Tracking rogue users

Posted

I have been asked to investigate a Windows server. The server is unknown to me but is 2003.

The client suspects rogue user activity. The user was a support technician with administrator privileges. The activity occurred some weeks ago. I have few details but the activity included, but was not necessarily limited to, a large number of outbound e-mails generated automatically by a program.

The client has firewall, anti-virus and anti-spam software installed but I do not know which programs.

Please can anyone suggest ...
.... any post-incident strategies for finding or tracing rogue activity
.... utilities that verify the integrity of System files and folders
.... further reading on the internet

--
Regards,

Brian

Posted

Re: Tracking rogue users

"Brian J" <brian@nospam.com> wrote in message
news:717FBE35-12EF-4373-B5F6-EE084BB5F31B@microsoft.com...
> I have been asked to investigate a Windows server. The server is unknown to
> me but is 2003.
>
> The client suspects rogue user activity. The user was a support technician
> with administrator privileges. The activity occurred some weeks ago. I
> have few details but the activity included, but was not necessarily limited
> to, a large number of outbound e-mails generated automatically by a program.
>
> The client has firewall, anti-virus and anti-spam software installed but I
> do not know which programs.
>
> Please can anyone suggest ...
> ... any post-incident strategies for finding or tracing rogue activity
> ... utilities that verify the integrity of System files and folders
> ... further reading on the internet
>
> --
> Regards,
>
> Brian
>

First thing is to get a LOT more information about the system and the software installed.

How does your user know that the emails actually originated from their site, instead of someone just using their email address?

Guest Phillip Windell
Posted

Re: Tracking rogue users

"NeilH" <neil@nospam.uk> wrote in message
news:%23bkYaG2EJHA.680@TK2MSFTNGP03.phx.gbl...
>> Please can anyone suggest ...
>> ... any post-incident strategies for finding or tracing rogue activity
>> ... utilities that verify the integrity of System files and folders
>> ... further reading on the internet

Well,..not to be a stick-in-the-mud,...but please don't confuse CSI:Miami and Hollywood movies with the way things are in real life.

Unless Auditing was specifically set up ahead of time on particular items to be audited,...there is no "trail",...and you can't set auditing on a huge amount of items or the log information is so huge and overwhelming that it becomes useless. And even if there was auditing, the technician would probably have been smart enough to not use his own personal account but use the regular Administrator account,..so the auditing events in the event log would just say that things were done by "Administrator",...which is not very useful.

There may be tools to verify the integrity of system files and folders, I don't know. But if there are serious problems with the machine suspected, then it would be just as fast to back up any specific important material on the machine,...flatten it,...reload it from scratch,...restore the backed up material to the machine. Now you know the machine is clean and it only took a couple hours.

--
Phillip Windell
http://www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
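An added example, not posted by anyone in this thread and not a Microsoft tool, of the kind of "integrity of System files and folders" check Brian asks about: a Python script that builds a SHA-256 baseline of a folder tree, stores it as JSON, and later reports which files were added, removed or modified. The folder names and file contents are constructed for the demo, and, as Phillip says of auditing, it only yields a trail if the baseline was captured before the incident.

```python
import hashlib
import json
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_baseline(root):
    """Map every regular file under root (relative, '/'-separated) to hash and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "size": os.path.getsize(full)}
    return baseline

def compare(baseline, current):
    """Return (added, removed, modified) relative paths, each list sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current
                      and current[p]["sha256"] != baseline[p]["sha256"])
    return added, removed, modified

def demo():
    """Constructed scenario: snapshot a fake system folder, tamper with it, then diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as handle:
                handle.write(data)
        os.makedirs(os.path.join(root, "System32"))
        write("System32/kernel32.dll", b"original")
        write("System32/old.sys", b"stale driver")
        write("boot.ini", b"[boot loader]")
        # Snapshot taken BEFORE the incident and stored as JSON (keep it off the box).
        stored = json.dumps(build_baseline(root))
        # Simulated tampering: one file changed, one removed, one dropped in.
        write("System32/kernel32.dll", b"patched")
        os.remove(os.path.join(root, "System32/old.sys"))
        write("System32/new.dll", b"dropped")
        return compare(json.loads(stored), build_baseline(root))
```

The JSON snapshot is only evidence if it is stored where an administrator on the investigated machine cannot rewrite it.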