1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Windows Security Monitoring

Discussion in 'Computer Security' started by GW, Jan 28, 2007.

  1. GW

    GW Byte Poster

    119
    4
    39
    Recently the company I work for one of our main websites was defaced by a Dutch crew and when only found out about it right away is because they reset the IIS which set off an alarm. While the alert cleared the Operations person by chance checked the web link and discovered that it was defaced.

    If it wasn't for that check we would not have known that we have been defaced till an outside customer would tell us.

    What I would like to find is something that is free (no budget) that will keep an eye on the Windows Servers to see if they have been compromised and notify me. There are tools that I can run for that but I want something that is always checking so when it does find something we can check into it right away (since Operations is staffed 24/7).

    Any ideas?

    GW
     
    Certifications: MCP x4, CompTia x3
    WIP: Cisco CCNA
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    The obvious way is a trigger on files changing in a directory.

    But I'm a bit depressed that you think it will happen again. Why not harden the servers so it doesn't happen? In my company if this happened twice the server guy would suddenly find himself out of a job. :biggrin

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. GW

    GW Byte Poster

    119
    4
    39
    I'm looking at 300+ servers and the company was never really into the whole patching and securing thing. All was done was slap servers into the datacenters and rake in as much money as possible.

    Now that the company has been merged with another company and we got their management running the show the views have changed so now they are looking into security.

    Hardening of the servers is one thing that I'm going to be bringing up but it is going to take time testing out to make sure it is not going to cause problems with the custom applications that the web developers have written that are running on the servers and with all of the things that are going on I have to do the band-aid method for the next couple of quarters until things settle down.

    But in the almost two years with the company this is the first defacement that we had, usually the servers get hacked and turned into warez servers.

    GW
     
    Certifications: MCP x4, CompTia x3
    WIP: Cisco CCNA
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,623
    115
    224
    Ah! I see your problem! Perhaps I'm lucky in that my company has always taken security and patching fairly seriously. :biggrin

    And I wouldn't mind betting that those 'custom apps' will have vulnerabilities - and those can sometimes be a nightmare to fix.

    Surely as a start you might be able to determine the mechanism of each break-in and patch that? Or are you spending too much time in "fire-fighting" mode? <grin>

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. GW

    GW Byte Poster

    119
    4
    39
    Right now I'm busy just trying to get a fire break going. The security project is on the slow track right now because I just found out that they installed quite a few more servers in the datacenter and there is no documentation on the names or IPs or even what rack they are installed on.

    So this next week I'm going to have to go to the datacenter to take an inventory and then try to figure out all of hte IP addresses and subnets since the previous engineers took segmenting to a whole new level (of chaos).

    After that I have to figure out why some engineeers can log onto some servers and not others while other engineers can log onto the servers that others can't get on and so forth.

    I'm finding out the reason that this datacenter is in the state that it is is because the previous engineers chose to ignore it because it wasn't a huge money making product. Sad part is now it is growing rapidly with projected growth of doubling every other month.

    GW
     
    Certifications: MCP x4, CompTia x3
    WIP: Cisco CCNA

Share This Page

Loading...