General discussion


Security issues on all Windows O/S

By farisland ·
Can anyone help me out with security issue problems? We have reason to believe that our Windows NT Workstations, NT Servers, Windows 95/98 and HP-UNIX systems have been compromised. We have no intrusion detection or key logging detection or any sort of security software installed on any machines. What I want to check is whether any files have been copied, deleted or modified. Are there any features in the above operating systems to check for these actions? Is it possible to do that and if so how do I go about doing it? Also can anyone recommend software that will detect these actions or any good security software that in the future will monitor these activities?


security issues

by _mark_ In reply to Security issues on all Wi ...

If you think that your machines have been compromised, you must have any webserver, ftp-server or something like that software running. So check out the logs of this software (read the manual how to do this). But I recommend to use a firewall.


Compromise from within firewall sector

by farisland In reply to security issues

We do have a firewall installed. But we are thinking that the system was compromised from within the firewall environment. In a situation like this, is there any way that one can find out from the server logs or system logs if somebody had either copied, deleted or modified any files or folders?


Compromise

by Chris A In reply to Compromise from within fi ...

With Windows 9x there is currently no way to audit events (with WinXP I'm not sure as I am still waiting for my copy to arrive).
Anyway, with WinNT/2k there is a program called Event Viewer which, if you have set up auditing, you can use to view the logs (thank you MS). To set auditing you right click, go to properties, and click auditing; you then set what you wish to audit and it does it.
The only way you will find out who did it is if they did it through an FTP server which logs all details. With WWW it will usually give username, IP etc. but will not say which files were copied, though with some it does give you the files accessed, but off the top of my head I am not sure about IIS.
I would personally recommend that you set auditing on any files you feel were compromised as well as successful logins so you know who was on the network at the time. You may think this is stupid now that the attack has happened, but you will find that once it has been done once, there will be copycats who try to do so, so at least you can catch them.

Chris Allen


Compromise

by Coopachi In reply to Compromise

I agree w/ using Event Viewer, but if you have been compromised internally, then you have several problems. Assuming an NT environment, you could have password guessing. So you may need to analyze the "easiness" of the password (i.e. children's names, pet names, etc.). If someone has guessed a domain admin's password, then all network resources are open. If you suspect after-hours compromise, that can be taken care of in the User Manager: you can set times to allow log-ins. You can also restrict the user to being able to log on to only certain machines (also in User Manager). You may need to check your groups; someone may have been given administrative rights by accident. If you think the information got out through email, you may have to install a content filtering software like Mail Essentials (the only one I am familiar with). Anyway, between Auditing and Event Viewer and User Manager you should stand a pretty good chance of catching the perp.

hope this helps
Jeff Cooper
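
The review suggested in the two replies above (audit successful logons and file access, then look for after-hours activity), sketched as an added example that was not posted by anyone in this thread. It assumes the Security log has been exported to CSV with the constructed column layout shown, that permitted logon hours are 07:00 to 19:00, and it relies on the NT/2000 event IDs 528 (successful logon) and 560 (object open).

```python
import csv, io
from datetime import datetime, time

LOGON, OBJECT_OPEN = "528", "560"  # NT/2000 Security log: successful logon, object open
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed permitted logon hours

# Constructed sample export; the column layout is an assumption for this example.
SAMPLE = """timestamp,event_id,user,computer,accesses,object
2001-11-05 09:12:40,528,jsmith,WS01,,
2001-11-05 09:15:02,560,jsmith,SRV01,ReadData,D:\\Payroll\\q3.xls
2001-11-05 23:41:17,528,tempadmin,SRV01,,
2001-11-05 23:44:53,560,tempadmin,SRV01,ReadData,D:\\Payroll\\q3.xls
2001-11-05 23:45:10,560,tempadmin,SRV01,DELETE,D:\\Payroll\\q3.xls
"""

def load(text):
    """Parse the export and return its rows in time order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["when"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["when"])

def after_hours_logons(rows):
    """Successful logons outside the permitted window."""
    return [r for r in rows if r["event_id"] == LOGON
            and not (WORK_START <= r["when"].time() < WORK_END)]

def file_activity(rows, users):
    """Audited file opens by the given accounts, with the access requested."""
    return [(r["timestamp"], r["user"], r["accesses"], r["object"])
            for r in rows if r["event_id"] == OBJECT_OPEN and r["user"] in users]

def review(text):
    """Accounts that logged on after hours, and every audited file they opened."""
    rows = load(text)
    suspects = {r["user"] for r in after_hours_logons(rows)}
    return suspects, file_activity(rows, suspects)

if __name__ == "__main__":
    suspects, activity = review(SAMPLE)
    print("after-hours accounts:", sorted(suspects))
    for line in activity:
        print(*line)
```

This only reports what auditing recorded: files without an audit entry configured, and anything that happened before auditing was switched on, will not appear.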


Thank You Guys. Helpful Information

by farisland In reply to Compromise

Thank You Jeff, Chris and Mark. Your information was very helpful and I will keep it for future use. Once again Thank You. I will be more careful in Web Server protection.


W2000

by ms In reply to Security issues on all Wi ...

check sfc command

sfc /scannow


Very Informative

by farisland In reply to W2000

Thank You. That is a good piece of command, I have learned now. Thank you
