>> One thing to keep in mind is that it is often to ensure that intruders can't do anything on a system rather than try to prevent them from intruding in the first place. A good security policy is to ensure that intruders can't do anything on a system AND try to prevent them from intruding in the first place. >> If you break into a safe, and there is nothing there....you leave. Actually, I put a "second combination" on the safe so I can re-open it when something of interest is placed into it. Or if the safe is not being used, then I use it myself. A recent study from DoD confirmed several industry analyst reports regarding intrusion detection. DoD indicated that in an intrusion attempt scan that only 2% of the total systems hacked were vulnerable to exposure, on a particular sensitive network. However, unauthorized access on that 2% allowed DoD intrusion analysts gain access to over 90% of the rest of the systems on the network (sniffing, trusted relationships, etc). Detecting and responding to intrustion access attempts is extremely important, but so is detecting and responding to sucessfull intrusions. (How to answer the question; how do I detect a user who has gain unauthorized access to a system in an authorized manner?) =============================================================== Dale Drew MCI Telecommunications Manager internetMCI Security Engineering Voice: 703/715-7058 Internet: ddrew@mci.net Fax: 703/715-7066 MCIMAIL: Dale_Drew/644-3335