Angelic: Can I just clear one thing up?
Is this Term server accessible from the public network or is it an internal only "thing"?
Everyone on the LAN has access to the terminal server. Most employee work is done on the terminal server as opposed to on their local machines. Those who connect from home, outside the LAN, also have the ISP of the terminal server so they may do so.
No one but employees have access though.
I meant do you have access to change domain level security in active directory, more like are you using active directory? I will assume so:
Ok let's see how my memory is. In active directory users and computers right click domain controllers and select properties then go to Group Policy. Edit the default domain policy listed since you probably haven't customized any.
Drill down to windows settings/security settings/event log and set the attributes you want.
While you are there you can see all kinds of setting to be played with on other objects. Just be careful you don't lock things out and make a handwritten log of every change you make. Peace.
//edit Well my memory sucks, don't drill into the event log, go above it to /Local Policies and play with the audit policy. If those are all turned on you should see something in the security log. It won't log application installs I don't think, perhaps someone else can comment. Unless it's to a protected directory. It should audit privileged changes to the registry though? Not sure. This is a reason also to never allow admins to share common credentials. Like having all admins use "administrator" it should be removed or changed to something protected. Etc.
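Added example, not part of the original thread: once the audit policy described in the post above is generating events, the Security log can be searched for installer launches and the account that ran them. It assumes process-creation auditing is enabled and that the host records process creation as event ID 4688; the function name and the installer name pattern are hypothetical.

```powershell
# Assumption: "Audit process tracking" (Success) is enabled under
# Local Policies / Audit Policy, and process creation is logged as event 4688.
# Reading the Security log requires an elevated session.

function Get-InstallerLaunch {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        # Hypothetical file-name pattern for installers; tune it for your environment.
        [string]$Pattern = '(?i)\\(setup|install|msiexec)[^\\]*\.exe$'
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the fields by name from the event XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            if ($data['NewProcessName'] -match $Pattern) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    LogonId = $data['SubjectLogonId']
                    Process = $data['NewProcessName']
                }
            }
        }
}

# Installer launches over the last two days, oldest first.
Get-InstallerLaunch -Since (Get-Date).AddDays(-2) |
    Sort-Object Time |
    Format-Table -AutoSize
```

The LogonId value can be matched against the logon event (ID 4624) for the same session to see which workstation or address the session came from.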
I never like seeing sweeping statements like that in this field......
Quote: No one but employees have access though
Are you saying that because all your users are using the same ISP the TS is not available from outside the ISP, (ie. they have port 3389 blocked at their firewall inbound)? Have you ever tried to get to the TS from somewhere else in the world?
I understand your point about your users not being the sharpest knives in the drawer but never underestimate them either, (one of them got Photoshop on your TS... ;) ). With TS you have to allow them to login through TS in their AD account. This means that if they can get to the TS from anywhere then they can log in. So actually, a user who you don't have set up to log in from home but does have access to the TS server internally also has access from home if they use WINXP and know the address.....
That aside though, from the timing of it it looks like a user messing around on their lunch break. If no installation is required as SirDice said then there wasn't much you could do to stop it other than making policies about which programs can be run on the box and block all others but that is very restrictive and can be very time consuming if you install something like office because it relies on so many things to run and it takes you weeks to track them all down.
Get a proper audit policy going is the best advice I can give at this point. Since there was no harm done I would put it down to experience and write an acceptable use policy that includes a part that says no-one can install any software on any machine without the prior permission of the MIS.
Just an off the wall comment...
Is physical access to the server easy?
Could it have been left logged in?
Steve
This is a really, really really stupid question.
Quote: newest terminal server.
Did photoshop elements come with the new box?
Just curious...
Another question: Do you know what version of Photoshop was installed? Maybe a cracked copy that doesn't edit the registry? (And therefore bypasses permissions)
Tiger -- I don't know of any way to access the TS without using the ISP if trying to connect from outside the LAN. The TS can indeed be accessed from other locations (for example, our CEO is currently using it from the Virgin Islands). Definitely agree with your point about not underestimating users too. No worse enemy than complacency.
Steve -- The server room is upstairs and, unfortunately, is in between offices, so there's quite a bit of traffic through it (note: I didn't set it up this way!). However, no server is ever left logged on and unattended to. The only way this could have been pulled off yesterday would have been for someone to whisk in and do a mad fast installation while I had stepped away for a couple of minutes to tend to a copier problem. I don't think a Photoshop installation could be done that quickly though.
Soda -- Photoshop indeed did not come with the box. No question's stupid though. Even the best of us miss the obvious from time to time, especially me!
Jarrod -- I have no idea. The boss uninstalled it soon as he found it, so I have nothing to look at.
Well, I looked through all the accounts in AD, and everything looks as it should be.
I also tested out normal user permissions by logging on as another normal user...I couldn't install anything...hmm, I think I'm stumped.
No Angelic~
Kill "human remains"......the ultimate scapegoats, no-one will ever hate you for it ;)
Quote: maybe the HR manager
Your boss acted a bit prematurely, I would say?....have a talk if you want to "catch" them in future......hell we are talking about an app, not malware?
good luck