Security Basics mailing list archives

Re: Unknown user found in AD and SonicWall


From: "Rob" <synja () synfulvisions com>
Date: Mon, 2 Jul 2012 07:22:29 +0000

Audit logs would be a good start; you can monitor security access and logon events, including IP address for network
logons. What you find there will tell you where to go next, and where they go with their credentials.

First though, I'd lock down the account a bit to limit possible damage.


Rob

-----Original Message-----
From: Alex Dolan <dolan.alex () gmail com>
Sender: listbounce () securityfocus com
Date: Mon, 2 Jul 2012 15:01:34 
To: <security-basics () securityfocus com>
Subject: Unknown user found in AD and SonicWall

In a recent audit of one of our client's networks, I came across a new
user in Active Directory, and a dial-in access through the firewall.
It was "Syn IT development access"

The program, Syn, is a legitimate program used by the client, so we
called the developers and they said the port is used on only special
occasions, none of which the client had ever needed.

What I want to set up is a trap-and-trace for the user, see where they
are connecting from and what they're getting up to.

Any suggestions on how to do this? OS is Windows Server 2008 R2.

Thanks in advance
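
One way to pull the logon events suggested in the reply above, with source IP addresses, on Windows Server 2008 R2. This is an added example, not part of the original thread. The account name is a placeholder (the thread gives only a display name), and the 30-day window and enabled "Audit Logon" policy are assumptions.

```powershell
# Added example. Run elevated on the server the account logs on to.
# Assumes "Audit Logon" success/failure auditing is enabled there.
$Account = 'PLACEHOLDER_SAM_ACCOUNT'   # placeholder: the thread gives only a display name
$Days    = 30                          # assumed look-back window
$ms      = [long]$Days * 86400000      # window in milliseconds for timediff()

# 4624 = successful logon, 4625 = failed logon (Windows Server 2008 and later).
$xpath = "*[System[(EventID=4624 or EventID=4625) and " +
         "TimeCreated[timediff(@SystemTime) <= $ms]]] and " +
         "*[EventData[Data[@Name='TargetUserName']='$Account']]"

$events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

$rows = @()
if ($events) {   # guard: PowerShell 2.0 iterates once over $null
    $rows = foreach ($e in $events) {
        # Flatten the named <Data> fields of the event into a lookup table.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            EventId     = $e.Id
            LogonType   = $d['LogonType']      # 3 = network, 10 = remote interactive
            SourceIp    = $d['IpAddress']
            Workstation = $d['WorkstationName']
        }
    }
}

# Full timeline, oldest first.
$rows | Sort-Object Time |
    Format-Table Time, EventId, LogonType, SourceIp, Workstation -AutoSize

# One line per source address and logon type, busiest first.
$rows | Group-Object SourceIp, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```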


