
Using Sophos Enterprise to monitor End point user account

Hi All,

I was asked about the possibility of Sophos to manage/monitor the End point local account creation.

For example, a staff creates a local user on PC1 and Sophos is able to track that such an action was done OR to prompt that this user account creation request has been blocked or disallowed.

Sophos will create a local account called SophosSAUComputerName during installation on end point but would Sophos also be aware of other local accounts being created?

Is it even possible?

I've tried to google similar when I was asked about this but I don't think this is part of Sophos functionality?

Could anyone verify?

Appreciate it!

  • Hello silentjess,

    I see, it's clearer now what you want.

    To a certain extent Sophos does protect the system, that's what Behavior Monitoring (HIPS and if applicable BOPS) is for.

    many odd named local user accounts created on some workstations and servers ... seems there are apps [...] when executed

    Servers as well? That'd be very serious. Anyway, if apps running in a user's context are able to create accounts then they'd have to exploit some vulnerability for an EOP (elevation of privilege). Account creation might be just one of several malicious actions performed by the rogue program.

    Although the firewall and security is able to prevent unauthorized access

    Have attempts to access the machines with these accounts actually been observed and what's more has it been found that they have been prevented? One purpose of an added account is to have access to a computer in an otherwise unsuspicious way.

    You should not be looking for a workaround to prevent account creation; rather, you have to assess what kind of threat you are facing. SMaRT can be of help here.

    Christian 
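
Added example, not part of the original thread and not a Sophos feature: one way to answer the two questions raised above (which local accounts were created, and whether anyone has tried to log on with them) from the Windows Security log. It assumes an elevated PowerShell session on the endpoint, that account-management and logon auditing are enabled, and a 30-day look-back window chosen for illustration; `Get-EventField` is a helper defined here.

```powershell
# Added example: correlate local account creation (event 4720) with logon
# attempts (4624 = success, 4625 = failure) made using those accounts.
# Assumption: auditing of account management and logon events is enabled.
$since = (Get-Date).AddDays(-30)   # illustrative look-back window

function Get-EventField {
    param($Record, [string]$Name)
    # Read one named <Data> element from the event's XML payload.
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Accounts created in the window, and who created them.
$created = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = Get-EventField $_ 'TargetUserName'
        # Check whether the account still exists locally and is enabled.
        $local = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Created     = $_.TimeCreated
            Account     = $name
            CreatedBy   = Get-EventField $_ 'SubjectUserName'
            StillExists = [bool]$local
            Enabled     = if ($local) { $local.Enabled } else { $null }
        }
    }
)
$created | Sort-Object Created | Format-Table -AutoSize

# 2. Logon attempts that used any of those accounts.
if ($created.Count -gt 0) {
    $names = $created.Account
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = Get-EventField $_ 'TargetUserName'
        if ($names -contains $user) {
            $result = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $user
                Result    = $result
                LogonType = Get-EventField $_ 'LogonType'
                Source    = Get-EventField $_ 'IpAddress'
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
}
```

An empty first table means either no accounts were created in the window or the audit policy was not recording account management, so confirm the policy before drawing conclusions.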
