Re: Special privileges assigned to new logon??



User rights are computer level configuration and specify what users/groups
can do what tasks such as logon locally and load and unload device drivers.
You can see what the user rights assignments are in Local Security Policy.
For more information on user rights I would suggest that you read the
Windows XP Security Guide and the Threats and Countermeasures Guides as shown
in the links below.

http://www.microsoft.com/technet/security/prodtech/windowsxp/secwinxp/xpsgch03.mspx
http://www.microsoft.com/technet/security/topics/serversecurity/tcg/tcgch04n.mspx

A type 3 network logon at 3AM could be suspicious but not necessarily
malicious. It should show the computer that the user made this logon from
and that information may help in the determination. Also find if the user
logged off for the day. If the user just locks his computer it is possible
that the operating system may try to access other computers particularly
domain controllers for authentication or Group Policy refresh or computers
that have shares that the user uses such as via a mapped drive. --- Steve

"instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:983D6F92-C29C-4D04-9161-068697AF04D6@xxxxxxxxxxxxxxxx
> So....Since the user doesn't work at 3am in the morning, am I right to be
> concerned about this type 3 logon being suspicious? Or is it possible that
> it's just system files doing updates or something?
>
> I have checked memberships. The rights I assume are associated with these
> memberships - non? Or is there some place in particular I should examine
> their specific rights. Forgive me, I'm drawing a complete blank on rights. I
> understand completely about the levels of user and security group
> memberships, but specific rights?
> thanks for your help with this.
>
> "Steven L Umbach" wrote:
>
>> Be sure to check the user rights also. Type 3 logon is a network logon such
>> as when a user accesses a share on a computer.
>>
>> http://www.windowsecurity.com/articles/Logon-Types.html --- Windows logon types
>>
>> Assuming you are using Windows 2000/2003/XP Pro you enable auditing in Local
>> Security Policy [secpol.msc] and go to local policies/audit policy. The link
>> below explains more. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260 --- same
>> for XP Pro and Windows 2003.
>>
>> "instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:3B4176B6-7915-4FF3-8E37-DA2DB3C0A412@xxxxxxxxxxxxxxxx
>> >I checked the user's memberships. They are as they should be.
>> >
>> > The logon types are (there are a number of logons and logoffs that all take
>> > place in a very short span) they are all type 3.
>> >
>> > Dumb question: how do I enable auditing of "account management and policy
>> > change"?
>> >
>> > I have security logging?
>> >
>> > Thanks
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Check Local Security Policy/local policies/user rights to see if that user
>> >> does indeed have the user right for impersonate user after logon. By default
>> >> the administrators group has that user right. I would also check his account
>> >> for group membership to see if it is what you expect. If you have enabled
>> >> auditing of account management and policy change you could see if his user
>> >> account has had its group membership changed and by who and if user rights
>> >> were changed on the computer and by who. If the user is shown to have logged
>> >> on at a time when he was not there then that is a reason for concern unless
>> >> a Scheduled Task or such ran on a schedule that used his credentials but the
>> >> logon type should indicate that. Type 2 logons are direct keyboard logons or
>> >> via Remote Desktop/TS on a Windows 2000 computer while for XP/2003 computers
>> >> they could only be keyboard logon. --- Steve
>> >>
>> >>
>> >> "instauratio" <instauratio@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:F944DB90-A9E2-4F1E-AE91-373E4022178C@xxxxxxxxxxxxxxxx
>> >> >I have a user who works part-time during the day. They just started.
>> >> >
>> >> > Today, I'm looking through the event log for successful logon or logoff and
>> >> > I see the logon name with the event 576
>> >> > Privileges: SELoadDriverPrivilege
>> >> > Privileges: SeImpersonatePrivilege
>> >> >
>> >> > When I follow the link to Microsoft for explanation, I'm alarmed by the
>> >> > cautionary remarks. In short I think that this is evidence of a hack. The
>> >> > user did not log in at the specified time, and certainly would not have the
>> >> > know-how or the rights to assign special privileges. I am the only admin
>> >> > here. Can someone please advise me on what I'm seeing?
>> >> > Thanks
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
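
The triage described in this thread (where an off-hours type 3 logon came from, which privileges event 576 attached to it, and whether the user had actually logged off) as an added example that is not part of the original posts. The records are constructed and assumed to be already exported and merged from the workstation's and the server's Security logs; event IDs 528/540 (logon) and 538 (logoff) are the Windows 2000/XP/2003 numbering, and the host names, user name and verdict labels are hypothetical.

```python
import csv
import io
from datetime import datetime

# Constructed sample, not from the thread. Columns: time, event ID, user,
# logon type, logon ID, source workstation, privileges (event 576 only).
SAMPLE = """\
2006-03-01 09:02:11,528,jdoe,2,0x1A2B,WKS-07,
2006-03-02 03:01:40,540,jdoe,3,0x2F10,WKS-07,
2006-03-02 03:01:40,576,jdoe,,0x2F10,,SeImpersonatePrivilege
2006-03-02 03:14:05,540,jdoe,3,0x3C44,UNKNOWN-PC,
2006-03-02 03:14:05,576,jdoe,,0x3C44,,SeLoadDriverPrivilege;SeImpersonatePrivilege
"""
FIELDS = ["time", "event", "user", "type", "logon_id", "source", "privs"]

def triage(text, work_start=8, work_end=18):
    """Return off-hours type 3 logons with source, privileges and a verdict."""
    rows = list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
    rows.sort(key=lambda r: r["time"])
    # Event 576 carries the same Logon ID as the logon event it belongs to.
    privs = {r["logon_id"]: r["privs"].split(";")
             for r in rows if r["event"] == "576"}
    open_sessions = {}  # interactive Logon ID -> (user, workstation)
    findings = []
    for r in rows:
        if r["event"] == "528" and r["type"] == "2":
            open_sessions[r["logon_id"]] = (r["user"], r["source"])
        elif r["event"] == "538":
            open_sessions.pop(r["logon_id"], None)
        elif r["event"] == "540" and r["type"] == "3":
            if work_start <= r["time"].hour < work_end:
                continue
            # A locked (not logged-off) workstation can still reach servers.
            still_on = (r["user"], r["source"]) in open_sessions.values()
            findings.append({
                "time": r["time"], "user": r["user"], "source": r["source"],
                "privileges": privs.get(r["logon_id"], []),
                "verdict": "session-open-at-source" if still_on else "investigate",
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["time"], f["user"], f["source"], f["verdict"],
              ",".join(f["privileges"]))
```

A "session-open-at-source" verdict only means the logon fits the locked-workstation explanation; it does not clear the event.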

