for the administrators group to all rights. I had to go and "take ownership" to get a view into this student's directory. Now, this is as close to a "smoking gun" as I have. I'm trying to "catch these student(s)" in the act but it's difficult because, as I said to the principal, how do I distinguish between an administrator using their account and a student who's guessed their password?? The real request here is this: How would one go about analyzing a live system like this? I can't arouse too many suspicions as I was asked to catch the person/people involved in this activity. Where would you start? (I've turned on Windows object auditing pretty heavily, but that's a monumental task sifting through all that data!!). Any real-world experience or suggestions for a Win2k network would be most-appreciated! /Ralph/ ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 18:25:13 PST