RE: Local Admin

["Vladan Todorovic" <vladantodorovic () beijing-olympic org cn>]

I agree with Steven. Only thing that I would add is that you have different
event log monitors. Some of them are not capable of queuing events before
sending. This means that if hacker can plug out network cable from device he
is hacking and when he finishes his job, he will plug in network cable
again, so from your perspective you will not be notified about hack attempt.


Instead of that, there are log monitors that support queuing, so if it is
not capable of sending alarm to the central server immediately, it will
queue it, and send it later when network is available, so you will get the
final information.

Take a look at free log monitor named SNARE:
http://www.intersectalliance.com/projects/SnareWindows/index.html


I hope this helps.
Vladan

-----Original Message-----
From: Steven [mailto:steven () lovebug org] 
Sent: 02 June 2006 10:43
To: Mohamed Abdel Kader; pen-test () securityfocus com
Subject: Re: Local Admin

Hello,

Let me try a response to your qustion and precursor it with my assumptions 
about your environment.

I am assuming that you are currently in an Active Directory (AD) environment

and that your users are local administrators of their own machines once 
logged into their domain account.  My next guess is that you have a local 
administrator account on each machine and this is the one you are interested

in watching.

To the best of my knowledge there is no way to do this through AD.  The 
local account on the machine is separate from your AD is resides only on the

local installation.  The only way that I know of that you could be notified 
of a change is if you have some kind of additional log monitor.  This could 
alert you to password changes (event id 628) or attempted(failed) changes 
(event id 627).  You might also want to look for account created/deleted 
events in your logs as well.

Depending on the size of your environment and number fo your staff I would 
not say it's unreasonable or impossible to set administrative BIOS passwords

on all of the machines.  This can go a decent way to protecting machines 
from being booted from a CD.  It of course will not stop a determined 
attacker that's in front of the box.

Hope this helps.. just post back if you have more questions.

Steven

----- Original Message ----- 
From: "Mohamed Abdel Kader" <mak.pen () gmail com>
To: <pen-test () securityfocus com>
Sent: Thursday, June 01, 2006 4:58 AM
Subject: Local Admin


> Hello List,
>
> I was wondering if their is a way to monitor if someone changed the local
>
> Administrator, on his/her computer, through an active directory, and how 
> can
>
> This be prevented in large organizations. It is not practical to change 
> the
>
> Bios password on all of the computer and the boot order and lock the
>
> Machines; at least in this case.
>
>
>
> Thanks all...
----------------------------------------------------------------------------
--
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the 
> Analyst's
> Choice Award from eWeek. As attacks through web applications continue to 
> rise,
> you need to proactively protect your applications from hackers. Cenzic has

> the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with 
> a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request () cenzic com for details.
----------------------------------------------------------------------------
--
>


----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to
rise, 
you need to proactively protect your applications from hackers. Cenzic has
the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
----------------------------------------------------------------------------
--


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------