Network Security


R Martins

To Microsoft Support Centre

A very serious security issue has arisen in the place
where I work; it concerns an employee. In February a
computer was allocated to a CEO in my department and it
was given the network ID name "Win2kPC01". 4 months later,
due to network problems, my company invited 2 senior staff
to analyse our current network infrastructure, which was
really an internal audit, and they noted that the CEO's
computer name had been changed. Disturbingly, it was
changed to an offensive name.

An investigation has been conducted. Following a look-up
of the log files located in the Event Viewer, we have
noticed that the log files are no longer there, which
tells us that the perpetrators deleted the log files after
renaming the computer.

I would be grateful if you could advise me on how to
recover the lost/deleted log files since February so we
can find the responsible perpetrator who logged in and
changed the computer name to such.

Many thanks

R Martins
Systems Manager
(e-mail address removed)
 
R said:
To Microsoft Support Centre

A very serious security issue has arisen in the place
where I work; it concerns an employee. In February a
computer was allocated to a CEO in my department and it
was given the network ID name "Win2kPC01". 4 months later,
due to network problems, my company invited 2 senior staff
to analyse our current network infrastructure, which was
really an internal audit, and they noted that the CEO's
computer name had been changed. Disturbingly, it was
changed to an offensive name.

An investigation has been conducted. Following a look-up
of the log files located in the Event Viewer, we have
noticed that the log files are no longer there, which
tells us that the perpetrators deleted the log files after
renaming the computer.

I would be grateful if you could advise me on how to
recover the lost/deleted log files since February so we
can find the responsible perpetrator who logged in and
changed the computer name to such.

Many thanks

R Martins
Systems Manager
(e-mail address removed)

Sounds to me like much ado about nothing. What you really need is to
improve your security so this can't happen in the first place.

--
-the small one

All postings carry no guarantee or warranty, expressed or implied.
Proceed at your own risk, and perform system and data backups prior to
making changes to your system, and on a regular basis, to protect your
system.
 
Yeah well, you still don't know where the leak is... It would be like looking
for a needle in a haystack. So it would be easy to be able to define the
problem so you can work out a good solution. Just saying that there is a hole
in your security isn't enough. You know that there is a problem, but you don't
know what it is. It could be compared to a doctor who says that you are sick
and need surgery, but he doesn't know what makes you sick. So he cuts open your
skull and your stomach to find out at the end that the problem was your
heart. I don't know about you, but I wouldn't be too happy with that!
 
Blue said:
Yeah well, you still don't know where the leak is... It would be like looking
for a needle in a haystack. So it would be easy to be able to define the
problem so you can work out a good solution. Just saying that there is a hole
in your security isn't enough. You know that there is a problem, but you don't
know what it is. It could be compared to a doctor who says that you are sick
and need surgery, but he doesn't know what makes you sick. So he cuts open your
skull and your stomach to find out at the end that the problem was your
heart. I don't know about you, but I wouldn't be too happy with that!

As I said, the 'leak' is obvious - this is no needle in the haystack.
Two things:

Someone had physical access to the PC. They need to fix that.
Someone was able to log into it. They need to fix that.

To focus their resources on 'who' did the vandalizing - which IMHO was a
minor form of vandalism - is a waste of time. Had the person done
something more serious it might be worth the effort, but just because
they gave the computer an offensive name and covered their tracks, it
seems to me to be overkill.

My IT resources wouldn't be used in that way; they really need to work
on their overall security issues. If this can happen on the CEO's
workstation, then it can happen anywhere, and THAT'S A BIG PROBLEM!

--
-the small one

 
It sure is a big problem, but the security in your network isn't perfect
either. The problem is that you don't know all the security flaws in the
operating system. That's why Microsoft keeps releasing hotfixes and service
packs. I don't know how you can tell what the problem is based on this
little amount of information. Basically you don't know if someone needed
physical access to the PC. You can't imagine what you can do with scripts.
So it is not about who did it, but how did they do it. This way you can
identify the problem and secure the system again. It is not logical to start
to try to secure a random place, which might not be needed. So in my
opinion you definitely jump to conclusions.
 
It is not offensive... But that's why he asked to retrieve the logs, so he
can find out what the hole in the security is. That's a smart question, if
you ask me. And who said that this was a known hole? You can't know that
without identifying the problem.
 
Blue said:
It is not offensive... But that's why he asked to retrieve the logs, so he
can find out what the hole in the security is. That's a smart question, if
you ask me. And who said that this was a known hole? You can't know that
without identifying the problem.

I'm not saying with 100% certainty that this is a known hole. I *am*
saying with a *high degree of certainty* that this is either a known
hole or a simple security fix involving physical security to the PC and
login accounts on that PC. You may be right that the logs could be
useful - especially if it's not a known hole - but my premise is that
the odds are very high that this is not the case.

The way I read the post, they want the logs to track down the culprit,
not to fix a hole. I see that as a huge waste of IT resources
considering that IMHO they very likely have security problems which they
aren't dealing with.

--
-the small one

 
We had a custom made app for this, which made an entry in the log-files. So
we could retrieve the user.
 
Custom app, huh? That's pretty major. Could it tell the
cause, e.g. a batch reg file / Windows GUI / other app etc.?
Like I mentioned, you could just set up auditing on the regkey.
 
No, as far as I can remember it told us what user logged in and after every
session there was an entry added that said which applications were used.
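Taking up the suggestion above to audit the regkey, here is an added example (not from this thread, and written for current Windows rather than Windows 2000; the function names are invented for it) that puts an audit entry on the computer-name key and then reads the Security log for both the rename and any clearing of the log, which is the event that survives when someone wipes the local log after the fact:

```powershell
# Added example, not from this thread. Assumes current Windows (Vista-or-later event IDs)
# and an elevated PowerShell session; the function names are invented for this example.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'

function Enable-ComputerNameAudit {
    # Object Access -> Registry must be on, or SACL entries never produce events.
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    # Put an audit entry on the key: any attempt to set a value is written to the Security log.
    $acl  = Get-Acl -Path $KeyPath -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]::SetValue,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Get-ComputerNameChangeEvents {
    param([datetime]$Since = (Get-Date).AddMonths(-4))
    # 4657 = "A registry value was modified" (needs the SACL above).
    # 1102 = "The audit log was cleared": the rename record may be gone, but the clearing
    #        itself is logged with the account that did it, and the earlier events survive
    #        if they were forwarded to a collector (Windows Event Forwarding) before the wipe.
    $filter = @{ LogName = 'Security'; Id = 4657, 1102; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        if ($_.Id -eq 1102) {
            $who = $xml.Event.UserData.LogFileCleared.SubjectUserName
            [pscustomobject]@{ Time = $_.TimeCreated; What = 'SecurityLogCleared'; User = $who; Detail = '' }
            return
        }
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectName -like '*\Control\ComputerName\ComputerName') {
            [pscustomobject]@{
                Time = $_.TimeCreated; What = 'ComputerNameKeyModified'; User = $d.SubjectUserName
                Detail = "$($d.ObjectValueName) -> $($d.NewValue) via $($d.ProcessName)"
            }
        }
    }
}

Enable-ComputerNameAudit
Get-ComputerNameChangeEvents | Sort-Object Time | Format-Table -AutoSize
```

Event 4657 only appears for changes made after the audit entry is in place, so this answers "who changed it" going forward; it cannot recover entries that were already deleted.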
 