View Full Version : Re: Security Breach
CaptainCrazy
February 18th 04, 12:03 AM
Annita,
What sort of 'accounts' are you accused of creating?
Regards,
Capt.Crazy
"Annita" > wrote in message
...
> I've been suspended from work 'cos I was accused of creating some accounts without going through due procedure. I did not create the accounts. Even if someone knows my user admin password shouldn't they be able to tell from the security log:
> a) which machine they were logged into ('cos it can't have been mine, via the IP)
> b) what time and date it was done (and compare it to when I was on my machine)
> c) could someone have manipulated the security logs and is it traceable
> d) what other possibilities should I be investigating, as to how someone has used my machine & does it help me if my company has key stroke logging?
>
> I have to go in on Friday to discuss this & I'd really appreciate some help
>
> Thanks
>
Lem
February 18th 04, 12:03 AM
Annita wrote:
> I've been suspended from work 'cos I was accused of creating some accounts without going through due procedure. I did not create the accounts. Even if someone knows my user admin password shouldn't they be able to tell from the security log:
> a) which machine they were logged into ('cos it can't have been mine, via the IP)
> b) what time and date it was done (and compare it to when I was on my machine)
> c) could someone have manipulated the security logs and is it traceable
> d) what other possibilities should I be investigating, as to how someone has used my machine & does it help me if my company has key stroke logging?
>
> I have to go in on Friday to discuss this & I'd really appreciate some help
>
> Thanks
All of the things you mention are worth looking into. About the only thing that would definitively exonerate you would be a combination of (a) a determination of what machine was used to commit the offending acts at what time with (b) some physical security information (for example, logs of an id device used to sign into and out of the building) showing that you could not have been sitting at that machine at that time. As far as manipulating security logs in an "untraceable" way -- anything is possible with the right access and knowledge.
In any case, "if someone knows your user admin password" that in itself might be justification for suspending you. It all depends on the level of security desired/required.
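Added example (not part of the original thread): a sketch of the correlation described in the reply above, tying each account-creation event to the logon session and workstation behind it, then checking a badge log for the account owner's presence. All records are constructed and the field names are simplified assumptions; the event numbers in the comments (624 account created, 528/540 logon) are the Windows 2000/XP-era Security log IDs.

```python
from datetime import datetime

def T(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample records with simplified field names (not real log exports).
LOGONS = [  # logon events (528/540): logon ID -> account and source workstation
    {"logon_id": "0x3A1F", "user": "adminA", "workstation": "WS-017"},
    {"logon_id": "0x2B07", "user": "adminA", "workstation": "WS-004"},
]
CREATIONS = [  # account-created events (624) carrying the caller's logon ID
    {"new": "tmpuser1", "caller": "adminA", "logon_id": "0x3A1F", "time": T("2004-02-10 19:52")},
    {"new": "tmpuser2", "caller": "adminA", "logon_id": "0x2B07", "time": T("2004-02-11 09:30")},
    {"new": "tmpuser3", "caller": "adminA", "logon_id": "0x9999", "time": T("2004-02-11 23:10")},
]
BADGE = {"adminA": [(T("2004-02-10 08:55"), T("2004-02-10 17:35")),   # (in, out)
                    (T("2004-02-11 08:50"), T("2004-02-11 17:30"))]}
ASSIGNED_WS = {"adminA": "WS-004"}  # hypothetical asset register

def in_building(user, when):
    """True if the badge log has the user on site at that moment."""
    return any(t_in <= when <= t_out for t_in, t_out in BADGE.get(user, []))

def correlate(creations, logons):
    """Return (new_account, workstation, owner_on_site, verdict) per event."""
    sessions = {l["logon_id"]: l for l in logons}
    findings = []
    for ev in creations:
        session = sessions.get(ev["logon_id"])
        ws = session["workstation"] if session else None
        on_site = in_building(ev["caller"], ev["time"])
        if session is None:
            verdict = "no matching logon record: check for log gaps or clearing"
        elif not on_site:
            verdict = "owner not on site per badge log"
        elif ws != ASSIGNED_WS.get(ev["caller"]):
            verdict = "owner on site, but a different workstation was used"
        else:
            verdict = "consistent with owner"
        findings.append((ev["new"], ws, on_site, verdict))
    return findings

if __name__ == "__main__":
    for row in correlate(CREATIONS, LOGONS):
        print(row)
```

A creation event whose logon ID has no matching logon record is itself worth reporting, since it can indicate a cleared or incomplete Security log.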
David H. Lipman
February 18th 04, 12:43 AM
Annita:
You are asking in the wrong location.
You need to post this in an appropriate security newsgroup such as microsoft.public.security and/or alt.computer.security, where security experts can analyze the problem and assist you.
Dave
"Annita" > wrote in message
...
| I've been suspended from work 'cos I was accused of creating some accounts without going through due procedure. I did not create the accounts. Even if someone knows my user admin password shouldn't they be able to tell from the security log:
| a) which machine they were logged into ('cos it can't have been mine, via the IP)
| b) what time and date it was done (and compare it to when I was on my machine)
| c) could someone have manipulated the security logs and is it traceable
| d) what other possibilities should I be investigating, as to how someone has used my machine & does it help me if my company has key stroke logging?
|
| I have to go in on Friday to discuss this & I'd really appreciate some help
|
| Thanks
|
Annita
February 18th 04, 12:44 AM
Accounts = XP user accounts
Annita
February 18th 04, 01:04 AM
Thanks for your help, the CCTV outside the building might be useful. I think it's possible that another (contract) member of IT (whose knowledge is quite far reaching in the sense of server admin and that sort of thing) either saw me type my pswd and remembered it or has some other way got a hold of it, as I don't write it down. I don't know how much access he has and if he could do it in an untraceable way, what rights would he need on an XP system, with 2000 servers, running AD? I imagine only security have access to the security logs, he's only part of the move from one site to another, I can't see why he'd need access to those. So even with server admin rights, justice should prevail!
5 laptops have conveniently got 'crushed' (fairly easy to crush a few and make sure a couple get kept, n'est-ce pas?) accidentally and some Samsung X10s have also gone 'missing'. Suspicion thus far bandied around in among (perm/long term) IT staff is around him...
I did C++ and Visual Basic, but to be honest I'm just a lowly PFY, i.e. user admin type person, and I'm not as familiar with the security stuff, thanks for your swift response.
> All of the things you mention are worth looking into. About the only thing that would definitively exonerate you would be a combination of (a) a determination of what machine was used to commit the offending acts at what time with (b) some physical security information (for example, logs of an id device used to sign into and out of the building) showing that you could not have been sitting at that machine at that time. As far as manipulating security logs in an "untraceable" way -- anything is possible with the right access and knowledge.
> In any case, "if someone knows your user admin password" that in itself might be justification for suspending you. It all depends on the level of security desired/required.
Annita
February 18th 04, 01:04 AM
Thanks, never been in this situation, if I needed IT advice I'd always just ask my colleagues around me!
Lem
February 18th 04, 03:23 AM
Annita wrote:
> Thanks for your help, the CCTV outside the building might be useful. I think it's possible that another (contract) member of IT (whose knowledge is quite far reaching in the sense of server admin and that sort of thing) either saw me type my pswd and remembered it or has some other way got a hold of it, as I don't write it down. I don't know how much access he has and if he could do it in an untraceable way, what rights would he need on an XP system, with 2000 servers, running AD? I imagine only security have access to the security logs, he's only part of the move from one site to another, I can't see why he'd need access to those. So even with server admin rights, justice should prevail!
>
> 5 laptops have conveniently got 'crushed' (fairly easy to crush a few and make sure a couple get kept, n'est-ce pas?) accidentally and some Samsung X10s have also gone 'missing'. Suspicion thus far bandied around in among (perm/long term) IT staff is around him...
>
> I did C++ and Visual Basic, but to be honest I'm just a lowly PFY, i.e. user admin type person, and I'm not as familiar with the security stuff, thanks for your swift response.
>
>> All of the things you mention are worth looking into. About the only thing that would definitively exonerate you would be a combination of (a) a determination of what machine was used to commit the offending acts at what time with (b) some physical security information (for example, logs of an id device used to sign into and out of the building) showing that you could not have been sitting at that machine at that time. As far as manipulating security logs in an "untraceable" way -- anything is possible with the right access and knowledge.
>>
>> In any case, "if someone knows your user admin password" that in itself might be justification for suspending you. It all depends on the level of security desired/required.
If you really think that you are being set up, you ought to get local
professional advice. Start with an employment lawyer and have him/her
hire a security expert. It won't be inexpensive. You should at least
speak to a lawyer before you go in on Friday.