Active Directory group memberships

  1. #1
    Junior Member | Join Date: Mar 2006 | Posts: 2

    Active Directory group memberships

    Hi,
    This is my first time posting and I have to say, I am really impressed with these forums. I'm hoping someone has an answer to this.
    One of our managers had a few of his group memberships removed from his Active Directory account. The domain controllers have all had their event logs deleted. Is there any way to find out who may have modified this user's account? Is anyone familiar with Semantic database analysis, and will this help me?
    Thanks in advance!

  2. #2
    Member | Join Date: Aug 2005 | Posts: 98

    Sorry, I don't have an answer to your question, but just a comment on your problem.

    I think I know the answer to this question but I will ask it anyway.

    Are you archiving and backing up your event logs?

    If you aren't, you should be. The event logs are pointless (particularly the Security event log) if you do not have an appropriate strategy to archive and retain these logs (in case you need to forensically analyse them), to ensure you are not losing important security information.

    When you say they have been deleted, do you mean someone has gone in there and deleted the event logs manually, or have they been overwritten as part of "normal" use? If someone has manually deleted them you have a BIG problem, because you have a disgruntled user with Admin access to your DC. How many admins are there in the organisation and, worse, how many are/could be disgruntled?

    Even if the event logs have been 'overwritten' with other data you still have a problem, because again you are losing important security information that you now require. You may need to look at your log file rotation policy (via Group Policy Management Console), increase your log file size and change the rotation policy.

    I'm not sure of a solution to your problem; I will see if I can find anything, but I strongly encourage you to consider implementing appropriate backup/archival strategies as well as log rotation. That way, if an Admin manually deletes logs you still have them on tape, and if it was a case of the logs being overwritten you should be able to stop this occurring again.

  3. #3
    Junior Member | Join Date: Mar 2006 | Posts: 2

    Thank you for your comments. You are correct in all of your assumptions. The security event log was purposely deleted.
    If the account modification was made the same day as the log deletion, then I am basically out of luck. I have never played with the log rotation using group policy. Do you mind explaining this a little bit to me? Is this what you use, or do you use another 3rd-party tool to do your log archiving and rotation?
    Thank you

  4. #4
    Even if the eventlogs have been 'overwritten' with other data you still have a problem because again you are losing important security information that you now require, you may need to look at your log file rotation policy (via Group Policy Management Console) and increase your log file size and change the rotation policy.
    I am not sure about this, but you may also lose admissibility as evidence, depending on your location, so that even if they are recovered they cannot be used in court.

    You may want to check router logs if there are any. If you look at the time that the logs were modified... that will give you a starting point from which you can go through other logs, again, depending on availability.

  5. #5
    Banned | Join Date: Apr 2003 | Posts: 1,146

    You need to stop the bleeding as soon as possible.

    1) Change the Enterprise Admin account password immediately.
    2) Change all Domain Admin account passwords immediately.
    3) Look through your AD for accounts you did not create.
    4) Look through your Domain Controllers for local accounts you did not create.

    You have been attacked successfully and your DCs are owned. You should be declaring an incident and following your Incident Handling Procedures. If you are a bank or financial institution, you should be on the phone to the Secret Service or FBI. You may just want to call the FBI and let them take a look.

    Git 'er done!
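A first-response script for step 3 and the admin-group review behind steps 1 and 2, as an added example that is not from the thread; it assumes the RSAT ActiveDirectory PowerShell module on a trusted admin workstation, and the 30-day window and snapshot path are constructed values.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# an account that can read the domain. Run from an admin workstation you still trust.
Import-Module ActiveDirectory

# Constructed values: look-back window and where to keep the membership snapshot.
$Since        = (Get-Date).AddDays(-30)
$SnapshotPath = "C:\IR\admins-$(Get-Date -Format yyyyMMdd).csv"

# Step 3: accounts created inside the window. The object owner is the creating
# account (or Domain Admins when an admin created it), which narrows down which
# credential was used.
Write-Output "== Accounts created since $Since =="
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, nTSecurityDescriptor |
    Select-Object SamAccountName, Enabled, whenCreated,
        @{ Name = 'Owner'; Expression = { $_.nTSecurityDescriptor.Owner } } |
    Format-Table -AutoSize

# Steps 1-2 support: everyone who currently holds Enterprise Admin, Domain Admin or
# built-in Administrators, resolved through nested groups.
$members = foreach ($group in 'Enterprise Admins', 'Domain Admins', 'Administrators') {
    Get-ADGroupMember -Identity $group -Recursive |
        Select-Object @{ Name = 'Group'; Expression = { $group } },
                      SamAccountName, objectClass, distinguishedName
}
Write-Output '== Current privileged group membership =='
$members | Format-Table -AutoSize

# adminCount stays 1 after an account leaves a protected group, so this list also
# shows who *used* to be an admin, which the group listing above cannot.
Write-Output '== Accounts flagged by AdminSDHolder (adminCount=1) =='
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties whenChanged |
    Select-Object SamAccountName, Enabled, whenChanged | Format-Table -AutoSize

# Keep today's membership so the next run can be diffed against it.
New-Item -ItemType Directory -Path (Split-Path $SnapshotPath) -Force | Out-Null
$members | Export-Csv -Path $SnapshotPath -NoTypeInformation
```

Diff successive snapshots with Compare-Object to see memberships that appear or disappear between runs.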

  6. #6
    Member | Join Date: Aug 2005 | Posts: 98

    The log rotation would not have helped you if the malicious user deleted the logs the same day; all the log rotation would have done is stop "accidental over-writing", that is, so many Security Log events being generated that you lose critical data.

    Here is the entry from the Microsoft Threats and Countermeasures Guide about the event log settings in GP:
    http://www.microsoft.com/technet/sec.../tcgch06n.mspx

    Note that these settings need to be considered together for their overall effect, not just one at a time.

    Other good links:
    http://support.microsoft.com/default.aspx?kbid=323076
    http://www.microsoft.com/downloads/d...displaylang=en
    http://technet2.microsoft.com/window...p/default.mspx

    This will only change the way the logs are handled on the machine; you could then have some form of mail-in or backup utility to archive or back up the logs at appropriate times.

    If you have an administrator who has purposely deleted log files, though, then the proverbial horse has already bolted. It doesn't really matter what you do; someone with domain admin privileges can always delete log files on the machine (unless you SERIOUSLY mess with the ACLs, which is not something I would recommend you do lightly).

    I agree with rapier57 - this is a serious breach and you may want to get some experts or law enforcement in to chase this up! A review of who has admin access (and perhaps cutting it down for a while) and a good old fashioned "reading of the riot act" to all admins is called for until you can find the culprit.
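Applying the retention settings those links describe on a DC, archiving the log off the box, and pulling the events that would have answered the original question, as an added example that is not from the thread or the linked guide; it assumes Windows Server 2008 or later (wevtutil, Get-WinEvent) and a constructed archive path.

```powershell
# Added example, not from the thread. Run elevated on each domain controller.
# Assumes Windows Server 2008 or later; $ArchiveTo is a constructed path.
$LogName   = 'Security'
$ArchiveTo = 'D:\EventLogArchive'   # better: a share the DC can write to but not delete from
$MaxBytes  = 512MB

# Retention policy, the same knobs GP exposes under Event Log settings: larger log,
# retain rather than overwrite, and auto-archive a full log instead of losing events.
& wevtutil.exe sl $LogName "/ms:$MaxBytes" /rt:true /ab:true

# Archive: copy the live log off the machine as a timestamped .evtx file.
New-Item -ItemType Directory -Path $ArchiveTo -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
& wevtutil.exe epl $LogName (Join-Path $ArchiveTo "$env:COMPUTERNAME-$LogName-$stamp.evtx")

# Detection: the events this thread needed. 1102 = audit log cleared (names who did it);
# 4728/4729, 4732/4733, 4756/4757 = member added/removed from a global, domain local
# or universal security group. An archived copy still has these after the live log is gone.
$ids    = 1102, 4728, 4729, 4732, 4733, 4756, 4757
$filter = @{ LogName = $LogName; Id = $ids; StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    # 47xx events carry their fields in EventData; 1102 puts them under UserData/LogFileCleared
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    foreach ($n in $x.Event.UserData.LogFileCleared.ChildNodes) { $d[$n.LocalName] = $n.InnerText }
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Group  = $d['TargetUserName']   # group name for 47xx; empty for 1102
        Member = $d['MemberName']       # DN of the account added or removed
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If the DCs receive event log policy from Group Policy, the GPO values override these local ones, so set the same size and retention there as well.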

  7. #7
    Junior Member | Join Date: Jun 2005 | Posts: 16

    rapier57: "You may just want to call the FBI and let them take a look."
    LOL! Have you ever called the FBI for an IT attack? My job requires it, and it really is just procedural. Doesn't matter if you have a 10 dollar network or a 10 billion dollar network, you are better off just unplugging the network cable than waiting on the FBI.

    The feds cannot afford top-level IT security staff; next time you have them analyzing your compromised server, rapier57, ask them to explain the OSI model to you and listen to the sound of your own heart beating, 'cause that is all you will hear. LOL.

    The best advice for the OP, and it has already been given, is to get some pros to take a look. Pros cost money, not everyone has money and that's why so much ownage is still going on.
    sudo
