Re: audit user logon activity

From: H Carvey (keydet89_at_yahoo.com)
Date: 10/07/04

    Date: 7 Oct 2004 16:50:51 -0000
    To: security-basics@securityfocus.com
    In-Reply-To: <20041006191105.63203.qmail@web50505.mail.yahoo.com>

    >I tried to find out how to find whether a user logs to
    >multiple computers on the network. From MS security
    >log, I can not find anything I want to. Is there any
    >windows free utility which allows to audit a user's log
    >on activity?
    >(BTW, we are in windows 2000 environment).

    To be quite honest, I'm a little unclear as to why you're having trouble with this. If the systems have their audit policy configured to record successful and failed login attempts, you should be seeing the user's logins.

    Something to consider beyond the audit configuration...what credentials (ie, username and password combination) are you looking for?

    Another option you might consider (beyond or in addition to reviewing the Security Event Log from each system) is querying each system (or just specific systems) for sessions, a la "net session". One way to do this is to use psloggedon.exe from SysInternals...feed a list of machine names to the tool and then parse the output. Another means is to use WMI, either via VBScript or Perl (my personal favorite).

    Something else to consider is that the user, if they are logging into the systems, isn't doing so in the traditional MS sense, but using some sort of backdoor access.

    Of course, it could very well be the case that the user is not, in fact, logging on to multiple systems.

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://groups.yahoo.com/group/windowsir/

    "Meddle not in the affairs of dragons, for
    you are crunchy, and good with ketchup."

    "The simplicity of this game amuses me.
    Bring me your finest meats and cheeses."
    ------------------------------------------
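
Added example, not part of the original post: one way to correlate Security Event Log logon records collected from several systems and list the accounts seen on more than one host. The CSV column layout and the sample rows are constructed for this example (they are not a native export format); event IDs 528 and 540 are the Windows 2000 successful-logon events and 529 is a failed logon.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per Security log event, merged from several hosts.
SAMPLE = """host,time,event_id,domain,user,logon_type
WS01,2004-10-06 08:01:12,528,CORP,jsmith,2
WS02,2004-10-06 09:15:40,528,CORP,jsmith,2
WS02,2004-10-06 09:16:02,529,CORP,jsmith,2
FS01,2004-10-06 09:20:05,540,CORP,jsmith,3
WS03,2004-10-06 10:02:33,528,WS03,jsmith,2
WS01,2004-10-06 08:30:00,528,CORP,adoe,2
FS01,2004-10-06 08:45:10,540,CORP,adoe,3
"""

SUCCESS = {"528", "540"}  # successful logon / successful network logon


def load(text):
    """Parse the (assumed) CSV layout into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def logons_by_account(rows, interactive_only=True):
    """Map DOMAIN\\user -> {host: first successful logon time}."""
    found = defaultdict(dict)
    for r in rows:
        if r["event_id"] not in SUCCESS:
            continue  # skip failures such as 529
        if interactive_only and r["logon_type"] != "2":
            continue  # type 3 (network) is usually just share access
        # Keep the domain: CORP\jsmith and the local WS03\jsmith are
        # different credentials even though the username matches.
        account = f'{r["domain"].upper()}\\{r["user"].lower()}'
        host = r["host"].upper()
        first = found[account].get(host)
        if first is None or r["time"] < first:
            found[account][host] = r["time"]
    return dict(found)


def multi_host_accounts(rows, interactive_only=True):
    """Accounts with successful logons on more than one host."""
    logons = logons_by_account(rows, interactive_only)
    return {a: h for a, h in logons.items() if len(h) > 1}


if __name__ == "__main__":
    for account, hosts in multi_host_accounts(load(SAMPLE)).items():
        print(account, sorted(hosts.items()))
```

Passing interactive_only=False also counts network logons, which will flag most accounts that touch a file server.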

