The Ethical Hacker Network - Need to determine the computer a user account is coming from

Latest Additions

Who's Online

EH-Net News Feeds

Latest Additions

zeroflaw

Full Member

Offline

Posts: 184

Re: Need to determine the computer a user account is coming from

« Reply #15 on: March 05, 2010, 04:07:21 PM »

Quote from: JerichoJones on March 04, 2010, 11:46:35 AM

I can the username and ip from the security log but there is no way to tie them together conclusively.

Quote from: JerichoJones on March 05, 2010, 01:21:27 PM

The crux of the issue is:

Nothing in the event log ties a user to a computer. If I have the Same ID logging on at the same time there is no way (that I see) to tie them together conclusively.

You can get the user name and IP from the logs. You can tie the IP to a certain computer. Then you know the computer and user that were used to delete the files on the server. You won't see that in the logs (as you said), but you can tie them together using the commands that were mentioned earlier in this thread. You still won't be able to see who actually did it though.

Maybe you can somehow monitor network activity and see who's doing it. But you would have to come up with something to capture the event and make some kind of alarm go off, then quickly check who's at the computer. This means you would have to catch the guy in the act.

I would just permanently ban shared accounts. You won't catch the guy responsible, but you will prevent this from happening again. I know you said you're not allowed to change it, but still.


	Logged

unsupported

Sr. Member

Offline

Posts: 318

Unofficial Newbie Moderator

Re: Need to determine the computer a user account is coming from

« Reply #16 on: March 05, 2010, 06:39:25 PM »

Quote from: awesec on March 05, 2010, 01:27:16 PM

If the scenario is that many different persons use the same user account on a computer, then there should be hardly a possibility to determine which person is at the moment using the account. One solution would be a webcam which is enabled or some sort of spy cam. If you know each person very well you could analyze logs and look for visited websites etc. as you could maybe match it to a certain person.

Wow, those are all good suggestions! I wish I would have thought about that.

(I'm just teasing you)


	Logged

-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP

Ketchup

Hero Member

Offline

Posts: 1006

Re: Need to determine the computer a user account is coming from

« Reply #17 on: March 05, 2010, 07:33:25 PM »

I just ran a small experiment, and the IP or Computer Name did NOT appear in my Object Access audit logs. Only the user name was available.

Here is what I would do:

1. Make a business case why shared user accounts are ridiculous.

2. If you fail at number 1, deploy some sort of host-based IDS to monitor sensitive directories. (Tripwire, GFI, etc).

3. Write something yourself.