Sucsss Audit - have I been hacked ?

J

Jay B

I'm a security neophyte... I need some advice here as to whether I
found something bad in the Security Log.

My server was in a location where it was not physically secure.
When I got back to it today, I took a look in the Event Logs to see
what might have been happening while I was gone. In the Security Log
I found only _one_ event "Success Audit". What worries me is that
the detail shows "The audit log was cleared"... the event ran
as primary user "System", client user "administrator".

Is this a "normal" event? I admit to know nothing at all about
security audit process. Does this indicate that the audit log was
manually cleared by someone or is it the normal output of the
system audit process ?

Thanks,
Jay
 
L

Lanwench [MVP - Exchange]

Jay said:
I'm a security neophyte... I need some advice here as to whether I
found something bad in the Security Log.

My server was in a location where it was not physically secure.
When I got back to it today, I took a look in the Event Logs to see
what might have been happening while I was gone. In the Security Log
I found only _one_ event "Success Audit". What worries me is that
the detail shows "The audit log was cleared"... the event ran
as primary user "System", client user "administrator".

Is this a "normal" event? I admit to know nothing at all about
security audit process. Does this indicate that the audit log was
manually cleared by someone or is it the normal output of the
system audit process ?
Click to expand...

Someone manually cleared it. This does not happen on its own.
 
C

Colin Nash [MVP]

Jay B said:
I'm a security neophyte... I need some advice here as to whether I
found something bad in the Security Log.

My server was in a location where it was not physically secure.
When I got back to it today, I took a look in the Event Logs to see
what might have been happening while I was gone. In the Security Log
I found only _one_ event "Success Audit". What worries me is that
the detail shows "The audit log was cleared"... the event ran
as primary user "System", client user "administrator".

Is this a "normal" event? I admit to know nothing at all about
security audit process. Does this indicate that the audit log was
manually cleared by someone or is it the normal output of the
system audit process ?

Thanks,
Jay
Click to expand...

It looks like someone who knows the password to the built-in "Administrator"
account cleared the log. Was the date during the timeframe that you were
away? Do you have any auditing enabled? If not, its normal for the
security log to be empty.
 
S

Steven L Umbach

Yes someone cleared the security log at the time indicated. I would immediately
change the administrators password and check the membership of the local
administrators group on that server to make sure that only authorized users are
members and reset their passwords. You need to physically secure that server. At the
bare minimum configure the cmos on it to only allow booting from the hard drive,
disable usb ports if possible, and password protect cmos settings. Then you will need
to lock the computer case. There are devices you can use to lock an existing case if
it has no lock but ideally you want a sturdy computer case that locks internal access
and locks access to the drives. It is very easy to boot from a floppy or cdrom and
reset the built in administrator account. The link below has more on basic security
procedures for a small business. --- Steve

http://www.microsoft.com/smallbusiness/gtm/securityguidance/hub.mspx
http://www.microsoft.com/technet/security/guidance/secmod144.mspx --- detailed info
on auditing.
 
O

Oli Restorick [MVP]

I agree, but I will add that just checking the membership of the local
administrators group may not be enough. The user rights assignment gives
plenty of room for somebody having a high level of access to a server
without being spotted quite so easily, so this should be checked as well.

Oli
 
S

Steven L Umbach

Quite right. If there is not a good explanation the user should consider it a
compromised server and act accordingly which should mean the server be rebuilt and
secured, but that is his call. --- Steve
 
R

Retro Bob

Quite right. If there is not a good explanation the user should consider it a
compromised server and act accordingly which should mean the server be rebuilt and
secured, but that is his call. --- Steve
Click to expand...

Thanks for all the help. I'll do some more physical security on this
box.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Audit Policy 4
audit 3
audit folder/file delet 3
Change in Security Account Manager 2
Auditing / Event Log Entries... 4
Auditing Logons and Logoffs 1
537 errors due to manual services being started 0
Audit Failures 4

Top