Security Basics mailing list archives

RE: TR : event viewer log How to get more information


From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Mon, 7 Apr 2003 11:54:57 -0400

You say no one has access.  What is preventing them from accessing the
machine? It's a little difficult to help with the information you provided.
It is quite possible that your drive is shared which is allowing access
among other things.  From this log it is telling you that the users did log
on and from what workstations.  These logins can be done with scripts,
batch files, directly...as long as someone has the correct userid and
password and the machine allows the access (or of course if there is a
trojan/backdoor).  It is probably configured to allow access.  Go to Center
For Internet Security web site to obtain their program and inf files to help
you lock down your O/S.  There are of course other tools but this is a good
place to start and it's free.

There are lots of tools to log information but WHAT information you want to
log needs to be defined so we can help you out some more.  Tripwire could
have been useful for initial baselining to see what changes were made (if
any) but it normally isn't installed on workstations, mostly servers.  Your
security event logs are pretty good.  Try looking at the Security Event logs
on the offending machines.  Do you have users and machines with those ID's?
Do you have Firewalls set up?  What kind?  Were the offending users
currently on the network at the time or did someone steal their account
info?  A forensic exam would help but of course, are you trying to stop
future access or was there confidential info that could have been
compromised?


Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office:  212-806-4125
Pager: 8884238615



-----Original Message-----
From: "Héroux, Christian" [mailto:Christian.Heroux () etsmtl ca] 
Sent: Friday, April 04, 2003 12:15 PM
To: security-basics () securityfocus com
Subject: TR : event viewer log How to get more information


Hello all !
I hope you can help me ! There are many event logs like these on a
user workstation (Windows XP). Someone logged into his station? Right? How
can I get more info to troubleshoot? Nobody is allowed on this user's station.
We don't have much info to find out what's wrong. Is it a process, which
PC... Do you have any tool that could log more detail?

Christian H.


Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           540
Date:                2003-04-02
Time:                10:19:02
User:                XXX\ffournXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       ffournXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x1BA8FD3)
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NTLM
            Workstation Name:        GPA_024824
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
 
 
 
Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           540
Date:                2003-04-03
Time:                09:40:15
User:                XXX\rmaraXXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       rmaranXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x586DD0)
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NTLM
            Workstation Name:        GPA_026195
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
 
 
Event Type:       Failure Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           529
Date:                2003-04-04
Time:                02:33:06
User:                NT AUTHORITY\SYSTEM
Computer:         BISMARCK
Description:
Logon Failure:
            Reason:                        Unknown user name or bad password
            User Name:       Administrator
            Domain:                        PERF-1
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NWV1_0
            Workstation Name:        PERF-1
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

 

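The reply above says the log already tells you which users logged on and from which workstations, and to chase the failed logons. As an added example (not code from either poster), here is a small Python parser for the classic NT/XP Security log text format quoted in the thread, with a triage pass that flags Event ID 529 failures and type-3 (network) Event ID 540 logons whose Workstation Name is not in a list you supply. The sample dump and the inventory set `{"BISMARCK"}` are constructed for the example.

```python
import re

# Constructed sample modelled on the classic NT/XP Security log text dumps
# quoted in the thread (one Event ID 540 network logon, one 529 failure).
SAMPLE_LOG = """\
Event Type:       Success Audit
Event ID:           540
Date:                2003-04-02
Time:                10:19:02
Successful Network Logon:
            User Name:       ffournXXX
            Domain:                        XXX
            Logon Type:      3
            Workstation Name:        GPA_024824

Event Type:       Failure Audit
Event ID:           529
Date:                2003-04-04
Time:                02:33:06
Logon Failure:
            Reason:                        Unknown user name or bad password
            User Name:       Administrator
            Domain:                        PERF-1
            Logon Type:      3
            Workstation Name:        PERF-1
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

def parse_events(text):
    """Split a text dump into one {field: value} dict per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(m.groups() for m in map(FIELD.match, chunk.splitlines()) if m)
        if "Event ID" in fields:
            events.append(fields)
    return events

def triage(events, known_workstations):
    """Return (kind, user, workstation, when) tuples for failed logons (529)
    and type-3 network logons (540) from a workstation not in your inventory."""
    findings = []
    for e in events:
        ws, who = e.get("Workstation Name", ""), f"{e.get('Domain')}\\{e.get('User Name')}"
        when = f"{e.get('Date')} {e.get('Time')}"
        if e["Event ID"] == "529":
            findings.append(("failed-logon", who, ws, when))
        elif e["Event ID"] == "540" and e.get("Logon Type") == "3" and ws not in known_workstations:
            findings.append(("unknown-workstation", who, ws, when))
    return findings
```

Run it against a dump exported from Event Viewer on the affected machine (and, as the reply suggests, on the workstations named in the events) to see at a glance which accounts and source machines need explaining.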