Problem solve Get help with specific problems with your technologies, process and projects.

Hacking detection: Using a Windows server comparison to find a hack

Find out what tools are the most useful for hacking detection, and if there is a way to conduct a Windows server comparison to find a hack.

Is there any tool for running a Windows server comparison for processes, services etc. to aid in finding a hack?
There is no one intrusion detection tool that can discern if a system has been hacked. There are many different tools that can be used in the incident response process for determining if a system has been compromised, but most times, multiple tools are used to try to cover all of the known signs of compromise, like those found on incident response CDs like Helix or others.

Start the intrusion detection process by comparing running processes and services. There are times when a compromise is fairly simple and can be found by just such a comparison check. The Microsoft Windows Sysinternals tool can be used for listing out processes, services, handles and other types of volatile data useful for incident response. I am going to assume what you're talking about is a server and therefore you cannot do a forensic investigation on the hard drive or storage device. You can, though, dump the contents of memory for use in a forensics investigation using tools such as WinDD or Mdd, but you might want to first start with standard incident response tools. There are commercial forensic tools that will dump volatile data and allow you to take an image of the system remotely.

There are also some system management tools like Ecora Auditor or Microsoft System Center Configuration Manager used for configuration management or patching that can do many of these things and compare a potentially compromised server to a known good system to let you know the differences.

This was last published in May 2010

Dig Deeper on Microsoft Windows security

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.