The way I would handle the situation is as follows. I would reset the permissions on the student's folder to the way that you found them. Leaving them changed can give you away easily. Secondly, I would find out as much background info on the user as possible (i.e. which computer labs or workstations do they generally use and when do they use them). Unless the person is stupid, you are probably dealing with a stolen account.

Once you have the background info you can start to cross reference the security logs. Make sure that you have logon success/failures audited. Each day export the log file to a text file and do a keyword search on the username in question. Keep track of any suspicious login times or places for that user. If you can narrow it down to a couple of workstations then you can start with key loggers and other fun stuff.

Next, at the same time I changed the logon setting in auditing, I would also make sure that I turned on auditing for reading/writing file attributes and for deleting any folders. After you finish with keyword searches for usernames, then I would do a few more for folder deletions and attribute changes. Weed out legitimate uses and investigate the rest. If you get some more user IDs then you can use the same technique as above.

Now do another keyword search of the logs for administrator logins. Find out who has access to the administrator passwords and where they log in. Verify every single administrator login. If you get a login from an unexpected workstation then throw on a key logger.

Finally, I'm not sure if Internet abuse is one of your concerns; if it is, make sure that the school has a proxy server and that it is the only way to access the internet. You will spend a good amount of time going over the logs of that to look for suspicious behavior.

William B. Grossman
Network Administrator

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Feb 08 2003 - 15:11:12 PST
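The log cross-referencing the post describes (keyword search on the username in the exported security log, comparing logon times and workstations against what is known about the user, then verifying every Administrator logon and looking for deletions) as an added example; this is not code from the post or from the list. It assumes a tab-separated export of the NT/2000 Security log with the columns Date, Time, Event ID, User, Workstation, and uses event IDs 528 (successful logon), 529 (logon failure) and 564 (object deleted) as those Windows versions recorded them. The log lines, the user baseline and the list of admin workstations are constructed sample data.

```python
"""
Cross-reference an exported Security log against a per-user baseline
(expected labs/workstations and hours) and verify administrator logons.
Added example; the export format and all data below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: Date, Time, Event ID, User, Workstation.
SAMPLE_LOG = """\
2003-02-03\t09:15:02\t528\tjsmith\tLAB1-PC07
2003-02-03\t23:41:10\t528\tjsmith\tLIB-PC03
2003-02-04\t08:02:55\t529\tjsmith\tLAB2-PC12
2003-02-04\t08:03:20\t529\tjsmith\tLAB2-PC12
2003-02-04\t08:04:01\t528\tjsmith\tLAB2-PC12
2003-02-04\t12:30:00\t528\tAdministrator\tADMIN-WS
2003-02-04\t22:10:44\t528\tAdministrator\tLAB2-PC12
2003-02-04\t22:12:09\t564\tAdministrator\tLAB2-PC12
"""

# Background info on the user ("which labs and when"), as a hypothetical baseline.
BASELINE = {
    "jsmith": {"workstations": {"LAB1-PC07", "LAB1-PC08"}, "hours": (8, 18)},
}
# Workstations from which Administrator logons are expected (hypothetical).
ADMIN_WORKSTATIONS = {"ADMIN-WS"}

LOGON_OK, LOGON_FAIL, OBJECT_DELETED = 528, 529, 564


def parse_export(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, user, workstation = line.split("\t")
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "user": user,
            "workstation": workstation,
        })
    return events


def suspicious_logons(events, username, baseline):
    """Keyword search for one user, then flag logons outside their baseline."""
    profile = baseline[username]
    start, end = profile["hours"]
    flagged = []
    for e in events:
        if e["user"] != username or e["event_id"] != LOGON_OK:
            continue
        reasons = []
        if e["workstation"] not in profile["workstations"]:
            reasons.append("unexpected workstation")
        if not start <= e["when"].hour < end:
            reasons.append("outside usual hours")
        if reasons:
            flagged.append((e["when"], e["workstation"], reasons))
    return flagged


def failed_then_success(events, username, window_minutes=5):
    """Failures followed within a few minutes by a success on the same
    workstation: the pattern to check when a stolen account is suspected."""
    failures = [e for e in events
                if e["user"] == username and e["event_id"] == LOGON_FAIL]
    hits = []
    for s in (e for e in events
              if e["user"] == username and e["event_id"] == LOGON_OK):
        prior = [f for f in failures if f["workstation"] == s["workstation"]
                 and 0 <= (s["when"] - f["when"]).total_seconds() <= window_minutes * 60]
        if prior:
            hits.append((s["when"], s["workstation"], len(prior)))
    return hits


def unverified_admin_logons(events, admin_workstations):
    """Every Administrator logon that did not come from a known admin workstation."""
    return [(e["when"], e["workstation"]) for e in events
            if e["user"] == "Administrator" and e["event_id"] == LOGON_OK
            and e["workstation"] not in admin_workstations]


def deletions_by_user(events):
    """Count object-deletion audit events per user for follow-up."""
    counts = defaultdict(int)
    for e in events:
        if e["event_id"] == OBJECT_DELETED:
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = parse_export(SAMPLE_LOG)
    for item in suspicious_logons(ev, "jsmith", BASELINE):
        print("suspicious logon:", item)
    for item in failed_then_success(ev, "jsmith"):
        print("failures then success:", item)
    for item in unverified_admin_logons(ev, ADMIN_WORKSTATIONS):
        print("verify admin logon:", item)
    print("deletions:", deletions_by_user(ev))
```

Run it once per day against that day's export and keep the flagged tuples; a workstation that keeps appearing in the flagged list for a user is the place to concentrate on, and any Administrator logon in the last list should be matched to a specific person.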