Comments on Windows Incident Response: Am I wrong on this?
(comment feed last updated 2024-03-19)

Comment by Joe (https://www.blogger.com/profile/04695953893662418677), 2011-01-20 04:54 -05:00:

I realize this is an old post, but this is a topic I feel is still really relevant today. System Administration is something that usually comes along with preconceived notions by most... IT / Security elites. Do you review logs, lock down your servers, have activity baselines, etc.?

While all of these tasks are important and should be standard... I’ve been in the field for some time, and have found it to be rare for these things to occur. Unfortunately, most Admins I have come across excel in running just the systems they work with. In small to medium size companies, the list of hardware isn’t very varied, or if it is varied, it’s because the equipment is 5 years old and cheap. The Admin might not know that IIS logs are not in the event viewer, but does know the printer on the executive floor backwards and forwards.

What I am getting at is that I have always seen the trend for most System Admins to be good at keeping things running, and the burden of forensics (even simple steps) has been left to the security department, or a contractor/professional. This is something I have struggled with in my career, as it’s hard to find a company that will pay you for being security minded, instead of a "Yes" man / just keep it up and running. For example, not too long ago, a company server had been compromised (non-production website defacement) and I was told to stop analyzing the root cause because the receptionist’s Outlook was crashing. While I’m not trying to downplay an end user’s impairment, the security concern isn’t there in most places UNTIL it affects the bottom line.

It’s a real shame too, because when a system/device/server is compromised, it’s usually the admin that takes the heat.

For the reasons mentioned (sorry for the book of a post), it’s always refreshing to me when I see security guides posted for administrators, who, for instance, might not be familiar with analyzing malware with a hex editor, or able to understand creating customized IDS signatures.

Comment by Anonymous (https://www.blogger.com/profile/13441809988487585009), 2004-12-19 02:23 -05:00:

Nope, you're not wrong at all. Frustrates me as well to see blatant disregard for the quest of knowledge. =)