Security Basics mailing list archives
RE: TR : event viewer log How to get more information
From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Mon, 7 Apr 2003 11:54:57 -0400
You say no one has access. What is preventing them from accessing the machine? It's a little difficult to help with the information you provided. It is quite possible that your drive is shared, which is allowing access among other things.

From this log it is telling you that the users did log on and from what workstations. These logins can be done with scripts, batch files, directly... as long as someone has the correct userid and password and the machine allows the access (or of course if there is a trojan/backdoor). It is probably configured to allow access.

Go to the Center For Internet Security web site to obtain their program and inf files to help you lock down your O/S. There are of course other tools, but this is a good place to start and it's free.

There are lots of tools to log information, but WHAT information you want to log needs to be defined so we can help you out some more. Tripwire could have been useful for initial baselining to see what changes were made (if any), but it normally isn't installed on workstations, mostly servers.

Your security event logs are pretty good. Try looking at the Security Event logs on the offending machines. Do you have users and machines with those IDs? Do you have firewalls set up? What kind? Were the offending users currently on the network at the time, or did someone steal their account info? A forensic exam would help, but of course, are you trying to stop future access, or was there confidential info that could have been compromised?

Sonja Robinson, CISA
Network Security Analyst
HIP Health Plans
Office: 212-806-4125
Pager: 8884238615

-----Original Message-----
From: "Héroux, Christian" [mailto:Christian.Heroux () etsmtl ca]
Sent: Friday, April 04, 2003 12:15 PM
To: security-basics () securityfocus com
Subject: TR : event viewer log How to get more information

Hello all! I hope you can help me!

There are many event logs like these ones on a user workstation running Windows XP. Someone logged into his station? Right?
How can I get more info to troubleshoot? Nobody is allowed on this user's station. We don't have much info to find out what's wrong. Is it a process, which PC... Do you have any tool that could log more detail?

Christian H.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2003-04-02
Time: 10:19:02
User: XXX\ffournXXX
Computer: BISMARCK
Description:
Successful Network Logon:
User Name: ffournXXX
Domain: XXX
Logon ID: (0x0,0x1BA8FD3)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: GPA_024824
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2003-04-03
Time: 09:40:15
User: XXX\rmaraXXXX
Computer: BISMARCK
Description:
Successful Network Logon:
User Name: rmaranXXX
Domain: XXX
Logon ID: (0x0,0x586DD0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: GPA_026195
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2003-04-04
Time: 02:33:06
User: NT AUTHORITY\SYSTEM
Computer: BISMARCK
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: PERF-1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NWV1_0
Workstation Name: PERF-1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
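A small triage script, added here as an example and not part of the thread, that parses records in the form Christian pasted (exported one field per line, or flattened onto a single line as in this archive), groups them by the originating Workstation Name so the machines and IDs Sonja asks about stand out, and flags the 529 failure and any event inside a quiet-hours window. The sample records are the three from the post with the list's XXX masking kept; the quiet-hours window is an assumed office schedule, not something the log defines.

```python
import re
from collections import defaultdict

# Constructed sample: the three Security log records quoted in the original post, reduced
# to the fields used below; user names are masked with XXX exactly as they are on the list.
SAMPLE_EVENTS = [
    "Event ID: 540 Date: 2003-04-02 Time: 10:19:02 User Name: ffournXXX Domain: XXX "
    "Logon Type: 3 Authentication Package: NTLM Workstation Name: GPA_024824",
    "Event ID: 540 Date: 2003-04-03 Time: 09:40:15 User Name: rmaranXXX Domain: XXX "
    "Logon Type: 3 Authentication Package: NTLM Workstation Name: GPA_026195",
    "Event ID: 529 Date: 2003-04-04 Time: 02:33:06 Reason: Unknown user name or bad password "
    "User Name: Administrator Domain: PERF-1 Logon Type: 3 Authentication Package: NWV1_0 "
    "Workstation Name: PERF-1",
]

# Field names as Event Viewer prints them; a value runs until the next known field or the end
# of the record, so the parser copes with records that were flattened onto one line.
FIELDS = ["Event ID", "Date", "Time", "Reason", "User Name", "Domain",
          "Logon Type", "Authentication Package", "Workstation Name"]
_KEY = "|".join(re.escape(f) for f in FIELDS)
FIELD_RE = re.compile(rf"({_KEY}): (.*?)(?=\s+(?:{_KEY}):|$)")

def parse_event(text):
    """Return {field: value} for one exported Security event, whitespace-normalised."""
    flat = " ".join(text.split())
    return {k: v for k, v in FIELD_RE.findall(flat)}

def summarize_logons(events, quiet_hours=range(2, 6)):
    """Group events by the workstation that initiated them and flag what deserves a look:
    logon failures (529) and anything inside quiet_hours (assumed office schedule)."""
    by_source = defaultdict(list)
    flags = []
    for text in events:
        rec = parse_event(text)
        src = rec.get("Workstation Name", "?")
        who = f"{rec.get('Domain', '?')}\\{rec.get('User Name', '?')}"
        by_source[src].append((rec["Event ID"], who, rec.get("Authentication Package", "?")))
        if rec["Event ID"] == "529":
            flags.append(f"{rec['Date']} {rec['Time']} failed logon as {who} from {src}: {rec.get('Reason', '')}")
        if int(rec["Time"].split(":")[0]) in quiet_hours:
            flags.append(f"{rec['Date']} {rec['Time']} off-hours event {rec['Event ID']} from {src}")
    return dict(by_source), flags

if __name__ == "__main__":
    sources, flags = summarize_logons(SAMPLE_EVENTS)
    for src, hits in sources.items():
        print(src, hits)
    print("\n".join(flags))
```

Each source workstation in the summary is a host to check against the inventory and its own Security log, which is exactly the cross-check Sonja suggests.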