RE: Tracking a (potential) abuser?

From: Ralph Los (RLosat_private)
Date: Thu Feb 06 2003 - 21:25:52 PST


    Thanks to all that have replied.  I do appreciate the responses.
    
    Here's what I've determined should be our course of action, both from
    suggestions and some at-length brainstorming.
    
    First, we're faced with a few big challenges, namely:
    
    1. 2 Servers, hundreds of students, dozens of teachers, a few admins, and no
    "order" or access policy
    2. We're not even entirely sure there is/was a compromise of any part of the
    system
    3. It is very difficult to track access to specific folders if those folders
    are used legitimately hundreds of times a day, by dozens of people often
    sharing usernames/passwords with their colleagues
    
    So here's my strategy:
    
    1. Forget trying to "find the culprit" at this point
    2. Create domain-level policies and groups for admin, access purposes
    3. Tighten password policy
    4. Re-work permissions on all folders
    5. Selectively audit access to important folders, etc
    6. Limit, track and audit all "admin"-level access.
    
    I think this is a sound plan.  Rather than spending countless hours and
    dollars tracking what may be a ghost, we're going to take the high road and
    assume that we can move on after some serious security audit-work.
    
    Thanks again everyone,
    
    /Ralph/
    
    
    -----Original Message-----
    From: Ralph Los [mailto:RLosat_private] 
    Sent: Wednesday, February 05, 2003 10:25 AM
    To: 'forensicsat_private'
    Subject: Tracking a (potential) abuser?
    Sensitivity: Confidential
    
    
    Hi all,
    	First time poster, long time lurker.
    
    	I'm doing some work for a school which has approx. 1,000 users
    (students + staff) sharing the same Win2k-AD network resources.  Windows
    permissions, shares and passwords are obviously not strengthened (why would
    they be, that would make this easy!) so there are suspicions that students
    are running rampant on this network.  I was asked to come and investigate
    for signs of mis-use, abuse, or "hacking".  What I DID find was a student's
    directory which had *explicit deny* for the administrators group to all
    rights.  I had to go and "take ownership" to get a view into this student's
    directory.
    
    	Now, this is as close to a "smoking gun" as I have.  I'm trying to
    "catch these student(s)" in the act but it's difficult because, as I said to
    the principal, how do I distinguish between an administrator using their
    account and a student who's guessed their password??
    
    	The real request here is this:  How would one go about analyzing a
    live system like this?  I can't arouse too many suspicions as I was asked to
    catch the person/people involved in this activity.  Where would you start?
    (I've turned on Windows object auditing pretty heavily, but that's a
    monumental task sifting through all that data!!).  Any real-world experience
    or suggestions for a Win2k network would be most-appreciated!
    
    /Ralph/
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
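    The part of this thread that lends itself to tooling is the "monumental task
    sifting through all that data" once object auditing is on, and the question
    of how to tell an administrator from a student who has guessed the
    administrator's password. The script below is an added example, not code
    from the thread or from any of the posters: it triages a constructed,
    simplified export of object-access audit events (on Win2k these are the
    event 560 "Object Open" records; the pipe-separated fields, account and
    workstation names, and the share paths here are all assumptions made up for
    the example). It flags the indicators a defender would want for exactly
    this situation: admin accounts used from workstations that are not the
    admin's, permission and ownership changes (the kind that produce an
    "explicit deny" on a student directory), off-hours access, and one account
    appearing on two workstations within a short window, which is the footprint
    of a shared or guessed password.

```python
"""Triage of exported Windows object-access audit events (added example).

The input format is a constructed, simplified export; real exports will need a
different parse_event(), but the triage logic is the same.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: time | account | workstation | object | access.
# Hypothetical accounts, workstations and share paths, not data from the thread.
SAMPLE_EVENTS = [
    r"2003-02-05 08:02:11|SCHOOL\admin1|ADMIN-PC|\\SRV1\students\jdoe|READ",
    r"2003-02-05 08:04:30|SCHOOL\admin1|LAB-07|\\SRV1\students\jdoe|WRITE_DAC",
    r"2003-02-05 08:06:02|SCHOOL\admin1|LAB-07|\\SRV1\students\jdoe|WRITE_OWNER",
    r"2003-02-05 09:15:00|SCHOOL\teacher3|LIB-01|\\SRV1\staff\grades|READ",
    r"2003-02-05 09:16:10|SCHOOL\teacher3|LIB-02|\\SRV1\staff\grades|READ",
    r"2003-02-05 22:41:55|SCHOOL\jdoe|LAB-07|\\SRV1\staff\grades|READ",
    r"2003-02-05 10:00:00|SCHOOL\teacher1|RM-12|\\SRV1\students\jdoe|READ",
]

# Assumed site policy: which accounts are admins, where admins normally work,
# what counts as business hours, and which access types change permissions.
ADMIN_ACCOUNTS = {r"school\admin1", r"school\admin2"}
ADMIN_WORKSTATIONS = {"ADMIN-PC"}
BUSINESS_HOURS = (7, 18)  # 07:00 inclusive to 18:00 exclusive
SENSITIVE_ACCESS = {"WRITE_DAC", "WRITE_OWNER", "DELETE"}


def parse_event(line):
    """Split one exported record into a dict; account and workstation are
    normalised so that case differences in the export do not split one user
    into several."""
    ts, account, workstation, obj, access = line.split("|")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "account": account.lower(),
        "workstation": workstation.upper(),
        "object": obj,
        "access": access,
    }


def triage(lines, window=timedelta(minutes=10)):
    """Return (findings, per_object): findings maps an indicator name to the
    events that triggered it; per_object counts events per (account, object)
    so the reviewer can see who touches which folder and how often."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    findings = defaultdict(list)
    per_object = Counter()
    last_seen = {}  # account -> (time, workstation) of its previous event

    for e in events:
        per_object[(e["account"], e["object"])] += 1

        # Admin credentials used from a machine that is not an admin machine.
        if e["account"] in ADMIN_ACCOUNTS and e["workstation"] not in ADMIN_WORKSTATIONS:
            findings["admin_from_unexpected_workstation"].append(e)

        # Activity outside the school day.
        if not (BUSINESS_HOURS[0] <= e["time"].hour < BUSINESS_HOURS[1]):
            findings["off_hours"].append(e)

        # ACL or ownership changes: the operations behind an "explicit deny".
        if e["access"] in SENSITIVE_ACCESS:
            findings["permission_change"].append(e)

        # Same account on two different workstations within the window.
        prev = last_seen.get(e["account"])
        if prev and prev[1] != e["workstation"] and e["time"] - prev[0] <= window:
            findings["possible_shared_credential"].append(e)
        last_seen[e["account"]] = (e["time"], e["workstation"])

    return dict(findings), per_object


def report(lines):
    """Human-readable summary of the triage, one line per flagged event."""
    findings, per_object = triage(lines)
    out = []
    for name, evts in sorted(findings.items()):
        for e in evts:
            out.append(f"{name}: {e['time']} {e['account']} on {e['workstation']} "
                       f"{e['access']} {e['object']}")
    for (account, obj), n in sorted(per_object.items()):
        out.append(f"count: {account} -> {obj}: {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

    Run it and the sample yields two admin-from-lab-PC events (the same account
    that was just used from its own machine a couple of minutes earlier), the
    two permission changes on the student directory, one late-night read of the
    grades folder, and two accounts that moved between workstations inside the
    ten-minute window. Tune ADMIN_WORKSTATIONS, BUSINESS_HOURS and the window
    to the site; the value of the approach is that it turns a day of audit
    records into a handful of lines worth reading.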
    



    This archive was generated by hypermail 2b30 : Sat Feb 08 2003 - 15:10:28 PST