RE: TR : event viewer log How to get more information
From: Trevor Cushen (Trevor.Cushen@sysnet.ie)
Date: 04/07/03
Date: Mon, 7 Apr 2003 17:09:23 +0100
From: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>
To: <security-basics@securityfocus.com>
Logon Type 3 is network logon
http://is-it-true.org/nt/atips/atips57.shtml
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/reskit/prnf_msg_pfjj.asp
You have both machine names, as in the machine they logged on to and the one they logged on from. Check both for anything suspicious. Put a personal firewall on for protection or leave the firewall logging only for details. It's not a process on the target machine anyway. Run an IDS system maybe. Harden the machine to block network logons. Do the other machines belong on your network? You already have beyond default auditing turned on. What exactly are you looking for?
-----Original Message-----
From: "Héroux, Christian" [mailto:Christian.Heroux@etsmtl.ca]
Sent: 04 April 2003 18:15
To: security-basics@securityfocus.com
Subject: TR : event viewer log How to get more information
Hello all !
I hope you can help me! There are many event logs like these on a user's Windows XP workstation. Someone logged into his station? Right? How can I get more info to troubleshoot? Nobody is allowed in this user's station. We don't have much info to find out what's wrong. Is it a process, which PC... Do you have any tool that could log more detail?
Christian H.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2003-04-02
Time: 10:19:02
User: XXX\ffournXXX
Computer: BISMARCK
Description:
Successful Network Logon:
User Name: ffournXXX
Domain: XXX
Logon ID: (0x0,0x1BA8FD3)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: GPA_024824
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2003-04-03
Time: 09:40:15
User: XXX\rmaraXXXX
Computer: BISMARCK
Description:
Successful Network Logon:
User Name: rmaranXXX
Domain: XXX
Logon ID: (0x0,0x586DD0)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: GPA_026195
Logon GUID: {00000000-0000-0000-0000-000000000000}
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2003-04-04
Time: 02:33:06
User: NT AUTHORITY\SYSTEM
Computer: BISMARCK
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: PERF-1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NWV1_0
Workstation Name: PERF-1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
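Added example, not part of the original messages: a small Python parser for Event Viewer text exports like the records quoted above. It groups Logon Type 3 events by the source machine (the Workstation Name field), counts successes and failures, and marks sources missing from an inventory. The function names and the KNOWN_HOSTS inventory are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Two of the events quoted above, trimmed to the fields used here.
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
User Name: ffournXXX
Domain: XXX
Logon Type: 3
Workstation Name: GPA_024824
Event Type: Failure Audit
Event ID: 529
User Name: Administrator
Domain: PERF-1
Logon Type: 3
Workstation Name: PERF-1
"""
KNOWN_HOSTS = {"BISMARCK", "GPA_024824"}  # constructed inventory, an assumption
FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*)$")

def parse_events(text):
    """Split an Event Viewer text export into one dict per event."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # free text such as the "For more information" footer
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":      # every exported record starts with this field
            cur = {}
            events.append(cur)
        if cur is not None:
            cur.setdefault(key, val)
    return events

def network_logons_by_source(events, known_hosts):
    """Group Logon Type 3 events by source machine (Workstation Name)."""
    report = defaultdict(lambda: {"ok": 0, "failed": 0, "accounts": set()})
    for e in events:
        if e.get("Logon Type") != "3":
            continue
        row = report[e.get("Workstation Name", "?")]
        row["failed" if e["Event Type"] == "Failure Audit" else "ok"] += 1
        row["accounts"].add(e.get("Domain", "") + "\\" + e.get("User Name", ""))
    return {src: dict(row, known=src.upper() in known_hosts) for src, row in report.items()}

if __name__ == "__main__":
    print(network_logons_by_source(parse_events(SAMPLE), KNOWN_HOSTS))
```

Sources with failed attempts or with `known` set to False are the ones to look at first on both the target and the originating machine.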