Networking / Beginners

Looking for Suspicious Signs

There are several indications that something on a Windows 2000 system might not be quite right or that someone may be doing something he should not be doing.

Brute-Force Attempts

If someone is attempting to guess account passwords (manually or through the use of an automated tool), the security event log will have entries showing failed login attempts. In addition, if the system has been configured to lock out accounts after a certain number of failed login attempts, there will be a number of accounts that are locked out. Failed login attempt messages in the security event log will provide the name of the workstation where the attempt originated. This workstation should form the beginning of your investigation to determine why the failed login attempts were occurring.

NOTE: The type of investigation that is begun should depend upon the source of the attempts. If the source is internal, it may be appropriate to find the employee who uses that workstation and speak with her. If the source is external, it may be appropriate to block access from the source IP address at the firewall.

Access Failures

Access failures may indicate an authorized user who is attempting to access sensitive files. Some single failures may be innocent mistakes. If you find a single user who has logged access failures on a large number of files or directories, there is cause to ask why the attempts were being made.

NOTE: The information in the security event log provides a record of the failed attempts. It does not constitute proof that a particular employee was attempting to gain unauthorized access to information. These log messages can be generated by processes that are attempting access without the user's knowledge or they could be generated by someone using the user's account or system. Never assume that the log records provide sufficient proof to accuse an employee of inappropriate actions.

[Previous] [Contents] [Next]