Which part of system changed?

  • Question

  • Hello.

    If a hacker hacks my Windows server and changes some settings, how can I find them? For example, a hacker hacks my Windows username and password, logs in to my system and modifies a service, but how can I understand it?

    Thank you.

    Wednesday, September 21, 2016 5:48 AM

Answers

  • Hi,

    Thanks for your post.

    Maybe you could consider using audit policy settings. Please see the below information:

    The 53 security audit policy settings under Security Settings\Advanced Audit Policy Configuration can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:

    • A group administrator has modified settings or data on servers that contain finance information.
    • An employee within a defined group has accessed an important file.
    • The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.

    Advanced Security Audit Policy Settings

    https://technet.microsoft.com/en-us/library/dn319056

    Audit Policy

    https://technet.microsoft.com/en-us/library/cc766468(v=ws.10).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Alvwan Monday, September 26, 2016 3:01 AM
    • Marked as answer by Alvwan Thursday, October 6, 2016 2:39 AM
    Thursday, September 22, 2016 7:39 AM
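
As an added example (not part of the original thread or of the reply above), this PowerShell sketch shows one way to apply the audit-policy suggestion to the kinds of changes asked about in this thread: it enables a few advanced audit subcategories with `auditpol`, then lists recent service, firewall rule, account and audit-policy changes together with Remote Desktop logons. The choice of subcategories and the seven-day look-back window are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
# Subcategory names are the English ones; they are localized on other UI languages.
$subcategories = @(
    'Logon'                            # 4624: successful logon, with type and source address
    'Security System Extension'        # 4697: a service was installed
    'MPSSVC Rule-Level Policy Change'  # 4946/4947/4948: firewall rule added/modified/deleted
    'User Account Management'          # 4720/4724/4738: account created, password reset, changed
    'Audit Policy Change'              # 4719: the audit policy itself was changed
)
foreach ($name in $subcategories) {
    auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
}

$since = (Get-Date).AddDays(-7)   # assumed look-back window

# Configuration changes recorded in the Security log
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; StartTime = $since
    Id = 4697, 4719, 4720, 4724, 4738, 4946, 4947, 4948
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

# Service installs (7045) and start-type changes (7040), logged by default in the System log
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7040, 7045; StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Remote Desktop logons: event 4624 with LogonType 10 (RemoteInteractive)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time     = $evt.TimeCreated
                User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                SourceIp = $data['IpAddress']
            }
        }
    }
```

Security-log events from the newly enabled subcategories are recorded only for activity that happens after auditing is turned on, so the policy has to be in place before the change you want to trace.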

All replies

  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Monday, September 26, 2016 3:01 AM
  • Thank you, but can I use a third party that gives me more info and is the easiest way?

    For example, a hacker hacked your system and added his/her IP address in Remote Desktop, but you can't understand it unless you check all services.

    Monday, September 26, 2016 10:54 AM
  • Hi,

    I think there must be some third-party software which can meet your requirement, but please understand that we are not familiar with this software, so we cannot give you recommendations.

    Thanks for your understanding.

    Best Regards,

    Alvin Wang



    Tuesday, September 27, 2016 1:54 AM