-
May 13th, 2004, 02:50 PM
#1
Users exceeding permissions -- How do you find 'em?
I just came into work this morning, and first thing I see is an e-mail from the boss asking me why Photoshop was installed on our newest terminal server.
Here's the odd thing -- Only he and I, as administrators, have install permission on our terminal servers. So if he didn't do it, and I didn't do it, who could have done it?
None of our employees are anywhere near having the knowledge to hack their accounts to add permissions. But, the only thing I can figure is that somehow, somebody managed to get it installed on there. And if they can do that, then we have a security issue.
SonicWALL logs look clean (other than the one port scan I mentioned in my other thread yesterday), so it doesn't look like anything of concern's going on from the outside.
So, where do I start looking for clues?
-
May 13th, 2004, 03:05 PM
#2
First thing I would do is get any old app, log in as a regular user and try to install it. If it works then there is something wrong with your permissions somewhere.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
May 13th, 2004, 03:06 PM
#3
Hrmm.. Personally I'd start with the time of installation and see if you can find out who logged in during that time period. Also, you might want to ensure that some auditing is in place to log events that are "successful" in what they do and not just those that fail.
What is the OS of the Terminal Server and what other permissions cascade down? (Permissions on directories, etc.) What about "operator" accounts or poweruser accounts?
-
May 13th, 2004, 03:13 PM
#4
As a first; double check your permission set up. You MIGHT have missed something.
I seem to remember that the LEAST restrictive applies on a profile, and it could be there that you have a cross over.............
Cannot remember when it goes to the MOST restrictive. Presumably, the user has just slotted the CD in and set it up ? This suggests (to me) that the permissions are a bit wonky.........
On the files themselves, aren't there ownership details available ? At the least you should be able to determine WHEN the deed was done.
[edit] Damn !!! but my typing is SLOW. beaten to the punch line by MsM AND Tiger, and this time I was in the ball park. Ah Well, there's always tomorrow.........[/edit]
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
May 13th, 2004, 03:16 PM
#5
On the files themselves, aren't there ownership details available ? At the least you should be able to determine WHEN the deed was done.
The boss uninstalled it as soon as he found it. Doh!!
Thanks for all the input guys, that gives me some ideas to start with. It was installed at 1:04 pm yesterday, before the boss removed it at 6:45 that same evening.
-
May 13th, 2004, 03:19 PM
#6
I installed it, you ungrateful bastard!
Oh and the back doors and trojans, whilst I was at it
OK....Serious now,
1. If it has been loaded onto a server, rather than a desktop, it is for shared use?
2. Who would use such an application
3. Is your "boss" a for real "boss" or only in his dreams
4. Go and kill one in ten in Marketing/Sales/Publicity, until one of the little toads squeals?
If someone with a budget gets in outsiders, and there is money involved....you will find it in the morning
Maybe keep quiet and log who tries to access it?
Maybe get a boozing buddy go find you a nice 9mm.....and your wife go out of state and get you a couple of boxes of 50?
Sorry old chap, I think that you have been undermined at a higher level?
/me smell treason
-
May 13th, 2004, 03:38 PM
#7
If memory serves correctly, I go into the security section of Event Viewer to see logon times, right? Well, the security portion is completely empty of any entries.
Ok Nihil, on those points:
1) That's usually the case with any program installed. Unfortunately, now that it's been removed, I'll never know.
2) That's one thing I want to know. Not many. Actually, pretty much me and the president, maybe the HR manager.
3) He's very much the real boss, prez of the company.
4) Kill....kill....
-
May 13th, 2004, 03:42 PM
#8
As Foxyloxley noted, another way to find out who installed it is by looking at the ownership of the files. You're screwed if it's administrator though.
Edit: AFAIK there's no real need to "install" photoshop. You can just drag 'n drop the program dir and it will function.
Oliver's Law:
Experience is something you don't get until just after you need it.
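The three leads the thread has raised so far, namely who was logged on in the window around the install (#3), whether there are "operator" or power-user accounts that could have done it (#3, #4), and the owner of whatever files survived (#8), can be worked through from one PowerShell session. This is an added example, not code posted by anyone in the thread. It assumes a modern Windows Security log (Vista/2008 or later event IDs 4624 and 4688, and the MsiInstaller provider in the Application log); the 2004-era server being discussed would use the older IDs 528/540 and 592 instead. The time window is the one given in post #5; the 'C:\Program Files' path is an assumption.

```powershell
# Added example (not from the thread): correlate the install time with who was
# logged on, who could have installed, and what Windows Installer recorded.
# Assumes Vista/2008+ event IDs; successful logon auditing must already be on.
$Start = Get-Date '2004-05-12 12:30'   # window around the 1:04 pm install (post #5)
$End   = Get-Date '2004-05-12 13:30'

# 0. Who *could* have done it: members of the groups that can install software.
'Administrators', 'Power Users' | ForEach-Object {
    Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue |
        Select-Object @{n='Group';e={$_.ObjectClass}}, Name, PrincipalSource
} | Format-Table -AutoSize

# 1. Interactive logons in the window. Type 2 = console, 10 = RDP/Terminal Services.
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $Start
    EndTime   = $End
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = [int]$d['LogonType']
        Source    = $d['IpAddress']
    }
} | Where-Object { $_.LogonType -in 2, 10 }
$logons | Sort-Object Time | Format-Table -AutoSize

# 2. Windows Installer keeps its own record in the Application log, and it is
#    not removed by an uninstall: 11707 = install completed, 1034 = product removed.
#    UserId is the SID of the account that ran the installer.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Id           = 11707, 1034
    StartTime    = $Start.AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message | Format-Table -AutoSize -Wrap

# 3. Anything the uninstaller left behind carries the installing account as owner
#    (a plain drag-and-drop copy, as post #8 describes, has no MSI record at all,
#    so this is the only trace of it).
Get-ChildItem 'C:\Program Files' -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
    ForEach-Object {
        [pscustomobject]@{ Path = $_.FullName; Owner = (Get-Acl $_.FullName).Owner }
    } | Format-Table -AutoSize
```

Step 1 is the one that comes up empty on the server in this thread, because success auditing was never turned on; steps 0, 2 and 3 still work after the fact, which is why the MsiInstaller record and file ownership are worth checking before anything else.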
-
May 13th, 2004, 03:45 PM
#9
You don't have security logging enabled. It's not a default setting. If you have access to the AD, use a domain policy to enable logging on all domain objects. Or just turn it on on the server.
//edit let me know what you have access to and I'll show you how to enable it. Domain policy is best.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
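Turning success auditing on locally, as post #9 suggests, and checking that the log is big enough to hold a day's worth of logons, looks like this on a current Windows server. Added example, not the poster's instructions: auditpol.exe and the ProcessCreationIncludeCmdLine_Enabled value exist on Vista/2008 and 8.1/2012 R2 respectively; the 2004-era server in the thread would get the same effect from Local Security Policy (or a domain GPO) under Audit Policy, with "Audit logon events" and "Audit process tracking" set to Success and Failure. The 256 MB log size is an assumption.

```powershell
# Added example (not from the thread): enable success *and* failure auditing for
# the events that answer "who logged on and what did they run", then verify.
# Requires an elevated prompt; auditpol.exe is Vista/2008 or later.
$subcategories = 'Logon', 'Logoff', 'Process Creation'
foreach ($s in $subcategories) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# Record the full command line in Process Creation events (4688), so an install
# shows up as "msiexec.exe /i photoshop.msi" rather than just "msiexec.exe".
# (Registry value is Windows 8.1 / Server 2012 R2 or later.)
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# The default Security log is small; size it so entries survive until read
# (assumed size), and keep the default overwrite-oldest behaviour.
Limit-EventLog -LogName Security -MaximumSize 256MB -OverflowAction OverwriteAsNeeded

# Verify: effective policy per subcategory, then the log configuration.
auditpol /get /category:"Logon/Logoff,Detailed Tracking"
Get-WinEvent -ListLog Security |
    Select-Object LogName, IsEnabled, LogMode, MaximumSizeInBytes, RecordCount
```

If a domain policy already defines these settings, the local auditpol change is overwritten at the next policy refresh, which is the reason post #9 prefers setting it in the domain policy when you have that access.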
-
May 13th, 2004, 03:48 PM
#10
Is there a way I can still see those files since it's all been uninstalled though?
RoadClosed -- I have full administrative access.