Re: audit user logon activity

From: H Carvey (keydet89_at_yahoo.com)
Date: 10/07/04

  • Next message: Jose James: "RE: audit user logon activity"
    Date: 7 Oct 2004 16:50:51 -0000
    To: security-basics@securityfocus.com
    
    
    In-Reply-To: <20041006191105.63203.qmail@web50505.mail.yahoo.com>

    >I tried to find out how to find whether a user logs to
    >multiple computers on the network. From MS security
    >log, I can not find anything I want to. Is there any
    >windows free utility which allows to audit a user's log
    >on activity?
    >(BTW, we are in windows 2000 environment).

    To be quite honest, I'm a little unclear as to why you're having trouble with this. If the systems have their audit policy configured to record successful and failed login attempts, you should be seeing the user's logins.

    Something to consider beyond the audit configuration...what credentials (ie, username and password combination) are you looking for?

    Another option you might consider (beyond or in addition to reviewing the Security Event Log from each system) is querying each system (or just specific systems) for sessions, a la "net session". One way to do this is to use psloggedon.exe from SysInternals...feed a list of machine names to the tool and then parse the output. Another means is to use WMI, either via VBScript or Perl (my personal favorite).

    Something else to consider is that the user, if they are logging into the systems, isn't doing so in the traditional MS sense, but using some sort of backdoor access.

    Of course, it could very well be the case that the user is not, in fact, logging on to multiple systems.

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://groups.yahoo.com/group/windowsir/

    "Meddle not in the affairs of dragons, for
    you are crunchy, and good with ketchup."

    "The simplicity of this game amuses me.
    Bring me your finest meats and cheeses."
    ------------------------------------------
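
Added example, not part of the original post: one way to answer the question from the Security Event Logs themselves, by merging exported logon events from several hosts and pairing logons (528, 540) with logoffs (538) to see which hosts a user touched and where interactive sessions overlap. The CSV column layout, host names and accounts are constructed assumptions; event 538 is often missing in practice, so a session without one is treated as still open.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Windows 2000 Security log event IDs: successful logon, network logon, logoff.
LOGON_IDS = {"528", "540"}
LOGOFF_ID = "538"

# Constructed sample rows; the column layout is an assumption about how the
# per-host Security logs were exported and merged, not a native format.
SAMPLE = """host,time,event_id,user,logon_type,logon_id
WS01,2004-10-06 08:58:40,529,CORP\\jdoe,2,
WS01,2004-10-06 09:00:12,528,CORP\\jdoe,2,0x3e1a
FS02,2004-10-06 09:05:30,540,CORP\\jdoe,3,0x51b2
FS02,2004-10-06 09:06:02,538,CORP\\jdoe,3,0x51b2
WS07,2004-10-06 10:15:00,528,CORP\\jdoe,2,0x7c44
WS03,2004-10-06 10:20:00,528,CORP\\asmith,2,0x1f00
WS01,2004-10-06 17:30:00,538,CORP\\jdoe,2,0x3e1a
"""

def sessions(text):
    """Pair logon and logoff events by (host, logon_id) into sessions per user."""
    open_, done = {}, defaultdict(list)
    for r in csv.DictReader(io.StringIO(text)):
        t = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        key = (r["host"], r["logon_id"])
        if r["event_id"] in LOGON_IDS:
            open_[key] = (r["user"].lower(), t, r["logon_type"])
        elif r["event_id"] == LOGOFF_ID and key in open_:
            user, start, ltype = open_.pop(key)
            done[user].append((r["host"], start, t, ltype))
    for (host, _), (user, start, ltype) in open_.items():
        done[user].append((host, start, None, ltype))  # no logoff recorded
    return done

def hosts_by_user(text):
    """Every host on which each user had at least one successful logon."""
    return {u: sorted({s[0] for s in ss}) for u, ss in sessions(text).items()}

def concurrent_hosts(text, logon_type="2"):
    """Users with overlapping sessions of the given type on different hosts."""
    hits = defaultdict(set)
    for user, ss in sessions(text).items():
        ss = [s for s in ss if s[3] == logon_type]
        for i, a in enumerate(ss):
            for b in ss[i + 1:]:
                overlap = (b[2] is None or a[1] <= b[2]) and (a[2] is None or b[1] <= a[2])
                if a[0] != b[0] and overlap:
                    hits[user].add(tuple(sorted((a[0], b[0]))))
    return {u: sorted(p) for u, p in hits.items()}
```

Logon type 2 is an interactive logon and type 3 a network logon, so the default call reports only users sitting at more than one console at once; failed attempts (529) are ignored here.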

