Re: Special privileges assigned to new logon??
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Jan 2006 22:22:40 -0600
Be sure to check the user rights also. Type 3 logon is a network logon such
as when a user accesses a share on a computer.
http://www.windowsecurity.com/articles/Logon-Types.html --- Windows logon
types
Assuming you are using Windows 2000/2003/XP Pro you enable auditing in Local
Security Policy [secpol.msc] and go to local policies/audit policy. The link
below explains more. --- Steve
http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260 --- same
for XP Pro and Windows 2003.
"instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3B4176B6-7915-4FF3-8E37-DA2DB3C0A412@xxxxxxxxxxxxxxxx
>I checked the user's memberships. They are as they should be.
>
> The logon types are (there are a number of logons and logoffs that all take
> place in a very short span) they are all type 3.
>
> Dumb question: how do I enable auditing of "account management and policy
> change"?
>
> I have security logging?
>
> Thanks
>
> "Steven L Umbach" wrote:
>
>> Check Local Security Policy/local policies/user rights to see if that user
>> does indeed have the user right for impersonate user after logon. By default
>> the administrators group has that user right. I would also check his account
>> for group membership to see if it is what you expect. If you have enabled
>> auditing of account management and policy change you could see if his user
>> account has had its group membership changed and by who and if user rights
>> were changed on the computer and by who. If the user is shown to have logged
>> on at a time when he was not there then that is a reason for concern unless
>> a Scheduled Task or such ran on a schedule that used his credentials but the
>> logon type should indicate that. Type 2 logons are direct keyboard logons or
>> via Remote Desktop/TS on a Windows 2000 computer while for XP/2003 computers
>> they could only be keyboard logon. --- Steve
>>
>>
>> "instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:F944DB90-A9E2-4F1E-AE91-373E4022178C@xxxxxxxxxxxxxxxx
>> >I have a user who works part-time during the day. They just started.
>> >
>> > Today, I'm looking through the event log for successful logon or logoff and
>> > I see the logon name with the event 576
>> > Privileges: SELoadDriverPrivilege
>> > Privileges: SeImpersonatePrivilege
>> >
>> > When I follow the link to Microsoft for explanation, I'm alarmed by the
>> > cautionary remarks. In short I think that this is evidence of a hack. The
>> > user did not log in at the specified time, and certainly would not have the
>> > know-how or the rights to assign special privileges. I am the only admin
>> > here. Can someone please advise me on what I'm seeing?
>> > Thanks
>> >
>>
>>
>>
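
The check discussed in this thread (which account received special privileges, and under what logon type), as an added example that is not part of the original messages: it pairs each event 576 with the 528/540 logon event sharing its Logon ID. The record layout, account names, times and the `expected_privileged` set are constructed assumptions standing in for an exported Security log.

```python
# Constructed sample records; field names are assumptions, not a real export format.
SAMPLE_EVENTS = [
    {"id": 540, "user": "parttimer", "logon_id": "0x1a2b", "logon_type": 3,
     "time": "02:14:07"},
    {"id": 576, "user": "parttimer", "logon_id": "0x1a2b", "time": "02:14:07",
     "privileges": ["SeLoadDriverPrivilege", "SeImpersonatePrivilege"]},
    {"id": 528, "user": "admin1", "logon_id": "0x2c3d", "logon_type": 2,
     "time": "08:30:11"},
    {"id": 576, "user": "admin1", "logon_id": "0x2c3d", "time": "08:30:11",
     "privileges": ["SeImpersonatePrivilege"]},
    {"id": 576, "user": "svc_backup", "logon_id": "0x9f00", "time": "03:00:00",
     "privileges": ["SeImpersonatePrivilege"]},  # no logon event in this export
]

# Logon types named in the thread (2, 3) plus the common scheduled-task,
# service and Remote Desktop types.
LOGON_TYPES = {2: "interactive (keyboard)", 3: "network",
               4: "batch (scheduled task)", 5: "service",
               10: "remote interactive"}
LOGON_EVENTS = {528, 540}    # successful logon / successful network logon
SPECIAL_PRIV_EVENT = 576     # special privileges assigned to new logon


def review_special_privileges(events, expected_privileged):
    """Return one finding per 576 event for accounts not expected to hold
    special privileges, annotated with the logon type of the same session."""
    logons = {e["logon_id"]: e for e in events if e["id"] in LOGON_EVENTS}
    findings = []
    for e in events:
        if e["id"] != SPECIAL_PRIV_EVENT or e["user"] in expected_privileged:
            continue
        logon = logons.get(e["logon_id"])
        ltype = logon["logon_type"] if logon else None
        findings.append({
            "user": e["user"],
            "time": e["time"],
            "privileges": e["privileges"],
            "logon_type": ltype,
            "logon_kind": LOGON_TYPES.get(ltype, "unknown"),
        })
    return findings


if __name__ == "__main__":
    for f in review_special_privileges(SAMPLE_EVENTS, {"admin1"}):
        print(f["time"], f["user"], f["logon_kind"], ", ".join(f["privileges"]))
```

A finding with logon kind "network" for an account outside the Administrators group is the case to follow up by checking user rights assignment and group membership as described above.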