> Some suggestions:
>
> 1.) Manually reset passwords on all privileged (i.e., more than a
> "Domain User"). Positively identify every individual requesting a
> password change on those accounts.

Do your students have student cards? I refuse to change the password if
they don't have either a student card or a driver's license.

> 2.) Reset the local administrator password on all machines (Can this be
> done with AD?), ensure that only "Domain Admins" are members of the
> Local Admins group.

Well, at the college I work at, I leave the local machine administrator
as an administrator, but only so that I can get admin privs when a
machine isn't on the network. However, I have a vbscript that sets a
different randomised password for the administrator account on each
workstation. Also, the local administrator account has no privs at all
on the domain.

Related to this, admin accounts on my network have extra parts to their
logon script that automatically mail me the username and machine name
the moment they log onto a machine. I frequently know where they are
logging on before the logon script has finished running.

> 3.) Mercilessly reduce the number of Admins in your domain.

The NT4 domain I inherited had 18 users with admin privs. This was
brought down to 2 (the MIS manager and his assistant, simply so I
didn't have to go installing the db client on machines. They could do
it). One of the techniques used to reduce this number was to crack the
various admin users' passwords. Presenting a list to upper management
stating that these accounts can be taken over by a student in 24hrs or
less sometimes scares the bosses into agreeing with you. Also stating
things like: Why do they need admin privs? Are they in charge of the
backups? Do they fix machines when they go wrong?

> 4.) Inspect each global group for permissions and memberships

This part can take time, the first time round. But it is worth it, as
you can then monitor the groups for changes with more ease. The
automatic group monitor that (was) running each night here spotted a
change in the members of the domain admins group less than 24hrs after
it happened.

> 5.) If you can localize the misuse/abuse to a few workstations or
> servers, make judicious use of Spectorsoft Pro (monitoring software).

> Hi all,
> First time poster, long time lurker.
>
> I'm doing some work for a school which has approx. 1,000 users
> (students + staff) sharing the same Win2k-AD network resources.
> Windows permissions, shares and passwords are obviously not
> strengthened (why would they be, that would make this easy!) so there
> are suspicions that students are running rampant on this network. I
> was asked to come and investigate for signs of mis-use, abuse, or
> "hacking". What I DID find was a student's directory which had
> *explicit deny* for the administrators group to all rights. I had to
> go and "take ownership" to get a view into this student's directory.

This is taken, on my network, to be an indicator that they are trying
to hide stuff. Usually it is an instant messenger app of some sort (all
instant messengers and IRC clients are explicitly banned in the AUP).
Any complaints made about the change in permissions get the response:
interfering with permissions causes some of our programs to fail (a
user area size monitoring program) and the permissions are reset to
stop this interference.

> Now, this is as close to a "smoking gun" as I have. I'm trying to
> "catch these student(s)" in the act but it's difficult because, as I
> said to the principal, how do I distinguish between an administrator
> using their account and a student who's guessed their password??
>
> The real request here is this: How would one go about analyzing a
> live system like this? I can't arouse too many suspicions as I was
> asked to catch the person/people involved in this activity. Where
> would you start? (I've turned on Windows object auditing pretty
> heavily, but that's a monumental task sifting through all that
> data!!). Any real-world experience or suggestions for a Win2k network
> would be most-appreciated!
>
> /Ralph/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
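Two of the checks described in this reply (the nightly monitor that catches changes to privileged group membership, and the explicit Deny-for-Administrators ACL that Ralph found on a student's home directory) can be scripted on a modern domain. The following is an added example, not the poster's vbscript and not a SecurityFocus tool; it assumes the ActiveDirectory PowerShell module from RSAT is installed, and the group list, baseline folder (`C:\Audit\GroupBaselines`) and student home share (`\\fileserver\students$`) are placeholders you would replace with your own.

```powershell
# Added example: privileged-group drift check plus Deny-ACE scan of home dirs.
# Assumptions (not from the thread): RSAT ActiveDirectory module is present,
# the account running this can read group membership and folder ACLs, and the
# paths below are placeholders.
#Requires -Modules ActiveDirectory

param(
    [string[]]$Groups      = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
    [string]  $BaselineDir = 'C:\Audit\GroupBaselines',    # assumed path
    [string]  $HomeRoot    = '\\fileserver\students$'       # assumed share
)

function Get-PrivilegedGroupMembers {
    param([string]$GroupName)
    # -Recursive expands nested groups, so an account tucked inside a
    # group-in-group still shows up in the member list.
    @(Get-ADGroupMember -Identity $GroupName -Recursive |
        Select-Object -ExpandProperty SamAccountName |
        Sort-Object -Unique)
}

function Test-PrivilegedGroupDrift {
    param([string]$GroupName, [string]$BaselineDir)
    $safeName = $GroupName -replace '[^A-Za-z0-9]', '_'
    $file     = Join-Path $BaselineDir "$safeName.txt"
    $current  = Get-PrivilegedGroupMembers -GroupName $GroupName

    if (-not (Test-Path $file)) {
        # First run: the reviewed membership becomes the baseline.
        New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
        $current | Set-Content -Path $file
        return [pscustomobject]@{ Group = $GroupName; Added = @(); Removed = @(); Baselined = $true }
    }

    # Plain set differences; this avoids Compare-Object's refusal of empty arrays.
    $baseline = @(Get-Content -Path $file | Where-Object { $_ -ne '' })
    [pscustomobject]@{
        Group     = $GroupName
        Added     = @($current  | Where-Object { $baseline -notcontains $_ })
        Removed   = @($baseline | Where-Object { $current  -notcontains $_ })
        Baselined = $false
    }
}

function Find-AdminDenyAces {
    param([string]$Root)
    # Top-level home directories only. Two findings matter: an explicit Deny
    # ACE naming an admin principal, and a folder whose ACL cannot even be
    # read (the "had to take ownership" symptom from the thread).
    foreach ($dir in Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue) {
        try {
            $acl = Get-Acl -Path $dir.FullName -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Path = $dir.FullName; Identity = '(ACL unreadable)'; Rights = $_.Exception.Message }
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Deny' -and
                $ace.IdentityReference.Value -match 'Administrators|Domain Admins|SYSTEM') {
                [pscustomobject]@{ Path = $dir.FullName; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Run nightly from a scheduled task; anything non-empty below is worth a look.
foreach ($g in $Groups) {
    $r = Test-PrivilegedGroupDrift -GroupName $g -BaselineDir $BaselineDir
    if ($r.Baselined) { Write-Output "Baseline recorded for '$g'"; continue }
    if ($r.Added.Count)   { Write-Warning ("'{0}' gained:  {1}" -f $g, ($r.Added   -join ', ')) }
    if ($r.Removed.Count) { Write-Warning ("'{0}' lost:    {1}" -f $g, ($r.Removed -join ', ')) }
}

Find-AdminDenyAces -Root $HomeRoot | Format-Table -AutoSize
```

The drift check only reports; it deliberately does not rewrite the baseline, so an unexpected addition keeps being reported every night until someone reviews it and re-records the file. Pair the warnings with Security log event 4728/4732 (member added to a security-enabled group) if auditing of account management is enabled, which gives the who-and-when that a membership diff alone cannot.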
This archive was generated by hypermail 2b30 : Fri Feb 14 2003 - 06:43:17 PST