Tracking rogue users

Thread starter: Brian J
I have been asked to investigate a Windows server. The server is unknown to
me but is 2003.

The client suspects rogue user activity. The user was a support technician
with administrator privileges. The activity occurred some weeks ago. I
have few details but the activity included, but was not necessarily limited
to, a large number of outbound e-mails generated automatically by a program.

The client has firewall, anti virus and anti spam software installed but I
do not know which programs.

Please can anyone suggest ...
.... any post incident strategies for finding or tracing rogue activity
.... utilities that verify the integrity of System files and folders
.... further reading on the internet

--
Regards,

Brian
 
Re: Tracking rogue users


"Brian J" <brian@nospam.com> wrote in message
news:717FBE35-12EF-4373-B5F6-EE084BB5F31B@microsoft.com...
> I have been asked to investigate a Windows server. The server is unknown to
> me but is 2003.
>
> The client suspects rogue user activity. The user was a support technician
> with administrator privileges. The activity occurred some weeks ago. I
> have few details but the activity included, but was not necessarily limited
> to, a large number of outbound e-mails generated automatically by a program.
>
> The client has firewall, anti virus and anti spam software installed but I
> do not know which programs.
>
> Please can anyone suggest ...
> ... any post incident strategies for finding or tracing rogue activity
> ... utilities that verify the integrity of System files and folders
> ... further reading on the internet
>
> --
> Regards,
>
> Brian
>


First thing is to get a LOT more information about the system and the
software installed.
How does your user know that the emails actually originated from their site,
instead of someone just using their email address?
 
Re: Tracking rogue users


"NeilH" <neil@nospam.uk> wrote in message
news:%23bkYaG2EJHA.680@TK2MSFTNGP03.phx.gbl...
>> Please can anyone suggest ...
>> ... any post incident strategies for finding or tracing rogue activity
>> ... utilities that verify the integrity of System files and folders
>> ... further reading on the internet


Well,..not to be a stick-in-the-mud,...but please don't confuse CSI:Miami
and Hollywood movies with the way things are in real life.

Unless Auditing was specifically setup ahead of time on particular items to
be audited,...there is no "trail",...and you can't set auditing on a huge
amount of items or the log information is so huge and overwhelming that it
becomes useless. And even if there was auditing, the technician would
probably have been smart enough to not use his own personal account but use the
regular Administrator account,..so the auditing events in the event log
would just say that things were done by "Administrator",...which is not very
useful.

There may be tools to verify the integrity of system files and folders, I
don't know. But if there are serious problems with the machine suspected,
then it would be just as fast to backup any specific important material on
the machine,...flatten it,...reload it from scratch,...restore the backed up
material to the machine. Now you know the machine is clean and it only took
a couple hours.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
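The attribution problem Phillip raises (events that only say "Administrator") is the point this added example works through; it is not code from any poster in the thread. It assumes the Security log has already been exported to a CSV with the columns shown, and that 528 (logon) and 540 (network logon) are the Windows Server 2003 logon event IDs; the sample rows, column names and business hours are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of Security-log logon events (IDs 528 and 540).
# The column layout is an assumption for this example, not a real export format.
SAMPLE_EXPORT = """\
time,event_id,account,logon_type,workstation,source_address
2008-09-02 08:55:10,528,Administrator,10,HELPDESK-PC,10.0.5.23
2008-09-02 09:01:44,540,Administrator,3,HELPDESK-PC,10.0.5.23
2008-09-02 22:14:07,528,Administrator,10,TECH-LAPTOP,10.0.9.77
2008-09-02 22:16:30,540,Administrator,3,TECH-LAPTOP,10.0.9.77
2008-09-03 08:50:02,528,jsmith,2,SRV01,-
2008-09-03 23:40:55,528,Administrator,10,TECH-LAPTOP,10.0.9.77
"""

# Accounts several people share, so the account name alone identifies nobody.
SHARED_ACCOUNTS = {"administrator"}
LOGON_EVENT_IDS = {"528", "540"}

def parse_export(text):
    """Read the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def shared_account_sources(rows, shared=SHARED_ACCOUNTS):
    """Group shared-account logons by originating host, so that events which only
    say 'Administrator' can still be tied to a source machine and a time window.
    Returns {(workstation, source_address): (count, first_time, last_time)}."""
    by_source = defaultdict(list)
    for row in rows:
        if row["account"].lower() in shared and row["event_id"] in LOGON_EVENT_IDS:
            by_source[(row["workstation"], row["source_address"])].append(row["time"])
    return {k: (len(v), min(v), max(v)) for k, v in by_source.items()}

def after_hours(rows, start_hour=8, end_hour=18):
    """Shared-account logons outside business hours (hours are an assumption)."""
    hits = []
    for row in rows:
        hour = int(row["time"][11:13])  # "YYYY-MM-DD HH:MM:SS" -> HH
        if row["account"].lower() in SHARED_ACCOUNTS and not (start_hour <= hour < end_hour):
            hits.append((row["time"], row["workstation"], row["source_address"]))
    return hits

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for (ws, addr), (count, first, last) in shared_account_sources(rows).items():
        print(f"{ws:12} {addr:12} {count} logons  {first} .. {last}")
    for hit in after_hours(rows):
        print("after-hours shared-account logon:", hit)
```

The workstation name and source address are recorded with the logon even when the account is shared, so the triage at least narrows the question from "who is Administrator" to "which machine was Administrator used from, and when".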
 