
tracking admin commands

microsoft.public.windows.server.security
Thread "tracking admin commands", started by Rodo, 10-24-2006
Posted by Roger Abell [MVP] on October 25, 2006, 10:54 am

>A trace of commands. From what you said in your previous post, I assume
>results of command would show through auditing objects.
>
"results" only indirectly
For example, as admin if I issue
xcacls c:\temp /e /g users:f
the results are changes in NTFS permissions on c:\temp
and that acted-on object would have to be audited to see
the results.
I am aware of no way, short of putting keyloggers on all
admin usable workstations/servers, that you can get a
record of all commands issued by admins (not to mention
that some UI tools do not really issue commands underneath
whereas others do).

>> So you want to have a trace of the commands, or of the
>> effects resulting from the commands ?
>>> Are system administrator commands traceable back to an individual user
>>> ID?

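Added example (not from any post in the thread) of what "auditing the acted-on object" looks like in practice, and of what the resulting event does and does not tell you. It assumes Windows Server 2008 R2 or later (auditpol.exe, Get-WinEvent and the Vista-era event IDs; on the 2003 systems the thread is about, the same thing is done through Local Security Policy and the Auditing tab, and the event IDs differ). C:\temp is taken from Roger's xcacls example; run in an elevated PowerShell.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 R2 or later.
$Path = 'C:\temp'   # the object Roger's xcacls example acts on

# 1. Turn on the object-access subcategory that covers file-system SACLs.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Put a SACL on the directory so any permission or owner change, by anyone,
#    is recorded. "Everyone" deliberately includes administrators.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'ChangePermissions,TakeOwnership',   # the rights that xcacls /g or /p exercise
    'ContainerInherit,ObjectInherit',
    'None',
    'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. After an admin runs  xcacls c:\temp /e /g users:f  the change appears as
#    Security event 4670 ("Permissions on an object were changed"). The event
#    names the account, its logon session and the process that made the call
#    (xcacls.exe, explorer.exe, ...) but never the command line that was typed.
function Get-PermissionChanges {
    param(
        [string]$ObjectPath,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
            $f = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                Object  = $f.ObjectName
                User    = '{0}\{1}' -f $f.SubjectDomainName, $f.SubjectUserName
                LogonId = $f.SubjectLogonId     # join to the 4624 logon event for source host/IP
                Process = $f.ProcessName
                OldSddl = $f.OldSd              # security descriptor before the change, in SDDL
                NewSddl = $f.NewSd              # and after
            }
        } |
        Where-Object { $_.Object -like "$ObjectPath*" }
}

Get-PermissionChanges -ObjectPath $Path | Format-List
```

Diffing OldSddl against NewSddl shows exactly what was granted (here, a new ACE for BUILTIN\Users), and User plus LogonId answer the original question of which individual account did it. What it cannot recover is the command itself, which is Roger's point: the only audited artifact is the object's new state.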
Posted by M. Burnett [MVP] on October 25, 2006, 11:50 am
You can audit all executables and know when someone runs them, but you
wouldn't know the actual parameters used on the command line.

But yeah, Roger is right, there's not much more you can do other than
install a keylogger or a good host monitoring application.

As a side note about the effects of commands, I do have several
tightly-controlled servers where I need to know EVERYTHING that happens
on them. I have a log parser script that e-mails me a report every 24
hours. That report includes all new logins, all executables run, all
Windows firewall events that involve new opened ports, a list of all
objects that were accessed (excluding a few high activity dirs), Windows
Defender events, all failed audits, and a few other misc events. It also
lists any errors or warnings that appear in the event logs (filtering
out some non-important events that often show up).

The reports are shorter than you'd think and it just takes a moment to
scan for irregularities. It is highly unlikely that anything would
happen on those servers without me knowing. This is a good example of
monitoring the effects of commands. I don't know exactly what someone
did at first, but it alerts me that something has happened.

This is particularly effective for monitoring outside attacks because no
matter what methods they use, their targets will always be the same.


Mark Burnett
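Added example of a report of the kind Mark describes; his own script is not on the page, so this is not it. It assumes Windows Server 2008 R2 or later with Get-WinEvent and the Vista-era event IDs (on 2003 the IDs are 4096 lower, e.g. 528/540 for logons and 592 for process creation, which is what he would have been parsing), that the audit categories involved are enabled, and an SMTP relay. $Smtp, $From, $To, $NoisyDirs and $NoisyEvents are placeholders to tune per host. One caveat on his "wouldn't know the actual parameters" point: since Windows 8.1 / Server 2012 R2 (and via an update on 2008 R2 / 2012) the 4688 event can carry the command line when the "Include command line in process creation events" policy is enabled, so the CommandLine column below is populated there and empty elsewhere.

```powershell
# Added example; not Mark's script. Assumes Windows Server 2008 R2 or later and an
# SMTP relay; the placeholder values below are assumptions. Run elevated, e.g. from a
# daily scheduled task.
$Since        = (Get-Date).AddHours(-24)
$AuditFailure = 0x10000000000000     # Security-log Keywords bit "Audit Failure"
$NoisyDirs    = @('C:\Windows\Temp\*', 'C:\inetpub\logs\*')   # assumed high-activity dirs to skip
$NoisyEvents  = @(10016, 1014)       # assumed error/warning IDs that always show up
$Smtp = 'smtp.example.invalid'; $From = "audit@$env:COMPUTERNAME"; $To = 'admin@example.invalid'

# Flatten an event's <EventData> into one object so sections can filter on field names.
function ConvertTo-Row {
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $f = @{ Time = $Event.TimeCreated; Id = $Event.Id; Message = $Event.Message }
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $f[$d.Name] = $d.'#text' }
        }
        New-Object PSObject -Property $f
    }
}

function Get-Events {
    param([hashtable]$Filter)
    $Filter.StartTime = $Since
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ConvertTo-Row
}

function Format-Section {
    param([string]$Title, [object[]]$Rows, [string[]]$Columns)
    $body = if ($Rows) { $Rows | Select-Object $Columns | Format-Table -AutoSize | Out-String } else { "  (none)`n" }
    "=== $Title ($(@($Rows).Count)) ===`n$body"
}

# New logons. Service logons (type 5) and machine accounts are dropped; the rest is
# de-duplicated so a chatty user shows up once per source.
$logons = Get-Events -Filter @{ LogName = 'Security'; Id = 4624 } |
    Where-Object { $_.LogonType -ne '5' -and $_.TargetUserName -notlike '*$' } |
    Sort-Object TargetDomainName, TargetUserName, LogonType, IpAddress -Unique

# Every executable started (needs "Audit process creation" / process tracking on).
$procs = Get-Events -Filter @{ LogName = 'Security'; Id = 4688 } |
    Sort-Object NewProcessName, SubjectUserName, CommandLine -Unique

# Firewall rules added (4946): a new allow rule is how a port gets opened.
$fw = Get-Events -Filter @{ LogName = 'Security'; Id = 4946 }

# Objects accessed (4663, needs SACLs on the objects), minus the noisy directories.
$objects = Get-Events -Filter @{ LogName = 'Security'; Id = 4663 } |
    Where-Object { $o = $_.ObjectName; -not ($NoisyDirs | Where-Object { $o -like $_ }) } |
    Sort-Object ObjectName, SubjectUserName, AccessMask -Unique

# Every failed audit, whatever the event ID.
$failed = Get-Events -Filter @{ LogName = 'Security'; Keywords = $AuditFailure }

# Windows Defender events (this log exists on Windows 8 / Server 2016 and later).
$defender = Get-Events -Filter @{ LogName = 'Microsoft-Windows-Windows Defender/Operational' }

# Errors and warnings from System and Application, minus known-noisy IDs.
$errwarn = Get-Events -Filter @{ LogName = 'System', 'Application'; Level = 1, 2, 3 } |
    Where-Object { $NoisyEvents -notcontains $_.Id }

$text = @(
    Format-Section 'New logons'           $logons   Time, TargetDomainName, TargetUserName, LogonType, IpAddress
    Format-Section 'Executables run'      $procs    Time, SubjectUserName, NewProcessName, CommandLine
    Format-Section 'Firewall rules added' $fw       Time, RuleName, ProfileChanged
    Format-Section 'Objects accessed'     $objects  Time, SubjectUserName, ObjectName, AccessMask
    Format-Section 'Failed audits'        $failed   Time, Id, Message
    Format-Section 'Defender events'      $defender Time, Id, Message
    Format-Section 'Errors and warnings'  $errwarn  Time, Id, Message
) -join "`n"

$text
Send-MailMessage -SmtpServer $Smtp -From $From -To $To -Subject "Daily audit report: $env:COMPUTERNAME" -Body $text
```

The de-duplication in the logon, process and object sections is what keeps the report short enough to scan by eye, which is the property Mark relies on; the exclusion lists are where the tuning effort goes on each host, and they should be reviewed whenever the server's role changes so that a newly noisy directory does not quietly hide the one access that mattered.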

Posted by Rodo on October 25, 2006, 2:41 pm
Sounds good. You're using Microsoft's Log Parser from the IIS 6 RK Tools?