August 13th, 2003, 09:50 PM
2K Server unauthorized access
I have an application server running which, unfortunately, runs a fairly insecure enterprise application. Someone (probably on the inside) has compromised shares on this box. Due to the architecture, I can't lock it down without rendering something very important to our organization useless (and probably losing my job). I have been doing all kinds of logging, but I can't seem to extrapolate a hostname or IP address from the event logs due to the way this person is breaking in. Does anyone know of any additional tools I could use to monitor EVERY IP or hostname accessing this box? I'm looking for something lightweight, because I doubt they would allow me to install Snort or something of the like. Thanks
August 13th, 2003, 10:56 PM
Let your higher admin know about the break-in and the compromising of the server. They should let you do whatever you need to catch him/her. I don't know why, if you're supposed to be maintaining the server and keeping it up, you can't keep its security up to date and install something like that. Not sure how much you could do with your policy.
August 13th, 2003, 11:28 PM
You could install a NIDS like Snort. It would run on another machine and should have no effect on the application itself. You would of course have to set it up so that it can see traffic going to the server.
You could set up a sniffer. Either on the application server itself (probably a bad idea) or on another box, and sniff all the traffic passing by and see who is getting in that way.
You could set up host-based intrusion detection, although with it being Windows that will limit your options there somewhat.
Somewhere along the line you are going to have to talk to your management about the security risks though. You need to explain it to them in terms of cost, i.e., what would happen if someone maliciously changes data? What happens if the box is formatted? What happens if customer data or intellectual property of the company is stolen... That should change their tune pretty fast.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
August 13th, 2003, 11:45 PM
Would they let you put a box in between the 2K machine and the network? You could put a Linux firewall in between the 2K box and the net and log all the IP traffic in/out. Since it seems you have zero security policy, the wise thing to do would be to make an official report along with some recommendations to your superior to cover yourself. Also, depending on the state/country you're in, you may want to circulate an official security policy document along with the reprisals for unauthorized use and have each employee sign it. A company I contracted to last year wasn't able to terminate an employee because they didn't have an official security policy regarding unauthorized access. If this is a tier 1 app that can be accessed from the internet, you're probably gonna get boned... as it's only gonna be a matter of time......
But the bottom line is that 'due care and diligence' falls on the management........
August 14th, 2003, 06:15 AM
Well, before I say much: you said it was an app server, what sort of apps is it running? I'd say learn what apps are there and what privileges they must have, and as an Admin you can contact the vendor support by phone and explain the problem. Another question is whether the app is accessed from the Web; if so, is Citrix installed? Firewalls and permissions are another issue. You'd have to be more specific than the general info you posted; you really did not include much info other than locking someone out and an often attempted ploy of social engineering. A simple netstat, after knowing the ports the app is talking on, should give you what you require. Just a shot in the dark. Netstat is handy if you know the ports an app talks on.
Oops, forgot: if you're an Enterprise Admin you should have access to the domain policy editor and be able to look at the privileges on every account and reset them as need be without affecting any app.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
August 14th, 2003, 05:49 PM
Thanks everyone for the ideas. I've thought of using Snort, and I've tried using netstat redirecting the output to a text file at intervals, but that's extremely high maintenance. It kinda sucks being in enterprise politics where this group is responsible for this, and won't let you do that without talking to this idiot first. I'll figure it out, but thanks for the help.
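One lightweight way to make the interval netstat polling the poster describes less high-maintenance: parse each capture and log only remote hosts that are newly seen on the share ports, instead of reading raw text files by hand. This is an added example, not code from the thread; the netstat lines, the 10.0.0.x addresses and the port set are constructed assumptions (Windows 2000 netstat -an has no PID column).

```python
"""Poll netstat -an style output and report remote hosts holding sessions to
file-share ports. Added example; the sample netstat output is constructed."""
import re

# Windows 2000 "netstat -an" columns: Proto  Local Address  Foreign Address  State
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

# NetBIOS session and SMB ports used by file sharing; add the app's own ports.
SHARE_PORTS = {139, 445}


def share_clients(netstat_text: str, ports=SHARE_PORTS) -> set:
    """Return the remote IPs with an ESTABLISHED session to one of `ports`."""
    clients = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue  # header, blank, or UDP line
        _local_ip, local_port, remote_ip, _remote_port, state = m.groups()
        if state == "ESTABLISHED" and int(local_port) in ports:
            clients.add(remote_ip)
    return clients


def new_clients(netstat_text: str, seen: set, ports=SHARE_PORTS) -> set:
    """Diff one poll against hosts already logged; updates `seen` in place."""
    fresh = share_clients(netstat_text, ports) - seen
    seen |= fresh
    return fresh


# Constructed sample of one poll; 10.0.0.5 is the assumed server address.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:445           10.0.0.77:1104         ESTABLISHED
  TCP    10.0.0.5:139           10.0.0.23:2201         ESTABLISHED
  TCP    10.0.0.5:3389          10.0.0.99:1055         ESTABLISHED
  TCP    10.0.0.5:445           10.0.0.77:1105         TIME_WAIT
"""

if __name__ == "__main__":
    seen_hosts = set()
    for ip in sorted(new_clients(SAMPLE, seen_hosts)):
        print("new share client:", ip)
```

Run it against each saved netstat capture in turn, keeping the `seen` set between runs, so only hosts not yet logged are reported.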
August 14th, 2003, 06:21 PM
Well, how about just running Netmon or Ethereal on the box in question and sniffing all the traffic that comes to that box. You can then find out the IP, MAC, hostname, etc. of the box that is accessing your server without authorization.
Also have you tried auditing the box? You can find out almost all of the information you are looking for with some creative use of auditing.
Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.