Using Sophos Enterprise to monitor End point user account

Hi All,

I was asked about the possibility of Sophos to manage/monitor the End point local account creation.

For example, a staff creates a local user on PC1 and sophos is able to track that such an action was done OR to prompt that this user account creation request has been blocked or disallowed.

Sophos will create a local account called SophosSAUComputerName during installation on end point but would sophos also be aware of other local accounts being created?

Is it even possible?

I've tried to google similar when I was asked about this but I don't think this is part of Sophos functionality?

Could anyone verify?

Appreciate it!

  • Hello silentjess,

    Sophos does not monitor or control account creation/modification or Windows configuration in general.

    Many configuration options are limited to administrators anyway and you can further restrict them with security policies. Account-related events are recorded in the Security Event log. Of course, local administrators being what they are can, in a non-domain environment, override settings you've made and thus for example disable auditing.

    What's the problem with local admins creating additional accounts? In what way is this right "abused"?

    Christian   

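Christian's point that account-related events land in the Security Event log is the practical answer to the original question, so here is an added example (not posted in the thread and not Sophos code) of pulling those events from one endpoint with PowerShell. It assumes the "User Account Management" audit subcategory is enabled, which the first command checks, and an elevated prompt; the event IDs are the standard Windows ones for account creation, enabling, deletion and local group membership changes.

```powershell
# Added example: list local account-management events from the Windows Security log.
# Assumes User Account Management auditing is on (checked below) and an elevated prompt.

# 1. Confirm auditing is enabled. If this reports "No Auditing", the events below
#    will simply not exist, and Christian's remark about local admins disabling
#    auditing applies.
auditpol /get /subcategory:"User Account Management"

# 2. Event IDs used (standard Windows Security log IDs):
#    4720 = a user account was created
#    4722 = a user account was enabled
#    4726 = a user account was deleted
#    4732 = a member was added to a security-enabled local group (e.g. Administrators)
$ids = 4720, 4722, 4726, 4732

# 3. Pull the last 30 days of those events.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

# 4. Each event carries its fields as named <Data> elements; flatten them into a table.
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Target  = $data['TargetUserName']   # account created/enabled/deleted; group name for 4732
        Member  = $data['MemberSid']        # only present on 4732: the SID that was added
        DoneBy  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId = $data['SubjectLogonId']   # session that performed the action
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The DoneBy column is the part worth reading first: a 4720 raised by an ordinary user account that supposedly has no admin rights points at a privilege problem on that machine, while one raised by SYSTEM or a service account points at an installer or service doing the creating. The 4720 timestamp also gives the creation time of each account, which the account object itself does not carry.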
  • Hi QC, thank you for replying to my query again!

    Actually I was asked about Sophos being able to prevent unauthorized creation of local user accounts on the local machines. Besides protecting the system from adware, viruses, web access to certain sites...maybe it was able to protect the system itself.

    Recently we found many odd named local user accounts created on some workstations and servers. Although the firewall and security is able to prevent unauthorized access, the security team diagnosed that it was internet applications. It seems there are apps that my users download and when executed, the programs create user accounts on the workstation, allowing unauthorized access even though my end users have no admin rights and are prevented from installing applications.

    I did google Sophos and wondered if users like you who are experienced have a workaround for that.

    Thanks again QC!

  • Hello silentjess,

    I see, it's clearer now what you want.

    To a certain extent Sophos does protect the system, that's what Behavior Monitoring (HIPS and if applicable BOPS) is for.

    many odd named local user accounts created on some workstations and servers ... seems there are apps [...] when executed

    Servers as well? That'd be very serious. Anyway, if apps running in a user's context are able to create accounts then they'd have to exploit some vulnerability for an EOP (elevation of privilege). Account creation might be just one of several malicious actions performed by the rogue program.

    Although the firewall and security is able to prevent unauthorized access

    Have attempts to access the machines with these accounts actually been observed and what's more has it been found that they have been prevented? One purpose of an added account is to have access to a computer in an otherwise unsuspicious way.

    You should not be looking for a workaround to prevent account creation, rather you have to assess what kind of threat you are facing, SMaRT can be of help here.

    Christian 

  • Hi Christian,

    Thanks for your update again.

    Yes, the HIPS and behavior monitoring are enabled for both workstations and servers.

    I do agree that my network guy may not have done any penetration tests to test if the network is secured enough.

    I would subtly inform him.

    Thanks again!!

  • Hello silentjess,

    there are other, less conspicuous, ways to "ensure" remote access to a computer than creating a local account - especially when you have been able to elevate your privileges. It's not clear what their actual purpose could be.

    You can check if and when the accounts have been logged on with net user accountname (there's unfortunately no interface provided to obtain their creation date). It would also be strange if users on several workstations and servers as well would have encountered the same malware. More likely (though equally strange) would be that only one computer downloaded some malware which then reached out (from "inside") to the other computers (still there's no explanation for the accounts created). 

    Is there any suspicious activity? Have the accounts been used, are new ones created if you delete them? Is there an unusually high number of detections (you'd have to run a report, SEC displays only outstanding alerts and not those which have been dealt with)?

    Christian   

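Christian's last two replies amount to a triage checklist: which local accounts exist, whether they have ever logged on (what "net user accountname" shows), whether they sit in the Administrators group, and when they appeared. The following added example (not from the thread, not Sophos code) runs that checklist on one machine. It assumes Windows 10 / Server 2016 or later, where the Get-LocalUser and Get-LocalGroupMember cmdlets ship with PowerShell 5.1; the $Expected baseline list is a constructed placeholder to replace with your own, and the creation time comes from 4720 events, so it is only available where User Account Management auditing was on at the time.

```powershell
# Added example: inventory local accounts and flag the ones that deserve a second look.
# Assumes Get-LocalUser / Get-LocalGroupMember are available (Windows 10 / Server 2016+).

# Constructed placeholder baseline of accounts you expect to see; replace with your own.
$Expected = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

# SIDs of the local Administrators group members (by SID so renamed accounts still match).
$adminSids = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).SID.Value

# The account object has no creation date, but the 4720 "user account was created" event
# records one when auditing was enabled. Keep the most recent 4720 per account name.
$created = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $name = ($x.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
        if ($name -and -not $created.ContainsKey($name)) { $created[$name] = $_.TimeCreated }
    }

Get-LocalUser | ForEach-Object {
    $flags = @()
    if ($Expected -notcontains $_.Name)        { $flags += 'not in baseline' }
    if ($adminSids -contains $_.SID.Value)     { $flags += 'local admin' }
    if ($_.Enabled -and -not $_.LastLogon)     { $flags += 'enabled, never logged on' }
    if ($_.Name -like 'SophosSAU*')            { $flags += 'SophosSAU account from the question (expected)' }

    [pscustomobject]@{
        Name      = $_.Name
        Enabled   = $_.Enabled
        LastLogon = $_.LastLogon        # same information "net user <name>" reports as Last logon
        Created   = $created[$_.Name]   # $null if no 4720 event for this name survives in the log
        Flags     = ($flags -join '; ')
    }
} | Sort-Object Name | Format-Table -AutoSize
```

An account that is outside the baseline, enabled, in Administrators and has never logged on matches Christian's description of an account parked for later access; one with a LastLogon but no 4720 record tells you the log has either rolled over or was not auditing at the time, which is itself worth noting before deleting anything.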