RE: Windows Log



Philippe,

Yes, a savvy user would be able to create problems with a script based method of recording user logons and logoffs.

Dave Kleiman, and others, made excellent suggestions for gleaning information from the security logs. These logs would be much more difficult for the savvy user to edit.

For "quick and dirty" recording of who logs in when, I wrote the below VB scripts. Yes, users "in the know" could modify the data, but I wouldn't rely on my script's information for forensics, I would rely on the suggestions made before, such as Dave's. I use my scripts as a cross reference for our web filter, which sometimes seems to not realize a different user has logged into a machine.

To preface, I created a hidden share (obscurity, I know...) and granted write access to the users. Then, I assigned the below scripts through AD during logon and logoff. If a user wants to run the script during the day, that's fine, AD will still run it for them when they logout. All I would record is a user doing something odd and then go to the security logs. If a user deletes entries, that's okay too, the server was backed up the night before, and I would once again be alerted to the need to scour the security logs.

Here are the logon and logoff scripts I use. You could easily modify them to write a file for each user instead of each machine by just changing the variable names.

LOGON

' This script writes user names and times to a file on a network share.
' The intended purpose for this script is to be run via GPO during user
' logon events. Each machine will write to a separate file named for
' the machine.
'
' The users will need to be able to write to a network share, and you
' will have to enter the share name and drive letter to use below.
'
' Place this script in your netlogon share and call it from "User
' Configuration\Windows Settings\Scripts\Logon".
'
' This script combines example scripts from the Windows 2000 Scripting Guide.
' Pieced together 01.20.05 by Scott Ramsdell [sramsdell <at> stinsonmoheck <dot> com]
'
' Every effort has been taken to ensure this script does no harm if used for the
' stated intended purpose. The author makes no assertion as to the fitness of this script
' and will assume no responsibility for its use.
'
' CAUTION: An administrator running this script will take precedence over another
' process that uses the same drive letter. For example, if you choose to use
' drive R: in this script, and another process on your machine is using drive
' R: then the original process will fail.
'
'
'

On ERROR RESUME NEXT

' Create an object for networking
Set objNetwork = Wscript.CreateObject("Wscript.Network")

' Create an object for the local file system
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")

' Grab machine name and user name
machineName = objNetwork.ComputerName
userName = objNetwork.UserName

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Map a drive.
' Choose a drive letter and enter your share name below.
objNetwork.MapNetworkDrive "R:" , ("\\servername\sharename")

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Change drive letter as appropriate.
' Create a text file on the share, do not overwrite any existing file
objFSO.CreateTextFile("R:\" & MachineName & ".txt"), FALSE

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Change drive letter as appropriate.
' Open file and write to it
Set objFile = objFSO.OpenTextFile("R:\" & MachineName & ".txt", 8)
objFile.WriteLine "Logon: " & userName & " " & Now()
objFile.Close

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Change drive letter as appropriate.
' Remove drive
objNetwork.RemoveNetworkDrive "R:"

' Clean up
objnetwork = nothing
objfile = nothing
objFSO = nothing
userName = nothing
machineName = nothing


LOGOFF

' This script writes user names and times to a file on a network share.
' The intended purpose for this script is to be run via GPO during user
' logoff events. Each machine will write to a separate file named for
' the machine.
'
' The users will need to be able to write to a network share, and you
' will have to enter the share name and drive letter to use below.
'
' Place this script in your netlogon share and call it from "User
' Configuration\Windows Settings\Scripts\Logoff".
'
' This script combines example scripts from the Windows 2000 Scripting Guide.
' Pieced together 01.20.05 by Scott Ramsdell [sramsdell <at> stinsonmoheck <dot> com]
'
' Every effort has been taken to ensure this script does no harm if used for the
' stated intended purpose. The author makes no assertion as to the fitness of this script
' and will assume no responsibility for its use.
'
' CAUTION: An administrator running this script will take precedence over another
' process that uses the same drive letter. For example, if you choose to use
' drive R: in this script, and another process on your machine is using drive
' R: then the original process will fail.
'
'
'

On ERROR RESUME NEXT

' Create an object for networking
Set objNetwork = Wscript.CreateObject("Wscript.Network")

' Create an object for the local file system
Set objFSO = WScript.CreateObject("Scripting.FileSystemObject")

' Grab machine name and user name
machineName = objNetwork.ComputerName
userName = objNetwork.UserName

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Map a drive.
' Choose a drive letter and enter your share name below.
objNetwork.MapNetworkDrive "R:" , ("\\servername\sharename")

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Change drive letter as appropriate.
' Create a text file on the share, do not overwrite any existing file
objFSO.CreateTextFile("R:\" & MachineName & ".txt"), FALSE

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Change drive letter as appropriate.
' Open file and write to it
Set objFile = objFSO.OpenTextFile("R:\" & MachineName & ".txt", 8)
objFile.WriteLine "Logoff: " & userName & " " & Now()
objFile.Close

' ***** ADMIN INPUT REQUIRED BELOW! *****
' Change drive letter as appropriate.
' Remove drive
objNetwork.RemoveNetworkDrive "R:"

' Clean up
objnetwork = nothing
objfile = nothing
objFSO = nothing
userName = nothing
machineName = nothing


Hope someone else finds them useful too,
Scott






-----Original Message-----
From: Philippe De Ryck [mailto:philippe.de.ryck@xxxxxxxxx]
Sent: Sunday, January 22, 2006 3:53 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Windows Log

I'm wondering about this too. I was thinking about a solution like this
one, but I have some thoughts:

If you run the script at login time, it is run with user permissions I
believe. So that would mean that you have a server that accepts data
from a user. Wouldn't it be possible for the user, if he figures it out,
to fake information. He could for instance fake the login or logoff by
just sending data to the server (or even running the script, which he
has access to).

Can anyone comment on this? (Don't have much experience with this kind
of thing)

Philippe De Ryck

On Thu, 2006-01-19 at 20:11 -0500, Ryan Cummings wrote:
> I'm not a expert but couldn't you script something to run everytime
> (HKLM...Run or throught LoginScripts) a user logged into a machine to
> output the username and machine to a SQL DB or the like...just an
> idea. Not sure how big your org is but even a text file something like
>
> echo %username% >> \\UNCPATHTOASERVER\\logininfo.txt
> hostname >> \\UNCPATHTOASERVER\\logininfo.txt
>
> This is pretty basic but you get the idea
>
>
> Ryan
>
>
>
>
> On 1/19/06, Nick Duda <nduda@xxxxxxxxxxxxxx> wrote:
> >
> > To continue this topic, I'm faced with the same thing....
> >
> > The problem is that with all these event id's 672, 673, 540...etc there is still no positive way to say , when a user logged on (via cntrl,alt delete) and logged off, as in shutdown or log off.
> >
> > My goal, is to use syslog or some other form of monitoring to keep records of each employees logon/logoff of a PC physically on the network. I've been knee deep into all these event id's and nothing is accurate.
> >
> > Please help.
> >
> > -----Original Message-----
> > From: List Spam [mailto:listspam@xxxxxxxxx]
> > Sent: Tuesday, January 17, 2006 10:08 AM
> > To: security-basics@xxxxxxxxxxxxxxxxx
> > Subject: Re: Windows Log
> >
> > There are many types of logins that can be performed in an an AD
> > environment. Among these are full desktop logins by a user (aka
> > interactive login), non-interactive network logins (e.g. mount a
> > share), computer accounts authenticating to the domain, etc.
> >
> > I would venture a guess that you don't want to disallow the ability to
> > log other security events, but want to easily find login events of
> > some type (see above) without having to wade through the full set of
> > logged data. If this is the case, you could simply filter the logs to
> > show the event id that is specific to the action you are looking to
> > see.
> >
> > You could use the built-in "Event Viewer" application for it,
> > EventCombMT (Google it), one of the resource kit log dumping
> > utilitities, VBScripts, or just about anything else to export this
> > info. Some VBScript examples are below:
> >
> > http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/defaultmspx
> >
> > I dare say that if you're trying to audit security on a box, you don't
> > want to hack up the data collection facility, but want to simply get
> > better use from that data.
> >
> > My two cetns.
> >
> > On 1/16/06, Rod <rod.rio@xxxxxxxxx> wrote:
> > > Hi all,
> > >
> > > I have a Win2k Server, who is my Domain Controller, and I'd like it to
> > > log only the LOGON/LOGOFF events. I know that there are a whole class
> > > of logon/logoff events, but I´d like to log only when a user logon
> > > into a machine in the domain.
> > >
> > > Hope I was clear... thx
> > >
> > >
> > > --
> > > Rodrigo M. T. Fernandez
> > > Departamento de Ciência da Computação UFRJ
> > > Grupo de Respostas a Incidentes de Segurança - GRIS UFRJ
> > > www.dcc.ufrj.br | www.gris.dcc.ufrj.br
> > >
> > > ---------------------------------------------------------------------------
> > > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > > The Norwich University program offers unparalleled Infosec management
> > > education and the case study affords you unmatched consulting experience.
> > > Tailor your education to your own professional goals with degree
> > > customizations including Emergency Management, Business Continuity Planning,
> > > Computer Emergency Response Teams, and Digital Investigations.
> > >
> > > http://www.msia.norwich.edu/secfocus
> > > ----------------------------------------------------------------------------
> > >
> > >
> >
> > ---------------------------------------------------------------------------
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The Norwich University program offers unparalleled Infosec management
> > education and the case study affords you unmatched consulting experience.
> > Tailor your education to your own professional goals with degree
> > customizations including Emergency Management, Business Continuity Planning,
> > Computer Emergency Response Teams, and Digital Investigations.
> >
> > http://www.msia.norwich.edu/secfocus
> > ----------------------------------------------------------------------------
> >
> >
> >
> >
> > ---------------------
> > Confidentiality note:
> > The information in this email and any attachment may contain
> > confidential and proprietary information of VistaPrint and/or
> > its affiliates and may be privileged or otherwise protected
> > from disclosure. If you are not the intended recipient,
> > you are hereby notified that any review, reliance or distribution
> > by others or forwarding without express permission is strictly
> > prohibited and may cause liability. In case you have received this
> > message due to an error in transmission, please notify the sender
> > immediately and to delete this email and any attachment from your
> > system.
> > ---------------------
> >
> > ---------------------------------------------------------------------------
> > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> > The Norwich University program offers unparalleled Infosec management
> > education and the case study affords you unmatched consulting experience.
> > Tailor your education to your own professional goals with degree
> > customizations including Emergency Management, Business Continuity Planning,
> > Computer Emergency Response Teams, and Digital Investigations.
> >
> > http://www.msia.norwich.edu/secfocus
> > ---------------------------------------------------------------------------
> >
> >
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent to you in error, please contact the sender for instructions concerning return or destruction, and do not use or disclose the contents to others.

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages

  • Re: Get custom database properties from an Access database
    ... will write the script to look for an available letter, ... If you're concerned about another drive letter causing ... will have no effect on the user's interaction with the database. ... As for the server, yes, that would definitely be the way to go. ...
    (microsoft.public.scripting.vbscript)
  • Re: SSH Scans
    ... made a script that filters out the "Invalid User" entry inside ... education and the case study affords you unmatched consulting experience. ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • Re: Printer Mapping Problem/Preferances
    ... The script pretty much tells you everything you need to know. ... (not a mapping!) ... You have set up drive maps, which also implies some familiarity with the GPMC and the preferences sections more specifically. ... XP Pro computers so that when they open up My Network they see the mappings (sans the drive letter, ...
    (microsoft.public.windows.server.sbs)
  • SSH Scans
    ... made a script that filters out the "Invalid User" entry inside ... you can get the script and dictionary ... education and the case study affords you unmatched consulting experience. ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • Re: Updating the HomeFolder Attribute
    ... The last time I wrote a script like this I only put "H" in the drive letter field because the colon ":" in the UI isn't part of the drop down in the field, ... When a user logs in using their newID, the home folder doesn't map. ... If I check the information stored in the users profile it contains the ...
    (microsoft.public.scripting.vbscript)