I have a network with a domain controller and Active Directory users in one location.
Also, in another location I have a different domain controller and Active Directory users. These are separate domains.
My problem is that I have a person who manages to connect from one location to the other.
Each location that has a domain controller and Active Directory has a firewall... it's a FortiGate machine.
This person has only a user account in Active Directory. The local accounts on his computer are disabled.
On his computer the IP address is static. Both the server and the workstations are up to date.
He succeeds in using the Internet to connect to the other network, using administrator privileges.
This person makes changes on other computers in both locations... normal changes that are made only by the network administrator.
I think it's an undetectable virus/trojan. I would like to know how I can scan servers and services for undetectable viruses/trojans and trace how this person connects. From what I know so far, the user succeeds in taking over the user's session from a different computer without the user's knowledge or realizing it, and makes any changes he wishes.
I check the logon failures and I have many attempts to access the administrator account. The location where I find it is every computer that I log on to as the administrator account, and the primary/secondary domain controllers.
I have software that I manage my events with... ADAudit Plus... In my reports it says that the event type is failure and the failure reason is bad password. The problem is that at logon time, for example at this hour, 12:33:25, the administrator account is accessed 44 times....
I think that a sort of trojan horse is trying to access my administrator account to steal my password....
My problem is how I detect this trojan horse... and how I delete it permanently. Where might I look for more information? What shall I do next?
Any suggestion / feedback / opinion is appreciated... thank you
Edited by hamluis, 12 April 2016 - 12:32 PM.
Moved from MRL to Gen Security - Hamluis.
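The post describes a burst of failed logons against the administrator account in a single second. As an added example (not from the original post or from ADAudit Plus), the following Python script scans a Security-log style export for exactly that pattern, many failed logons (event 4625) against one account inside a short window, and reports which workstation and IP the attempts came from, which is what a defender needs in order to trace the source. The export field order, host names, IPs and event lines below are constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample export (timestamp, event id, target account, source
# workstation, source IP, NTSTATUS). Field order is an assumption, not a real
# tool's format: five failures in one second against "administrator" from one
# workstation, plus one unrelated failure and one success that must not match.
SAMPLE_LOG = """\
2016-04-12 12:33:25,4625,administrator,WS-HR-03,10.1.2.44,0xC000006A
2016-04-12 12:33:25,4625,administrator,WS-HR-03,10.1.2.44,0xC000006A
2016-04-12 12:33:25,4625,Administrator,WS-HR-03,10.1.2.44,0xC000006A
2016-04-12 12:33:25,4625,administrator,WS-HR-03,10.1.2.44,0xC000006A
2016-04-12 12:33:25,4625,administrator,WS-HR-03,10.1.2.44,0xC000006A
2016-04-12 12:40:01,4625,jsmith,WS-FIN-01,10.1.5.12,0xC000006A
2016-04-12 12:40:05,4624,jsmith,WS-FIN-01,10.1.5.12,0x0
"""

def parse_events(text):
    """Parse export lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, event_id, account, host, ip, status = parts
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(event_id), "account": account.lower(),
                       "host": host, "ip": ip, "status": status})
    return events

def find_bursts(events, window_s=1, threshold=5):
    """Group failed logons (4625) per account into fixed windows and return
    {(account, window_start): {"count": n, "sources": {(host, ip), ...}}}
    for every window with at least `threshold` failures."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        start = int(ev["time"].timestamp()) // window_s * window_s
        key = (ev["account"], datetime.fromtimestamp(start))
        buckets[key]["count"] += 1
        buckets[key]["sources"].add((ev["host"], ev["ip"]))
    return {k: v for k, v in buckets.items() if v["count"] >= threshold}

if __name__ == "__main__":
    for (acct, start), info in find_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{start} {acct}: {info['count']} failed logons from "
              f"{sorted(info['sources'])}")
```

On a real domain the same grouping can be run over an export of event 4625 from each domain controller; the source workstation and network address fields identify the machine to examine next.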