
| Subject: | RE: 1,800 files missing from system32 |
|---|---|
| Date: | Fri, 15 Oct 2004 07:08:26 -0700 (PDT) |
A couple of people have pointed out that this could be a malicious insider. Based on the information I provided I think that is a highly valid response. What I failed to mention is that these sites are very isolated from each other and do not share any common administrators. The security model in place is based mostly on the NSA Windows 2000 guides and far exceeds the OOB security configuration of W2k. AV software is set to quarantine infected software. I had one person respond back that he had seen similar behavior (with only 35 files deleted) caused by Veritas Backup Exec. I'm hoping to get more details. Thanks to everyone who has replied thus far, and any other suggestions on how to track down what is causing this would be most welcome. --- MMoll <MMoll@finance.nyc.gov> wrote:
There are 2 things that come to mind as check point items.....

a. Evaluate the distribution of admin IDs in the production environment. Best practice is a separate human ID for everyday use from admin IDs used for admin work. Point of this is that apparently, the benefit of system ACLs is not being realized, and could be a factor in the high amount of infected files. In a secure production environment, it is difficult for a domain controller to have file damage due to intrusionary processes. Evaluate the security model being used, legacy, enterprise, high security, or none.....see Microsoft's site reference to security guides and templates.

b. Check the settings on the virus software. Setting the action to deny access and continue scanning is more desirable than to delete files upon detection of intrusionary processes.

My belief is that someone using an admin-enabled human ID is the root cause.
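Added example, not part of the original thread and not the poster's or MMoll's own code: one direct way to answer the "how to track down what is causing this" question is to have Windows itself record every deletion under System32 together with the account and the process that performed it. The PowerShell below assumes a current Windows host, an elevated session, and the "File System" object-access audit subcategory already enabled (for example with auditpol, as shown in the comment). It adds a Delete audit entry to the System32 SACL, then reports Security-log event 4663 entries whose access mask includes DELETE (0x10000) for objects under that path. On Windows 2000, the platform in this thread, the equivalent is "Audit object access" in Local Security Policy plus an audit entry in the folder's advanced security properties, and the events to read are 560 (object open, with DELETE in the accesses) and 564 (object deleted) in the Security log.

```powershell
# Added example (not from the original thread): attribute deletions under
# %SystemRoot%\System32 to an account and a process via file-system auditing.
# Assumptions: elevated session on a current Windows host, and the
# Object Access / File System audit subcategory enabled, e.g.:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable

$target = Join-Path $env:SystemRoot 'System32'

# 1. Add a SACL entry: audit successful Delete and DeleteSubdirectoriesAndFiles
#    by Everyone on the directory, inherited by files and subfolders.
$acl  = Get-Acl -Path $target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 2. After the next disappearance: list who opened what for deletion.
#    Event 4663 carries SubjectUserName, ProcessName, ObjectName and the
#    AccessMask; DELETE is 0x10000.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -like "$target*" -and ([int]$d.AccessMask -band 0x10000)) {
      [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process = $d.ProcessName
        Object  = $d.ObjectName
      }
    }
  } | Sort-Object Time | Format-Table -AutoSize
```

A delete-capable open (4663) is not always a removal; a rename or an in-place overwrite opens the file the same way, so pair it with event 4660 ("An object was deleted") on the same Handle ID when you need certainty. Whatever the report shows, the process column is what separates the two candidates already named in the thread: the AV engine's quarantine action, which its own log should corroborate, versus a Backup Exec agent, which its job logs should corroborate.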