Re: Help with Security Audits

From: Jeremiah Beckett (JeremiahBeckett_at_discussions.microsoft.com)
Date: 06/02/05


Date: Thu, 2 Jun 2005 13:28:04 -0700

Check out the new System Controls MP from Manakoa. It provides auditing
guidance and base collection of key security events that might be useful for
future monitoring of your systems.

http://www.manakoa.com/products/scmp/

"Steven L Umbach" wrote:

> Check to see if there is a local user account by that name on the server.
> The command net users would be a quick way. For a domain computer, domain
> accounts could also be used to attempt access. When you say profile I don't
> know if you mean user account or user profile as the term seems to be
> interchanged a lot. A profile will not be created until the user logs onto
> the computer at the console or via TS. If that computer should not be
> offering network shares then disable file and print sharing on it or modify
> the user right for access this computer from the network to include only the
> users/groups that should be accessing shares on the computer. It would also
> be a good idea to have auditing of account management enabled to see if
> unauthorized user accounts are being created/deleted. --- Steve
>
>
> "WP" <WP@discussions.microsoft.com> wrote in message
> news:7921EF0D-005C-4A69-B3EF-54DAE1B11FE0@microsoft.com...
> > I have a Win2k terminal server with Citrix installed.
> > I have auditing set up on this server for successful and unsuccessful logon
> > events.
> > In my event viewer I have this:
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 540
> > Date: 6/1/2005
> > Time: 6:36:40 AM
> > User: RMH\ecoombs
> > Computer: RMH-CITRIX-1
> > Description:
> > Successful Network Logon:
> > User Name: xxxxxxx
> > Domain: xxxxx
> > Logon ID: (0x0,0xE5CD350)
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: xxxxxxxx
> > This user doesn't show a profile on the server, so I am wondering how to
> > track down what type of activity it was.
> > This user shouldn't be accessing this server.
> > Thanks in advance
> >
>
>
>
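
An added example, not part of the original thread: one way to triage the kind of event quoted above, by parsing Security log entries exported as text and listing Event ID 540 network logons (Logon Type 3) from accounts that are not on a list of accounts expected to reach the server over the network. The account, domain and workstation names and the allow-list are constructed for illustration, and the text layout is assumed to match the event as pasted in the thread.

```python
import re

# Logon Type 3 is a network logon (e.g. share access); it creates no profile.
NETWORK_LOGON = "3"
# "Name: value" line, tolerating leading "> " quote markers from pasted mail.
FIELD_RE = re.compile(r"^[>\s]*([A-Za-z][A-Za-z /]*?):[ \t]*(.*?)\s*$")

def parse_event(text):
    """Turn one event's 'Name: value' lines into a dict (first value wins)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):          # skip headings such as "Description:"
            fields.setdefault(m.group(1), m.group(2))
    return fields

def review(log_text, allowed_accounts):
    """Return findings for Event ID 540 network logons by unlisted accounts."""
    allowed = {a.lower() for a in allowed_accounts}   # names are case-insensitive
    findings = []
    for block in re.split(r"\n[>\s]*\n", log_text.strip()):  # blank line = new event
        ev = parse_event(block)
        if ev.get("Event ID") != "540" or ev.get("Logon Type") != NETWORK_LOGON:
            continue
        account = "{}\\{}".format(ev.get("Domain", "?"), ev.get("User Name", "?"))
        if account.lower() not in allowed:
            findings.append({"account": account,
                             "source": ev.get("Workstation Name", "?"),
                             "package": ev.get("Authentication Package", "?"),
                             "when": ev.get("Date", "?") + " " + ev.get("Time", "?")})
    return findings

# Constructed sample in the layout of the event quoted in the thread.
SAMPLE = """\
Event ID: 540
Date: 6/1/2005
Time: 6:36:40 AM
User Name: jdoe
Domain: EXAMPLE
Logon Type: 3
Authentication Package: NTLM
Workstation Name: WKSTN-07

Event ID: 540
User Name: svc_backup
Domain: EXAMPLE
Logon Type: 3
Workstation Name: BACKUP-01
"""
print(review(SAMPLE, ["EXAMPLE\\svc_backup"]))
```

The "source" field in each finding is the workstation name recorded in the event, which is the place to start when working out where the logon came from.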


