Security Basics mailing list archives
Re: Tracking down anonymous user
From: "Dani Houpt" <dhoupt613 () gmail com>
Date: Sun, 31 Dec 2006 10:11:48 -0500
What about admin service accounts? Often times, applications require the creation of an admin account to run in the backround (i.e. exchange, sql, etc. ). Shouldn't more than one person know that password for redundancy? -Dani Houpt On 12/29/06, tima soni <tima.soni () gmail com> wrote:
Hi Mike, You may try to add another layer of authentication where in a user supplies his/ her credentials before accessing any shared resource. We have this implemented in our environment... Passwords should never be shared. So you should also work on defining and implementing a policy where in you can question the accountability of any user using any account. Every user accessing any asset with in your organization should have his/ her own unique user ID. Regards Tima -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mikef () everfast com Sent: Wednesday, December 27, 2006 2:37 AM To: security-basics () securityfocus com Subject: Tracking down anonymous user I'm trying to track down an internal user who is sending email under a different user account to hide his/her identity. Scenario: I have a domain user account that about 15 people know the password to. Someone logged on using this account and sent a message to a manager and because of the content of the message I'm 100% certain that it's an internal user; not someone spoofing. As a matter of fact it's definitely someone in the IT department. Is there a way to track down what computer (IP address) was used to send the messages? The incident occurred a couple of days ago so I'm hoping I can still track down the user. I'm using exchange server 2003. I've check the exchange log files, SMTP files from my SQL servers, and checked the recipient header (there was no header info), but I'm not getting anywhere. If I can't get them this time what can I do to catch them the next time.
Current thread:
- RE: Tracking down anonymous user Murda Mcloud (Jan 02)
- <Possible follow-ups>
- Re: Re: Tracking down anonymous user levinson_k (Jan 02)
- Re: Re: Tracking down anonymous user tima . soni (Jan 02)
- Re: Tracking down anonymous user Dani Houpt (Jan 02)
- RE: Tracking down anonymous user David A. Coursey (Jan 02)
- Re: Tracking down anonymous user Mat Benwell (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- Re: RE: Tracking down anonymous user christopherkelley (Jan 02)
- RE: Tracking down anonymous user Scott Ramsdell (Jan 02)
- Re: Tracking down anonymous user killy (Jan 02)
- RE: Tracking down anonymous user Tom Geairn (Jan 02)
- Re: Re: Tracking down anonymous user mikef (Jan 02)
- RE: Tracking down anonymous user Gressick, Michael (Jan 02)
- Re: Re: Re: Tracking down anonymous user christopherkelley (Jan 04)