I'm responsible for several Windows 2003 servers. After reading some security papers, it turns out that I can never find out whether a hacker was or is able to manipulate my servers.
This is my setup:
I offer a web service running on Tomcat under Windows 2003. This web service is delivered by a frontend Apache server with mod_proxy under Debian Linux. In front of the Debian and Windows servers is a zone-based firewall with just certain ports open. Neither server is allowed to connect to the Internet. Tomcat on Windows runs as a restricted user, with write permissions to the log folder and the application folders.
Suppose a hacker is able to get shell access on Windows and run an exploit to force a privilege escalation, granting him administrator permissions. How can I prevent that, or is that assumption too paranoid?
Let's say the attacker is after some documents I host on that server, or is using a connection to our mail server to send a few (spam) emails. Our firewall shuts down automatically in case there are too many connection attempts, so I'm not after a spam proxy monitor.
So I'm thinking about session security-breach monitoring that is redirected to some loghost, which might trigger an alert.
Tripwire might also be an approach, but I didn't find any free solutions for Windows.
How do you deal with it?
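As an added example that is not part of the original question: the Tripwire-style check the poster is looking for can be built with nothing but PowerShell on the Windows host. The script below hashes every file under the folders the restricted Tomcat account can write to, stores a baseline, and on later runs reports added, removed and modified files, writing the findings to the Application event log so that whatever already forwards the Windows logs to the loghost can raise the alert. Everything path- and name-related is an assumption: the Tomcat folders under `C:\tomcat`, the baseline file on `D:\fim`, the event source name `TomcatFIM`, and PowerShell 2.0 being installed on the Windows 2003 server (which is why SHA-256 is computed through .NET rather than `Get-FileHash`).

```powershell
# Added example, not code from the original post. Minimal file-integrity
# monitor for the folders a restricted Tomcat service account can write to.
# Assumptions: PowerShell 2.0 on Windows 2003; the paths below are placeholders;
# the baseline lives on a volume the Tomcat account cannot write to, otherwise
# an attacker holding that account can simply rewrite the baseline.

param(
    [string]$Mode = "check",                                        # "baseline" or "check"
    [string[]]$Paths = @("C:\tomcat\webapps", "C:\tomcat\conf"),    # assumed Tomcat layout
    [string]$BaselineFile = "D:\fim\tomcat-baseline.csv"            # assumed read-only for Tomcat
)

# SHA-256 through .NET so this runs on PowerShell 2.0 (Get-FileHash needs PS 4+).
function Get-Sha256 {
    param([string]$File)
    try {
        $stream = [System.IO.File]::OpenRead($File)
        try {
            $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream)
            return ([System.BitConverter]::ToString($hash)).Replace("-", "")
        } finally {
            $stream.Close()
        }
    } catch {
        # Locked or unreadable files still show up in the diff instead of aborting the run.
        return "UNREADABLE"
    }
}

# Snapshot every file (hidden ones included) under the watched roots.
function Get-Snapshot {
    param([string[]]$Roots)
    $rows = @()
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $rows += New-Object PSObject -Property @{
                    Path   = $_.FullName
                    Length = $_.Length
                    MTime  = $_.LastWriteTimeUtc.ToString("o")
                    Sha256 = Get-Sha256 $_.FullName
                }
            }
    }
    return $rows
}

# Compare two snapshots keyed by path; report added, removed and modified files.
function Compare-Snapshot {
    param($Baseline, $Current)
    $old = @{}; foreach ($r in $Baseline) { $old[$r.Path] = $r }
    $new = @{}; foreach ($r in $Current)  { $new[$r.Path] = $r }
    $findings = @()
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p))                 { $findings += "ADDED    $p" }
        elseif ($old[$p].Sha256 -ne $new[$p].Sha256)   { $findings += "MODIFIED $p" }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p))                 { $findings += "REMOVED  $p" }
    }
    return $findings
}

switch ($Mode) {
    "baseline" {
        Get-Snapshot $Paths | Export-Csv -Path $BaselineFile -NoTypeInformation
        Write-Host "Baseline written to $BaselineFile"
    }
    "check" {
        $baseline = Import-Csv -Path $BaselineFile
        # @() forces an array so .Count is 0 rather than $null when nothing changed.
        $findings = @(Compare-Snapshot $baseline (Get-Snapshot $Paths))
        if ($findings.Count -eq 0) {
            Write-Host "No changes."
        } else {
            $msg = "Tomcat integrity check: $($findings.Count) change(s)`n" + ($findings -join "`n")
            Write-Host $msg
            # Land the finding in the Application log so the existing log forwarding to the
            # loghost carries it. The source must be registered once, as an administrator:
            #   New-EventLog -LogName Application -Source "TomcatFIM"
            Write-EventLog -LogName Application -Source "TomcatFIM" -EntryType Warning `
                -EventId 1001 -Message $msg
        }
    }
}
```

Run it once with `-Mode baseline` after a known-good deployment, then schedule `-Mode check` from a scheduled task that runs under an account other than the Tomcat service account. That separation is the point of the exercise: a monitor that runs as the compromised user, or that keeps its baseline where that user can write, tells the attacker exactly what to fix up. The log folder is deliberately left out of `$Paths`, since Tomcat writes there legitimately and every run would otherwise flag it.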