cavalierlan

asked on

Track a hacker

We have noticed a user at my work has a profile on our storage server. He would have to be an admin to get one there. We have also heard this user bragging he can bypass the user privileges.

How can we see where he has been on our network?
A search to see which computers/servers have a profile of his?
Any other good info to see if he can truly bypass his privileges?
Rich Rumble

If your users are in the local admins GROUP of their machines, they can dump the password DB of their machine and get the password hash for the local admin account. If that local admin password is cracked, and that same password is used all over for all user PCs, they could dump the cache and SAM database of each of those PCs and then start cracking other passwords.
Or if a domain admin (either the account or someone belonging to the domain admin Group) has logged on, they could dump the cache of that password and submit it to an online rainbow table lookup, or simply brute force it in their own time using JohnTheRipper, Cain & Abel or hundreds of other password crackers available on the net. They could also trick an admin into logging on to their machine after they have installed a keylogger, be it physical or software. Software keyloggers and dumping the cache as well as the password DB require admin or greater privileges (SYSTEM).

You should turn up the logging on all machines; by default the logging on Windows is not sufficient to properly track a "hacker's" actions. And if the user is an admin, he/she could simply wipe all traces of their event logs if you do not back them up or use monitoring software.

To remedy, have your IT/HR policies posted publicly, maybe on an internal server web-page, make sure all users are aware of the policies. Reset all passwords for everyone if you believe it's possible that your accounts could be compromised by this user. Turn up logging on your critical servers and suspect users, or turn up logging across the board.
http://support.microsoft.com/kb/323076
Always follow best practices: http://xinn.org/win_bestpractices.html
If you need policies to work from as a template, check out SANS: http://www.sans.org/resources/policies/#template
-rich
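The asker's first question was how to find which computers and servers hold a profile for this user. The following is an added example, not code from the original thread or from Rich: it reads each machine's ProfileList registry key over the Remote Registry service (which also works on the 2000/XP/2003 era systems this thread is about, where the Win32_UserProfile WMI class does not exist). It assumes you run it as an account that is an administrator on every target, that the Remote Registry service is running there, and that the computer names and the user name 'jschmoe' are placeholders for your own values.

```powershell
# Added example, not code from the original thread: find which machines hold a
# local profile for a given user by reading each machine's ProfileList registry
# key through the Remote Registry service (works back to Windows 2000/XP/2003,
# where Win32_UserProfile does not exist).
# Assumptions: you run it as an administrator on every target, the Remote Registry
# service is running there, and the computer names and the user name 'jschmoe'
# below are placeholders for your own values.

function Find-UserProfile {
    param(
        [Parameter(Mandatory = $true)] [string[]] $ComputerName,
        [Parameter(Mandatory = $true)] [string]   $UserName
    )

    $profileListKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine

    foreach ($computer in $ComputerName) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer)
            $list = $hklm.OpenSubKey($profileListKey)
            if ($list -eq $null) { continue }

            foreach ($sid in $list.GetSubKeyNames()) {
                # ProfileImagePath is REG_EXPAND_SZ; GetValue expands %SystemDrive%
                # with the *local* environment, which is fine when both use C:.
                $path = $list.OpenSubKey($sid).GetValue('ProfileImagePath')
                if (-not $path) { continue }
                $folderName = Split-Path $path -Leaf

                # Resolve the SID to DOMAIN\user; fall back to the folder name if
                # the SID no longer resolves (deleted account, untrusted domain).
                try {
                    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
                    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $account = $folderName
                }

                # Match on the resolved account name, and also on the folder name
                # (Windows appends .DOMAIN or .000 when a profile name collides).
                $escaped = [regex]::Escape($UserName)
                if ($account -match "(^|\\)$escaped$" -or $folderName -match "^$escaped(\.|$)") {
                    # Folder modification time over the admin share is a rough "last used"
                    $share = '\\' + $computer + '\' + ($path -replace '^([A-Za-z]):', '$1$')
                    $lastWrite = $null
                    if (Test-Path $share) { $lastWrite = (Get-Item $share).LastWriteTime }

                    New-Object PSObject -Property @{
                        ComputerName = $computer
                        Account      = $account
                        SID          = $sid
                        ProfilePath  = $path
                        LastWrite    = $lastWrite
                    }
                }
            }
        } catch {
            Write-Warning ("{0}: {1}" -f $computer, $_.Exception.Message)
        }
    }
}

# Usage: feed it every computer account in the domain (here a placeholder list;
# in practice pipe in the output of dsquery computer or Get-ADComputer).
Find-UserProfile -ComputerName 'STORAGE01', 'WS-042', 'WS-043' -UserName 'jschmoe' |
    Select-Object ComputerName, Account, ProfilePath, LastWrite |
    Format-Table -AutoSize
```

A profile only proves an interactive or remote-interactive logon happened at some point; the folder timestamp is the last time something wrote under that profile, not the last logon. Pair the hit list with the Security logs Rich mentions (logon events on each machine and on the domain controllers) before concluding how the account got there.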
cavalierlan

ASKER

He isn't a local admin of any machine, nor part of any domain admin group. If he cracked one of our domain admin accounts and gave himself admin rights, it was only temporary and he reversed it.
I would like to know if there is a command to search for which computers have a joe schmoe profile built on them, signifying this user has logged onto that machine.
ASKER CERTIFIED SOLUTION
Rich Rumble
This solution is only available to members.
SOLUTION
I would check the storage server local policies > User Rights Assignment
to see what accounts are assigned "Act as part of the operating system",
and of course that would be machine specific for that particular server and not for the entire domain.

I would also go through and start to change all of your passwords. You can then look for password attempts that are failing. In the security event log make sure you are logging failures. That will be a good start. You will get some specific information when the accounts lock out (hopefully the lockout threshold is low).

There are a variety of tools that you can load on client PCs that will track user activity even with screenshots.
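The two checks in that answer, as an added example that is not code from the original thread or from the answerer: the first helper exports the server's User Rights Assignment with secedit and reports who holds "Act as part of the operating system" (the SeTcbPrivilege right); the second pulls failed logons from the Security log so guessing attempts after the password reset stand out. It assumes PowerShell 2.0 or later, that you run it as an administrator on the server itself (secedit exports only the local machine's policy), and that failure auditing of logon events is already enabled as the answer recommends.

```powershell
# Added example, not code from the original thread: two helpers for the checks
# described above. Get-TcbPrivilegeHolders exports the local User Rights
# Assignment with secedit and reports who holds "Act as part of the operating
# system" (SeTcbPrivilege); Get-FailedLogons pulls failed logons from the
# Security log after the password reset so guessing attempts stand out.
# Assumptions: PowerShell 2.0 or later, run as an administrator on the server
# (secedit exports only the local machine's policy), and "Audit logon events"
# failures already enabled, as the answer above recommends.

function Get-TcbPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'user_rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeTcbPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # No line at all means nobody holds the right, which is the secure default.
    if (-not $line) { return @() }

    $entries = ($line -split '=', 2)[1] -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes principals as *S-1-5-...; translate to a name if possible
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $entry }
        } else {
            $entry
        }
    }
}

function Get-FailedLogons {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $After        = (Get-Date).AddDays(-1)
    )
    # 4625 is the failed-logon event on Vista/2008 and later; 529-539 are the
    # pre-Vista failure events (bad password, disabled/locked account, etc.).
    $failureIds = 4625, 529, 530, 531, 532, 533, 534, 535, 537, 539

    Get-EventLog -LogName Security -ComputerName $ComputerName -After $After `
                 -EntryType FailureAudit -InstanceId $failureIds |
    ForEach-Object {
        $msg = $_.Message
        # 4625 lists "Account Name:" twice (subject, then the account that failed);
        # the old events use "User Name:". Take the last account-name match.
        $names = [regex]::Matches($msg, '(?:Account Name|User Name):\s*(\S+)')
        $user  = if ($names.Count -gt 0) { $names[$names.Count - 1].Groups[1].Value } else { '?' }
        $ws    = if ($msg -match 'Workstation Name:\s*(\S+)') { $matches[1] } else { '?' }
        $ip    = if ($msg -match 'Source Network Address:\s*(\S+)') { $matches[1] } else { '?' }
        New-Object PSObject -Property @{
            Time        = $_.TimeGenerated
            EventID     = $_.EventID
            Account     = $user
            Workstation = $ws
            SourceIP    = $ip
        }
    }
}

# Usage: who can act as the OS on this server, then failed logons on it in the
# last day grouped by account and source, so a burst from one workstation is obvious.
Get-TcbPrivilegeHolders
Get-FailedLogons -After (Get-Date).AddDays(-1) |
    Group-Object Account, Workstation, SourceIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run the same failed-logon query against the domain controllers as well as the storage server; an account being guessed against the domain shows up there even if the server's own log was cleared, which is the scenario Rich warned about for an attacker with admin rights.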
SOLUTION
This solution is only available to members.