HIDS 2.5.3 Event on w2k server

I have received the following event on a w2k server running Exchange 5.5 but cannot find anything on the process that explains (if it could be a false positive or not). Can anyone tell me if they have seen this or where to go to look? Basically, should I be worried or is this normal?

This event indicates that a subkey of HKEY_LOCAL_MACHINE\Software\Microsoft\ has been deleted. This can cause a system to become impossible to configure or run. This can be a legal operation. An example of a false positive would be uninstalling Microsoft software from the system.

This event indicates that permissions for the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg were modified. This key is associated with the Named Pipe used for Registry access, and the permissions defined for it determine which users, groups and services have access to the Registry over the network. An improper configuration of the permissions for this key can therefore render the system vulnerable to remote Registry access and modifications. In a secure environment, only Administrators and the System should have Full Control rights.

This event indicates that the permissions for one of the EventLog registry keys were modified.

The EventLog registry keys are located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog. The keys Application, Security, and System contain Application, Security, and System Event Logs settings and are found on every Windows machine. Other keys present are those for the Directory Service Log, the DNS Service Log, and other services.

A change in permission may result in modifications to these keys by an unprivileged user.

This event indicates that permissions for the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg were modified. This key is associated with the Named Pipe used for Registry access, and the permissions defined for it determine which users, groups and services have access to the Registry over the network. An improper configuration of the permissions for this key can therefore render the system vulnerable to remote Registry access and modifications. In a secure environment, only Administrators and the System should have Full Control rights.

This event indicates that the permissions for one of the EventLog registry keys were modified.

The EventLog registry keys are located under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog. The keys Application, Security, and System contain Application, Security, and System Event Logs settings and are found on every Windows machine. Other keys present are those for the Directory Service Log, the DNS Service Log, and other services.

A change in permission may result in modifications to these keys by an unprivileged user.

These all happened within an hour. Is this a normal event?
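A defender's follow-up check for the events quoted above, added here and not part of the original thread: it reads the current ACL of the winreg key and the three EventLog keys named in the event text and flags any Allow entry that grants write-capable rights to a principal other than Administrators or SYSTEM, which is the baseline the event description itself states. It assumes an elevated PowerShell 3+ session on the host being checked (not the w2k box itself, which has no PowerShell); the key paths come from the post, everything else is this example's own.

```powershell
# Keys named in the HIDS event text; baseline from that text: only Administrators and SYSTEM have Full Control.
$KeysToAudit = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System'
)
# Well-known SIDs, so a renamed or localized group name cannot hide a finding.
$TrustedSids = @('S-1-5-32-544', 'S-1-5-18')   # BUILTIN\Administrators, NT AUTHORITY\SYSTEM
# Rights that let a principal alter the key or its permissions (anything beyond read).
$R = [System.Security.AccessControl.RegistryRights]
$WriteCapable = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor $R::ChangePermissions -bor $R::TakeOwnership

function Test-RegistryKeyAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Key = $Path; Status = 'MISSING'; Findings = @() }
    }
    $findings = @()
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # already a SID, or an account that no longer resolves
        }
        if ($TrustedSids -contains $sid) { continue }
        if ([int]($ace.RegistryRights -band $WriteCapable) -ne 0) {
            $inh = if ($ace.IsInherited) { ' [inherited]' } else { '' }
            $findings += '{0} ({1}) has {2}{3}' -f $ace.IdentityReference, $sid, $ace.RegistryRights, $inh
        }
    }
    [pscustomobject]@{
        Key      = $Path
        Status   = if ($findings.Count -eq 0) { 'OK' } else { 'REVIEW' }
        Findings = $findings
    }
}

# One line per key; REVIEW rows list the non-baseline grants so they can be compared with a known-good host.
foreach ($k in $KeysToAudit) {
    $result = Test-RegistryKeyAcl -Path $k
    '{0,-7} {1}' -f $result.Status, $result.Key
    $result.Findings | ForEach-Object { "        - $_" }
}
```

Some Windows versions grant service accounts limited write rights under the EventLog keys by default, so a REVIEW row is a prompt to diff against a trusted build of the same OS, not proof of tampering.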

Re: HIDS 2.5.3 Event on w2k server

Forgot to mention: the process was mad.exe
