Security Basics
Unknown user found in AD and SonicWall Jul 02 2012 07:01AM
Alex Dolan (dolan alex gmail com) (2 replies)
RE: Unknown user found in AD and SonicWall Jul 02 2012 07:30AM
Matan Hirom (matan hirom co il) (1 replies)
Re: Unknown user found in AD and SonicWall Jul 02 2012 02:55PM
Keith Kooyman (kckooyman tstc edu)
You could also set up a host IPS on the affected server. OSSEC is an open source HIPS that will also monitor logs and alert in real time when defined events occur. I've been faced with similar situations over the years. The thing to get management to understand is that the network and servers are property of the company, not the vendor. The vendor must comply with proper security defined by your IT dept, not by the vendor.

Keith

Sent from my iPad

On Jul 2, 2012, at 2:30 AM, "Matan Hirom" <matan (at) hirom.co (dot) il [email concealed]> wrote:

> Hey Alex,
>
> First, try to audit specific logon events on the DCs. You might want to
> use an automatic task to collect the logs. That way you can see what the AD
> user has been up to.
> Second, what firewall do they have? Did they establish a log server for
> it? If so, try to correlate between the FW log and the AD log.
>
> In the future, you might want to suggest that your client establish "Honey
> Pots" over the network. For example - monitoring an AD user with Domain
> Admins permission and a weak password.
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On
> Behalf Of Alex Dolan
> Sent: Monday, July 02, 2012 10:02 AM
> To: security-basics (at) securityfocus (dot) com [email concealed]
> Subject: Unknown user found in AD and SonicWall
>
> In a recent audit of one of our client's networks, I came across a new user
> in Active Directory, and dial-in access through the firewall.
> It was "Syn IT development access"
>
> The program, Syn, is a legitimate program used by the client, so we called
> the developers and they said the port is used only on special occasions,
> none of which the client had ever needed.
>
> What I want to set up is a trap-and-trace for the user, see where they are
> connecting from and what they're getting up to.
>
> Any suggestions on how to do this? OS is Windows Server 2008 R2
>
> Thanks in advance
>
[ reply ]
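The correlation of firewall and AD logs suggested in the thread, sketched as an added example that is not part of any poster's message. The account name `syn_dev`, the addresses, the 120-second window and both log layouts are constructed assumptions; map the fields to the real event export and the firewall's own log format.

```python
import re
from datetime import datetime, timedelta

WATCHED = "syn_dev"              # hypothetical account name for the vendor user
WINDOW = timedelta(seconds=120)  # assumed tolerance for clock skew between devices
FMT = "%Y-%m-%d %H:%M:%S"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: fields taken from Security event 4624 (successful logon).
AD_EVENTS = [
    {"time": "2012-07-02 06:58:40", "id": 4624, "user": "syn_dev", "ip": "10.0.0.1"},
    {"time": "2012-07-02 07:10:05", "id": 4624, "user": "jsmith", "ip": "10.0.0.23"},
    {"time": "2012-07-02 23:14:09", "id": 4624, "user": "SYN_DEV", "ip": "10.0.0.1"},
]

# Constructed firewall lines in a generic key=value layout, not a vendor's format.
FW_LOG = """\
time="2012-07-02 06:58:11" action=allow src=203.0.113.7 dst=10.0.0.5 dport=3389
time="2012-07-02 07:09:58" action=allow src=10.0.0.23 dst=10.0.0.5 dport=445
time="2012-07-02 23:13:50" action=allow src=198.51.100.44 dst=10.0.0.5 dport=3389
time="2012-07-02 23:40:00" action=deny src=198.51.100.44 dst=10.0.0.5 dport=3389
"""

def parse_fw(log):
    """Turn each key=value line into a dict with a parsed timestamp."""
    rows = []
    for line in log.splitlines():
        row = {k: q or b for k, q, b in KV.findall(line)}
        if "time" in row:
            row["time"] = datetime.strptime(row["time"], FMT)
            rows.append(row)
    return rows

def correlate(ad_events, fw_rows, user=WATCHED, window=WINDOW):
    """For each logon by `user`, list sources of allowed connections just before it."""
    hits = []
    for ev in ad_events:
        if ev["id"] != 4624 or ev["user"].lower() != user.lower():
            continue
        when = datetime.strptime(ev["time"], FMT)
        srcs = sorted({r["src"] for r in fw_rows if r.get("action") == "allow"
                       and timedelta(0) <= when - r["time"] <= window})
        hits.append((ev["time"], ev["ip"], srcs))
    return hits

if __name__ == "__main__":
    for when, logged_ip, srcs in correlate(AD_EVENTS, parse_fw(FW_LOG)):
        print(when, "AD logged", logged_ip, "| firewall saw", ", ".join(srcs) or "no match")
```

In the sample the domain controller only records an internal address for the watched account, while the firewall entries in the preceding window supply the external source of each session.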
Re: Unknown user found in AD and SonicWall Jul 02 2012 07:22AM
Rob (synja synfulvisions com)
Copyright 2010, SecurityFocus