Re: Special privileges assigned to new logon??
- From: "instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 12 Jan 2006 21:13:02 -0800
So... Since the user doesn't work at 3am in the morning, am I right to be
concerned about this type 3 logon being suspicious? Or is it possible that
it's just system files doing updates or something?
I have checked memberships. The rights I assume are associated with these
memberships - non? Or is there some place in particular I should examine
their specific rights? Forgive me, I'm drawing a complete blank on rights. I
understand completely about the levels of user and security group
memberships, but specific rights?
Thanks for your help with this.
"Steven L Umbach" wrote:
> Be sure to check the user rights also. Type 3 logon is a network logon such
> as when a user accesses a share on a computer.
>
> http://www.windowsecurity.com/articles/Logon-Types.html --- Windows logon
> types
>
> Assuming you are using Windows 2000/2003/XP Pro you enable auditing in Local
> Security Policy [secpol.msc] and go to local policies/audit policy. The link
> below explains more. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260 --- same
> for XP Pro and Windows 2003.
>
> "instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:3B4176B6-7915-4FF3-8E37-DA2DB3C0A412@xxxxxxxxxxxxxxxx
> >I checked the user's memberships. They are as they should be.
> >
> > The logon types are (there are a number of logons and logoffs that all
> > take place in a very short span) they are all type 3.
> >
> > Dumb question: how do I enable auditing of "account management and policy
> > change"?
> >
> > I have security logging?
> >
> > Thanks
> >
> > "Steven L Umbach" wrote:
> >
> >> Check Local Security Policy/local policies/user rights to see if that
> >> user does indeed have the user right for impersonate user after logon.
> >> By default the administrators group has that user right. I would also
> >> check his account for group membership to see if it is what you expect.
> >> If you have enabled auditing of account management and policy change you
> >> could see if his user account has had its group membership changed and
> >> by whom, and if user rights were changed on the computer and by whom. If
> >> the user is shown to have logged on at a time when he was not there then
> >> that is a reason for concern unless a Scheduled Task or such ran on a
> >> schedule that used his credentials, but the logon type should indicate
> >> that. Type 2 logons are direct keyboard logons or via Remote Desktop/TS
> >> on a Windows 2000 computer while for XP/2003 computers they could only
> >> be keyboard logon. --- Steve
> >>
> >>
> >> "instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:F944DB90-A9E2-4F1E-AE91-373E4022178C@xxxxxxxxxxxxxxxx
> >> >I have a user who works part-time during the day. They just started.
> >> >
> >> > Today, I'm looking through the event log for successful logon or logoff
> >> > and I see the logon name with the event 576
> >> > Privileges: SELoadDriverPrivilege
> >> > Privileges: SeImpersonatePrivilege
> >> >
> >> > When I follow the link to Microsoft for explanation, I'm alarmed by the
> >> > cautionary remarks. In short I think that this is evidence of a hack.
> >> > The user did not log in at the specified time, and certainly would not
> >> > have the know-how or the rights to assign special privileges. I am the
> >> > only admin here. Can someone please advise me on what I'm seeing?
> >> > Thanks
> >> >
> >>
> >>
> >>
>
>
>
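
The check discussed in this thread, as an added example that is not part of either poster's messages: it flags logons outside a user's working hours, reports the logon type so a scheduled-task (batch) logon can be told apart from a network logon, and attaches any privileges a 576 event assigned to the same logon ID. The records, the user name, the working-hours table and the use of events 528/540 as the logon events are assumptions made for illustration.

```python
from datetime import datetime

# Constructed sample records (not from the thread), shaped like fields taken
# from Security log events: 528/540 = successful logon, 576 = special privileges.
EVENTS = [
    {"id": 528, "time": "2006-01-12 02:00:05", "user": "jdoe", "logon_type": 4, "logon_id": "0x3e6f7"},
    {"id": 540, "time": "2006-01-12 03:02:11", "user": "jdoe", "logon_type": 3, "logon_id": "0x1a2b3"},
    {"id": 576, "time": "2006-01-12 03:02:11", "user": "jdoe", "logon_id": "0x1a2b3",
     "privileges": ["SeLoadDriverPrivilege", "SeImpersonatePrivilege"]},
    {"id": 540, "time": "2006-01-12 10:15:40", "user": "jdoe", "logon_type": 3, "logon_id": "0x2c4d5"},
]
WORK_HOURS = {"jdoe": (9, 17)}  # hypothetical schedule: user -> (start hour, end hour)
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service"}


def off_hours_logons(events, work_hours):
    """Return logons outside a user's working hours, with any privileges
    that a 576 event assigned to the same logon ID."""
    privs = {}
    for e in events:
        if e["id"] == 576:
            privs.setdefault(e["logon_id"], []).extend(e["privileges"])
    findings = []
    for e in events:
        if e["id"] not in (528, 540) or e["user"] not in work_hours:
            continue  # not a logon, or no schedule to compare against
        start, end = work_hours[e["user"]]
        when = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        if start <= when.hour < end:
            continue  # inside working hours
        findings.append({
            "user": e["user"],
            "time": e["time"],
            "logon_type": LOGON_TYPES.get(e["logon_type"], str(e["logon_type"])),
            "privileges": privs.get(e["logon_id"], []),
        })
    return findings


if __name__ == "__main__":
    for f in off_hours_logons(EVENTS, WORK_HOURS):
        print(f)
```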