Run User Manager

Go to the Policies menu

Select User Rights

Select "Force shutdown from a remote system" from the Rights list

Remove all the groups and users from the Grant To list

But if that guy has administrative privileges, he can change this right again

You can audit security policy changes in User Manager to catch him/her
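As an added example (not part of this thread, and not a Microsoft tool), the script below checks the result of the steps above without clicking through User Manager. It assumes the local policy has been exported with `secedit /export /cfg policy.inf` on a system where that command is available (the export is UTF-16 on disk; the text is embedded here as a constructed sample), that the "Force shutdown from a remote system" right appears under its internal name `SeRemoteShutdownPrivilege` in the `[Privilege Rights]` section, and that grantees are listed as SIDs prefixed with `*`. Comparing two exports taken at different times shows whether an administrator has quietly put a group back on the Grant To list.

```python
from typing import Dict, FrozenSet, List

# Constructed sample export, in the style of "secedit /export /cfg policy.inf",
# taken right after the right was cleaned up (assumption: this file layout).
BASELINE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege =
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed sample of a later export where someone has re-granted the
# right to Administrators and Backup Operators.
CURRENT_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeRemoteShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Well-known SIDs, only to make the report readable.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

REMOTE_SHUTDOWN = "SeRemoteShutdownPrivilege"  # "Force shutdown from a remote system"


def parse_privilege_rights(inf_text: str) -> Dict[str, List[str]]:
    """Return {privilege name: [grantee SID, ...]} from the [Privilege Rights] section."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Grantees are comma separated; secedit prefixes SIDs with '*'.
        grantees = [g.strip().lstrip("*") for g in value.split(",") if g.strip()]
        rights[name.strip()] = grantees
    return rights


def remote_shutdown_grantees(inf_text: str) -> List[str]:
    """Who currently holds the remote-shutdown right (empty list = nobody)."""
    return parse_privilege_rights(inf_text).get(REMOTE_SHUTDOWN, [])


def unexpected_grantees(inf_text: str, allowed: FrozenSet[str] = frozenset()) -> List[str]:
    """Grantees that are not on the allow list; an empty result means the policy is as intended."""
    return [g for g in remote_shutdown_grantees(inf_text) if g not in allowed]


def regranted_since(baseline_inf: str, current_inf: str) -> List[str]:
    """Grantees present in the current export that were absent from the baseline export."""
    before = set(remote_shutdown_grantees(baseline_inf))
    return [g for g in remote_shutdown_grantees(current_inf) if g not in before]


def describe(sid: str) -> str:
    return WELL_KNOWN_SIDS.get(sid, sid)


if __name__ == "__main__":
    # To use real exports: open(path, encoding="utf-16").read() for each file.
    added = regranted_since(BASELINE_INF, CURRENT_INF)
    if added:
        print("Remote-shutdown right re-granted to:")
        for sid in added:
            print("  " + describe(sid))
    else:
        print("Remote-shutdown right unchanged since baseline.")
```

Run the export on each server on a schedule, keep the first export as the baseline, and alert on any non-empty result from `regranted_since`; together with auditing of policy changes, that gives both the fact that the right was re-granted and the time window in which to look for who did it.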

-----Original Message-----
From: David Ng [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 3:57 AM
To: Joe Vasquez; [EMAIL PROTECTED]
Subject: RE: Please assist, tracking or IDS options.
Importance: High

Guys,

    All routers are secured and there is no IDS logging turned on. As with NT security Logging, the major issue is I believe the individual that instigated the attack was within the company and that he knew the access passwords to come into the system as an authorised personnel. I believe the individual is currently still working for this company and is launching his attacks randomly. I wanted to know if there is a good way of catching the person/workstation/IP/anything that would point to the direction of who possibly might be the culprit behind these attacks.

    The problem is because there are a number of interstate sites and all sites are private and do not have a public address on any server, thus I believe it is done internally. Also when I was onsite looking at the server, it started to do a typical NT "restart" on me right before my eyes. I can see that the server was shutting down all its services and I even saw the Restart button for a split second before it completely rebooted. This occurred in succession to 3 NT Servers with around 2-3 minutes time difference. The incident went on 3 times on each server consecutively.

    Can you guys suggest the best and optimal way to catch the culprit? (Hopefully with minimal costs incurred from IDS or any other tools to do so.) I believe the individual will strike again and I believe even if the passwords were changed, the individual is a person with authority to obtain the passwords anyway (they would be given that Admin password as I believe this was done by one of the IT staff internally - just do not know who it might be and from which state).

    Please advise as this is something foreign to me, comes across as some James Bond stuff in IT. Thanks for any suggestions, as I have been given the ok and mandate to do something or recommend something to get to the bottom of this from the Managers. Please advise and thanks in advance.

-----Original Message-----
From: Joe Vasquez [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 10:25 AM
To: David Ng; [EMAIL PROTECTED]
Subject: RE: Please assist, tracking or IDS options.

Do you have a firewall, router or IDS with logging turned on?
Do you have security logging turned on in your NT server and any workstations on your network?
You may want to mention what security solutions that you have in place.
Joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of David Ng
Sent: Tuesday, October 23, 2001 5:14 PM
To: [EMAIL PROTECTED]
Subject: Please assist, tracking or IDS options.
Importance: High

Dear all,

    We have an NT network that was hit the other day, in the sense that it was remotely shut down by an individual somehow. The person might have the passwords and also sound technical expertise in remote utilities. Is there a way for me to trace where the traffic was coming from that day and what IP address? Also, is there a way to automatically capture the screen if it was remotely controlled?

    Please advise, thanks in advance.

Sincerely,

David Ng