The following question and answer thread is excerpted from ITKnowledge Exchange. Click here to read the entire thread or to start a new one.
A user identified as Mouse 3333 posed this question:
have a rogue user who knows more than she should. She can grant herself and others the authority to access secure files. How can we monitor her activity to review what she has done? We believe she is using several different user IDs. We have come across a couple and have changed those passwords. Is there anything else we can do to stop her?
A user identified as Layer 9 advised:
There are some products that allow you to restrict users internally, but you really have to know what you are doing to use them. In order to stop this power user from circumventing your network's security, you will need to bring in a security consultant, because it is clear that this user knows more than you do about network security. Other than hiring a consultant, there are some technical steps you can take as well. Assuming your Layer 2 network is a Cisco or other SPAN-compliant vendor, doing the following will likely reveal what she is doing:
- Trace back from the desktop to the actual switch port her workstation is connected to. If you don't have a current wiring diagram or a coding system, you can use a cheap toner to trace back to the switch. Then trace back your own desktop to the switch as well. I am assuming they are plugged into the same switch, if not you'll want to plug a laptop in from inside the wiring closet.
- Once you have the port number on the switch, log on to it, enable SPAN and set the port you are plugged into as the Monitor Port. Then set the port that the suspect's system is plugged into as the Monitored Port.
- At this point, download Ethereal, (you can also use Sniffer or Etherpeek if you have it) and install it on the desktop. Set a filter in your protocol analyzer to filter to all other systems on her MAC or IP. Examine what the packet captures about the activity between the suspect and the logon servers – particularly, with the system or systems where the accessed files are stored. These packet captures will show you what she is doing to get in or at least point you in the right direction.
If you don't have a switch that supports SPAN, it's time to upgrade the network. If what I suggest sounds foreign, then you should consider hiring a consultant.
A user identified as Solutions1 advised:
First, make sure your procedural and policy ducks are in a row and carefully adhere to those guidelines. Second, evaluate your priorities. If you suspect that that one end user acquired "super user" access, then perhaps your priority should be to rebuild your access control structure, because one "known" violation suggests that there could be others. Third, get management support at an appropriate level before you proceed with your capture and detection measures.
A user identified as Bobkberg advised:
Here are some other steps you can take to mitigate this risk:
- If you are in a Windows environment, list out all of the members of the administrators group and check their login history. Turn on security auditing for logins and for system/file/folder access for likely machines -- then check regularly.
- If you are in a Unix/Linux environment, check all user and group IDs for root equivalence or root group membership. If you learn more about the initial situation, regularly check for login time/date as well as where it occurred. If you are using Network Information Service, check all user IDs there also.
Here is the bottom line -- if you don't receive management's support, e-mail them about the matter clearly and keep their response. It will be your "Pearl Harbor" file.
A user identified as ChinaBJ advised:
I suggest you use a combination of IT rules and technical methods to prevent this from happening again. Seek help from top management personnel to establish and implement IT rules. As far as technical methods are concerned, you can install a remote control client on the suspect's computer from the server and log her actions. If you have Windows 98 sharing, stop it. It is also necessary to stop Windows 2000 server's support for previous Windows authentication. Third, you should implement IPsec to encrypt the communications that take place on your server.
A user identified as This213 advised:
I agree with Layer9, you should consider hiring a security consultant. I also think she may have gotten her hands on someone's password. While you have received some sound advice, I find it interesting that there has been no mention of the authentication mechanism in use or what OSes and other resources are involved. There may be options available to you that would not require approval from anyone (depending on your role and your company's policies).
Once you know what resources have been accessed -- whether they are files in a file system or user changes in Active Directory -- you should be able to trace those who have accessed them. If you're not logging accesses to resources, I strongly encourage you to. If you're in a Windows environment, there are tools for this. If you're in a Unix/Linux environment, the tools are most likely already in place.
I suggest you have your network penetration tested, both externally and internally, even if it does turn out to be just a corrupted password. You never know how strong something is until you try to break it. Plenty of companies out there do this.
Also, make sure you document everything. Create a situation file, collect hard copies of all the logs about the affected systems, and place them in the file. Then, document your actions to remedy the situation and put that in the file. Send e-mails to your superiors and detail the situation as best as you can. Inform them of the file and its location, and explain how they can view a *copy* of its contents. Place the e-mails that discuss the situation into the file as well. Note that I said a *copy* of the file, always follow the maxim: CYA. Finally, make sure that anyone (management, auditors, etc.) can access the file, so they can read about the entire situation themselves -- as Bobkberg said, it's your "Pearl Harbor" file.
A user identified as SidZilla advised:
Don't overlook the non-technical solutions. I would make sure HR is on board with the fact that circumventing security is a fire-able offense, then take the offending employee to HR and ask her what she is doing, how she is doing it and most importantly, why she is doing it. If she doesn't answer all three and agree to stop, fire her on the spot.
This was first published in February 2009