-
September 22nd, 2003, 06:06 PM
#1
Junior Member
Windows XP Admin account
hello,
I am a new admin in a small library, all users used limited accounts. But I am not sure if they know my pass or not. How do I know if somebody has used my pass and logged in and did some stuff in the computer? Thank you.
-
September 22nd, 2003, 06:11 PM
#2
Re: Windows XP Admin account
Originally posted here by VoDanhLangTu
hello,
I am a new admin in a small library, all users used limited accounts. But I am not sure if they know my pass or not. How do I know if somebody has used my pass and logged in and did some stuff in the computer? Thank you.
1) If you think someone has used your admin account, change the password!
2) Check all user accounts to ensure they are set up as normal users, not part of the administrator group.
3) Search Google for some trojan scanning software, install it and run it to check for trojans and keyloggers.
Cheers:
-
September 22nd, 2003, 06:12 PM
#3
Um, change your password and see who complains.
Install a keylogger and look at what is getting typed into your machine on the admin account when you are not there.
-
September 22nd, 2003, 06:23 PM
#4
You should turn on auditing for account logins. Then you can easily see in the security log, who logged in when.
I would not install a key-logger unless you know for a fact that you can legally do so. It would not be legal to install a key-logger on a library computer in the US without giving the user specific notice that you were doing such. Whether it is a public/corporate/school library changes the law dramatically.
-
September 22nd, 2003, 07:55 PM
#5
I'm guessing that changing the password is your best bet. Also make sure you have a password set for the admin account that you access through safe mode, because if they get to that you may as well not have a password on any account. Also, if you wanna go see if anything major was changed, just go look; you're the admin, you can do that kinda stuff, lol. Oh well, gl
-
September 22nd, 2003, 08:57 PM
#6
"You should turn on auditing for account logins."
Absolutely correct.
One other thing I would do is add a third party syslogd service so that you can correlate all the logins on a single box.
Here is my favorite free syslogger for Windoze:
http://www.kiwisyslog.com
"would not install a key-logger unless you know for a fact that you can legally do so."
Again, absolutely correct. Do not even *think* about doing this in a library. You will be sued faster than Grant went through Richmond (anyone doin' their history homework out there?)
Seriously though, we just went through a similar exercise with censorship at a library that we service. Bottom line: Public facility = zero unannounced monitoring.
--TH13
-
September 23rd, 2003, 12:19 AM
#7
(Depending on your setup these may need to be made in the domain controller and domain security policies as well.)
1. Disconnect the system hosting the admin account (I assume the PDC) from the network.
2. Review active directory users and groups > builtin > administrators > properties > members.
3. Auditing, at least: group policy > computer configuration > windows settings > security settings > local policies > audit policy
   Audit account logon events: success, failure
   Audit account management: success, failure
   Audit policy change: success, failure
4. Key stroke recording: group policy > computer configuration > windows settings > security settings > local policies > security options >
   Message title for users attempting to log on: Notice:
   Message text for users attempting to log on: Some legal message that suits your exact needs but should cover that you are making use of all auditing techniques available to you, including but not limited to keystroke recording. Also discuss that the logs from the audits may not only be turned over to any law enforcement agency you see fit in the event of a compromise but also the log data may be reviewed by library personnel during routine system upkeep.
5. Change the admin password.
6. Log on to each client system with the new admin account (this is only needed if clients have logon cache enabled).
There are more extensive guides available from places like CERT:
http://www.cert.org/tech_tips/win-UN...ompromise.html
which include things like reviewing for trojans and whatnot. You may wish to take that route, but if you just feel that someone has the admin password, the 6 steps I gave you should be comprehensive enough to fix the problem and track down the culprit as well as prevent future such issues.
best of luck,
catch
Edited:
I just noticed that you are in Hong Kong, the legal notice about key logging may not be needed.
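The Security log review that posts #4 and #7 point to, as an added example that is not part of the original thread: it reads a Security log exported from Event Viewer as comma-delimited text and lists failed logons plus any use of the admin account outside the hours the admin is on site. The column order, the host name LIBPC01, the account names and the duty hours are assumptions made for the sample; event IDs 528/529 are recorded under "Audit logon events", 636 under account management auditing and 612 under policy change auditing on Windows XP.

```python
import csv
import io
from datetime import datetime, time

# Windows XP-era Security log event IDs worth reviewing in this scenario.
WATCHED = {
    "528": "successful logon",
    "529": "failed logon (unknown user name or bad password)",
    "612": "audit policy changed",
    "636": "member added to a local group",
}

# Constructed sample export; the column order is an assumption:
# date, time, source, type, category, event ID, user, computer
SAMPLE_LOG = """\
9/22/2003,8:58:12 AM,Security,Success Audit,Logon/Logoff,528,LIBPC01\\Administrator,LIBPC01
9/22/2003,9:05:40 AM,Security,Success Audit,Logon/Logoff,528,LIBPC01\\patron,LIBPC01
9/22/2003,7:41:03 PM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,LIBPC01
9/22/2003,7:41:55 PM,Security,Success Audit,Logon/Logoff,528,LIBPC01\\Administrator,LIBPC01
9/22/2003,7:43:10 PM,Security,Success Audit,Account Management,636,LIBPC01\\Administrator,LIBPC01
"""

def review(log_text, admin_user, on_duty_from, on_duty_until):
    """Return (when, host, event_id, meaning, reason) for each event worth a look."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8 or row[5] not in WATCHED:
            continue  # malformed line or an event we are not tracking
        date, clock, _source, kind, _category, event_id, user, host = row[:8]
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M:%S %p")
        account = user.split("\\")[-1].lower()  # drop the machine/domain prefix
        on_duty = on_duty_from <= when.time() <= on_duty_until
        if kind == "Failure Audit":
            reason = "failed attempt"
        elif account == admin_user.lower() and not on_duty:
            reason = "admin account used while the admin was off duty"
        else:
            continue
        findings.append((when, host, event_id, WATCHED[event_id], reason))
    return findings

if __name__ == "__main__":
    for when, host, event_id, meaning, reason in review(
            SAMPLE_LOG, "Administrator", time(8, 30), time(17, 30)):
        print(f"{when:%Y-%m-%d %H:%M:%S} {host} event {event_id} ({meaning}): {reason}")
```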
-
September 23rd, 2003, 12:37 AM
#8
Hi VoDanhLangTu?? and AO'ers,
I've just come back from a week in Portugal, excuse the tan.
On a slightly even more non technical note;
I recently did a project for a library here in England, amongst the various broken things we had to fix (everything from the trust between two domains to a dodgy scanner) I discovered that someone was using the Admin password to get free internet access.
In order to get a vague idea I enabled a keylogging feature in one of the Computer Associates products they already use (think it was CA's Etrust Intrusion Detection), which they were only using as a URL filter incidentally. In order to get round the whole privacy / legal issues we re-printed the 'acceptable use policy' notice and put it back on the notice board where it's always been. Deliberately making it as plain and boring looking as possible. Size ten font, black and white. The person doing this really l337 hax0r1ng, obviously being a regular user, didn't bother to check the notice board and just signed into the book as usual. BANG! Caught and banned from the library forever. LMAO all week.
I think the US privacy laws are better enforced and far stricter than anything in the UK yet, but it might just work. I know it's not necessarily the moral thing to do in a situation like this but my view is if the guy's a thief then screw him, the little bitch shouldn't have rights anyway.
Cheer$
Vice$Dos$
-
September 23rd, 2003, 02:53 AM
#9
Hi, you have had some very good advice which I would go along with.
You sound as if you have had a total security failure, though? If they had the admin password, they could have done all sorts of things?
The text book answer is to delete the lot, re-format and re-install. I imagine that this is not an option, so we shall have to "fight them in the jungle" so to speak.
They may have installed back door or RAT programs, so you really need to do a Google search for AdAware6.0 and SpyBot Search & Destroy. Download, install and update these and run them. If they see a "bad guy" let them kill it.
You might also get the 30 day trial of "Pest Patrol" and run that.
You MUST have an up to date anti virus application, that you also must run.
Good Luck