So, in the “new and upcoming news” category, StealthINTERCEPT is due out shortly here at STEALTHbits. With a name like that, we’re not suprisingly referring to it as SI internally right now. And since I’m sitting up here in Canada going through some webpage design for the roll-out, I think of it as CSI. And then I get to thinking – CSI – well, it may not be bones and blood tests, but it’s sure useful for Corporate System Investigation. Some poor OU goes missing? Get CSI on the case. Got a bad one, Tony – three critical users were just deleted. Better get CSI.
And from talking to a few of our friends/customers out there let me tell you – people need CSI. I heard from one guy how he discovered as part of an ad-hoc cleanup process that the permissions on the CEO’s mailboxes had “acquired” several different unwarranted security principals. After a quick panic lockdown, and the removal of all of the unwanted access, everything seemed fine – until the CEO couldn’t log on to his mailbox either. Then the stuff really hit the fan. Worst of all, they couldn’t find out who had made the unwanted changes in the first place. The only guy they had a name for was the guy who tried to clean it up. Guess who got in trouble? Bleah.
Another of our clients has a problem where OUs keep moving around. They think it’s caused by accidental drag-and-drops by admins using ADUC, but they don’t really know for sure. They’re looking for a tool to tell them who is making changes to their OU names. And what they’d really love is to be able to stop them *before* it happens. Moving OUs causes all kinds of messy ripple effects with DNs changing and applied GPOs getting mis-applied, they’d like to prevent all that before it hits.
So, look for [C]SI coming out soon from STEALTHbits. It may not be as sexy as Jorja Fox (what a name!), but it’s just as good for finding out the whodunnit and making sure those responsible pay for their (electronic) crimes. And it can do some prevention too – so unwanted changes to critical objects don’t happen in the first place. Pretty cool stuff.