
| Subject: | RE: Remote OS Monitoring |
|---|---|
| Date: | Wed, 24 May 2006 10:14:45 -0500 |

Jason,

If you have a few workstations you want to monitor, you may choose to do the following:

1) disable the use of EFS through Group Policy
2) enable auditing
3) audit the use of the Windows attrib program

Local manipulations of the files and directories result in events being written to the local event logs. These logs will need to be monitored for specific event IDs by hand or with a custom VB script, for instance. Attrib is used to remove masking bits.

Alternatively, if you want to monitor a large number of machines, and have the budget, you can use NetIQ or Prism Microsystems' suite of products.

Each of the examples you want to detect will trigger an event. The events you can monitor for.

If you can remove administrative access from the user(s) you are concerned with, you will have solved most of your concerns. Non-admins could still use EFS.

Best Regards,
Scott Ramsdell

-----Original Message-----
From: Jason T. Hallahan [mailto:jthallah@gmail.com]
Sent: Tuesday, May 23, 2006 12:01 PM
To: security-basics@securityfocus.com
Subject: Remote OS Monitoring

Hello and good day,

Say you have a Windows environment where all clients reside on the same workgroup, connect through a Domain Controller, and are administered by Active Directory. Are there any tools or techniques out there that allow for remote monitoring (somewhat if not totally transparent) at any finer level of granularity?

Specifically, being able to tell things like:

*User of a box has implemented EFS (Encrypted File System) possible to hide information.
*User of a box has hidden a directory or file using either Windows functions or 3rd party software.
*User is unmasking and/or viewing hidden/protected system files.
*User is removing Read-Only protection on a directory or file.
*User is manipulating SYSTEM.DAT, NTUSER.DAT, INDEX.DAT or any other registry entries or registry hives.

Does anyone know of such capabilities?

Thanks,
Jason
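
As an added illustration of the "monitor the logs for specific event IDs" step in the reply above (this is not code from the thread, and it uses Python rather than the VB script mentioned), the sketch below scans a Security log exported as XML for runs of attrib.exe and for access to the hive files named in the question. The event IDs 4688 and 4663, the field names, the `wevtutil` export command and the host and user names in the sample are assumptions or constructed values, not taken from the messages.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed IDs (not from the thread): Vista and later log process creation as
# 4688 and object access as 4663; XP/2003-era systems used 592 and 560.
RULES = {
    "4688": ("NewProcessName", {"attrib.exe"}),
    "4663": ("ObjectName", {"ntuser.dat", "system.dat", "index.dat"}),
}

def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_hits(xml_text):
    """Return (computer, user, event_id, target) for each watched event."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        event_id = ev.findtext("e:System/e:EventID", "", NS)
        if event_id not in RULES:
            continue
        field, watched = RULES[event_id]
        data = {d.get("Name"): d.text or ""
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        target = basename(data.get(field, ""))
        if target in watched:
            computer = ev.findtext("e:System/e:Computer", "", NS)
            hits.append((computer, data.get("SubjectUserName", ""),
                         event_id, target))
    return hits

# Constructed sample shaped like `wevtutil qe Security /f:xml /e:Events` output.
_EVT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>{0}</EventID><Computer>{1}</Computer></System>'
        '<EventData><Data Name="SubjectUserName">{2}</Data>'
        '<Data Name="{3}">{4}</Data></EventData></Event>')
SAMPLE = "<Events>" + "".join(_EVT.format(*row) for row in [
    ("4688", "WS01", "alice", "NewProcessName", r"C:\Windows\System32\attrib.exe"),
    ("4688", "WS01", "alice", "NewProcessName", r"C:\Windows\System32\notepad.exe"),
    ("4663", "WS02", "bob", "ObjectName", r"C:\Users\bob\NTUSER.DAT"),
    ("4663", "WS02", "bob", "ObjectName", r"C:\Users\bob\report.doc"),
    # Reading the attrib.exe binary is not the same as running it: no hit.
    ("4663", "WS02", "bob", "ObjectName", r"C:\Windows\System32\attrib.exe"),
]) + "</Events>"

if __name__ == "__main__":
    for hit in find_hits(SAMPLE):
        print(*hit)
```

Object-access events are only written for files that carry an audit entry (SACL) while object access auditing is enabled, so the file rule sees nothing until both are in place.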