Hello, All...
I have some questions with regard to security in Windows 2000 (in general... any Windows 2000 machine). =) I would really appreciate some insight from anyone who knows network security better than myself. I know I am asking a lot of questions, and it may seem lazy, but I promise that if I find the answer myself later, I will answer myself!
So, here we go...
Are any of the following definitely a security risk or definite evidence of an intrusion?
1) If the access permission to the "c:\Documents and Settings\Administrator\My Documents" folder is set to only allow access to the administrator of the machine (not to be confused with administratorS plural), is there any circumstance where this can be reset to the default (several users allowed access, including "everyone") by anyone other than the administrator of the machine?
2) A directory exists, c:\documents and settings\[computer name here], and was not explicitly created by any user of the machine. I think this might have something to do with ASP.NET?
3) In the directory C:\Documents and Settings\Administrator\Local Settings\, there is a directory called "History" which contains objects (not folders) named "3 weeks ago", "2 weeks ago", "last week", "Monday", "Tuesday", etc., and these objects contain URLs visited and file access under a subfolder named "My Documents". All users other than administrator do not have this in their directories. They only contain another subfolder: ...\History\History.IE5.
4) The following (unconnected at this moment) connections are present:
(PROCESS,PROTOCOL,LOCAL,REMOTE,STATUS)
explorer.exe:1508 UDP usa-fnn4uo0bkye:1808 *:*
LSASS.EXE:248 UDP usa-fnn4uo0bkyf:isakmp *:*
LSASS.EXE:248 UDP usa-fnn4uo0bkyf:4500 *:*
mstask.exe:780 TCP usa-fnn4uo0bkyf:1025 usa-fnn4uo0bkyf:0 LISTENING
svchost.exe:420 TCP usa-fnn4uo0bkyf:epmap usa-fnn4uo0bkyf:0 LISTENING
System:8 TCP usa-fnn4uo0bkye:microsoft-ds usa-fnn4uo0bkyf:0 LISTENING
System:8 TCP usa-fnn4uo0bkyf:netbios-ssn usa-fnn4uo0bkyf:0 LISTENING
System:8 UDP usa-fnn4uo0bkyf:microsoft-ds *:*
System:8 UDP usa-fnn4uo0bkyf:netbios-ns *:*
System:8 UDP usa-fnn4uo0bkyf:netbios-dgm *:*
5) Yahoo Messenger fails to sign on despite internet connectivity in every other respect, and in add/remove programs, there are two entries, "Yahoo Messenger" and "Get Yahoo Messenger." The applications are of similar size but not identical. The uninstall of "Get Yahoo Messenger" is relatively quick compared to "Yahoo Messenger."
General questions:
A) In the properties for any event log (app, security, system), you can set the max file size and also set the expiration length... the default is 512k and 7 days. Why would the event logs span more than 7 days? Does the file size take precedence?
B) If file and printer sharing is disabled in TCP/IP properties, does that mean that it is impossible to remotely access file shares whether or not folders are "shared"?
C) Is there any intrusion technique/transmission that could go undetected by a legit version of TCPView by Sysinternals?
D) Is there such a thing as a rootkit that can be implemented from a website? Or does it have to be a fake Windows 2000 CD-ROM?
Thanks.
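Added example (editor's note, not part of the poster's message): a small triage script for question 4 above. It parses the TCPView-style listing the poster included, resolves the service names TCPView prints (epmap, netbios-ssn, microsoft-ds, isakmp, ...) back to port numbers, and compares each bound endpoint against a baseline of what the host is expected to have open, so the review starts from "which process, which service, listening or not" instead of the raw text. The listing is re-typed below as a constructed sample, the SERVICE_PORTS table is a hand-written subset of the standard port assignments, and the BASELINE set is an assumption for this example that should be adjusted to the host's actual role.

```python
"""Triage of a TCPView-style endpoint listing.

Added example, not code from the original post. Reads lines in the
"process:pid PROTO local remote [STATE]" form TCPView prints, resolves
well-known service names back to port numbers, and flags every bound
endpoint that a constructed baseline does not explain.
"""
from dataclasses import dataclass

# Service names as a Windows services file resolves them -> port number.
# Hand-written subset covering the posted listing; 4500 gets its IANA
# name here because TCPView printed it numerically.
SERVICE_PORTS = {
    "epmap": 135,         # RPC endpoint mapper
    "netbios-ns": 137,    # NetBIOS name service
    "netbios-dgm": 138,   # NetBIOS datagram service
    "netbios-ssn": 139,   # NetBIOS session service (SMB over NetBIOS)
    "microsoft-ds": 445,  # SMB direct hosting
    "isakmp": 500,        # IKE key exchange for IPsec
    "ipsec-nat-t": 4500,  # IKE/ESP over UDP for NAT traversal
}
PORT_NAMES = {port: name for name, port in SERVICE_PORTS.items()}

# Constructed baseline for this example: (protocol, port) pairs the host is
# expected to bind for file sharing, RPC and IPsec. Adjust to the host's role.
BASELINE = {
    ("TCP", 135), ("TCP", 139), ("TCP", 445),
    ("UDP", 137), ("UDP", 138), ("UDP", 445), ("UDP", 500), ("UDP", 4500),
}

# The listing from the post, re-typed as the constructed sample input.
SAMPLE = """\
explorer.exe:1508 UDP usa-fnn4uo0bkye:1808 *:*
LSASS.EXE:248 UDP usa-fnn4uo0bkyf:isakmp *:*
LSASS.EXE:248 UDP usa-fnn4uo0bkyf:4500 *:*
mstask.exe:780 TCP usa-fnn4uo0bkyf:1025 usa-fnn4uo0bkyf:0 LISTENING
svchost.exe:420 TCP usa-fnn4uo0bkyf:epmap usa-fnn4uo0bkyf:0 LISTENING
System:8 TCP usa-fnn4uo0bkye:microsoft-ds usa-fnn4uo0bkyf:0 LISTENING
System:8 TCP usa-fnn4uo0bkyf:netbios-ssn usa-fnn4uo0bkyf:0 LISTENING
System:8 UDP usa-fnn4uo0bkyf:microsoft-ds *:*
System:8 UDP usa-fnn4uo0bkyf:netbios-ns *:*
System:8 UDP usa-fnn4uo0bkyf:netbios-dgm *:*
"""


@dataclass
class Endpoint:
    process: str
    pid: int
    proto: str
    port: int
    service: str   # resolved well-known name, "" if none
    state: str     # "LISTENING" for bound TCP sockets, "" otherwise
    verdict: str   # "baseline", "dynamic" or "review"


def parse_line(line):
    """Split one TCPView line into an Endpoint (verdict filled in by classify)."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"unparseable line: {line!r}")
    process, pid = parts[0].rsplit(":", 1)
    proto, local = parts[1], parts[2]
    state = parts[4] if len(parts) > 4 else ""
    name = local.rsplit(":", 1)[1]
    port = int(name) if name.isdigit() else SERVICE_PORTS[name]
    return Endpoint(process, int(pid), proto, port,
                    PORT_NAMES.get(port, ""), state, "")


def classify(ep):
    """Attach a verdict: explained by the baseline, a dynamic-range port, or review."""
    if (ep.proto, ep.port) in BASELINE:
        ep.verdict = "baseline"
    elif ep.port >= 1024:
        # Dynamic-range port: both RPC servers (mstask.exe on TCP 1025) and
        # client sockets (explorer.exe on UDP 1808) land here, so the number
        # alone says little; tie it to the owning process before judging it.
        ep.verdict = "dynamic"
    else:
        ep.verdict = "review"
    return ep


def triage(listing):
    """Parse and classify every non-empty line of a TCPView listing."""
    return [classify(parse_line(ln)) for ln in listing.splitlines() if ln.strip()]


def exposed(endpoints):
    """(proto, port) pairs that can receive unsolicited traffic: every UDP
    binding (TCPView shows a *:* remote) and every TCP socket in LISTENING."""
    return sorted({(e.proto, e.port) for e in endpoints
                   if e.proto == "UDP" or e.state == "LISTENING"})


def needs_followup(endpoints):
    """Endpoints the baseline does not explain, for manual review."""
    return [e for e in endpoints if e.verdict != "baseline"]


if __name__ == "__main__":
    eps = triage(SAMPLE)
    for e in eps:
        print(f"{e.process:<14}{e.pid:<6}{e.proto:<4}{e.port:<6}"
              f"{e.service or '-':<14}{e.state or '-':<10}{e.verdict}")
    print("exposed:", exposed(eps))
    print("follow up:", [(e.process, e.proto, e.port) for e in needs_followup(eps)])
```

On the posted listing the baseline explains eight of the ten endpoints; the two left for follow-up are mstask.exe listening on TCP 1025 and explorer.exe bound to UDP 1808, both dynamic-range ports whose meaning depends on the owning process rather than on the port number. The script only reads what TCPView reported, so it inherits TCPView's view of the machine and cannot answer question C by itself.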