
Windows Incident Response



This is Part 1 of this page. It's the introduction to guidelines for responding to a compromised Windows 2000 system. The guidelines will follow in the near future. The contents of this page may change as the guidelines section is being developed. If you have any comments, please forward them to


Overview & Audience

Ideally you are reading this document because you would like to protect your Windows servers from attack. The section of the document called Proactive Measures is for you. Before skipping to Proactive Measures a quick reading of section 2 will provide you with some insight on the difficulties that you can face responding to a hacked system.

On the other hand, if you are trying to deal with an active incident, the next section, titled Reactive Measures, is a good place to get oriented if you do not have a lot of experience in this area.

This document is not a comprehensive presentation on the problem area. It attempts to provide basic guidelines and directs the reader to other material for in-depth study. The scope of the document is limited to Windows 2000 servers and Microsoft's Internet Information Server (IIS).

I need help with a system that is hacked

When a system is hacked, a number of concerns immediately come to mind:

  • How do I prevent further damage?
  • How do I restore normal operations?
  • How do I assess the damage that has been done?
  • How do I minimize the possibility of the system being hacked in the future?

In order to answer these questions it is necessary to have a good technical understanding of the operating system, the applications running on the server, the integrity requirements of the data and the nature of the business. In this document, we are assuming that you have a good technical background in Windows system administration. If you don't, and your system is hacked, our best recommendation is to engage someone who does have the experience.

I want to make my systems more secure

Strengthening the security of a Windows system requires us to work along several lines of attack.

  1. Developing and testing an effective disaster recovery plan (More Information).
  2. Establishing a set of procedures that routinely and frequently ensures that all the relevant patches and upgrades to the operating system and applications software are tested and installed.
  3. The operating system needs to be enhanced with intrusion detection software.
  4. Best practices with respect to account and password management (More Information) need to be followed.

CNS security services

Security is an important concern for CNS. In this section we identify the various initiatives that we undertake to secure the University systems.

I am interested in how other administrators have responded to system hacks

Experience is the best teacher. Ideally we would like to learn from other people's experience. This section consists of incident reports prepared by various system administrators on campus.


All contents copyright University of Toronto 2000-2003
This Site is maintained by the Computer Security Administration Group