Re: Help Needed in interpreting Security Audit Logs
- From: Jesper <Jesper@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 30 Dec 2006 08:18:01 -0800
Naah. I'm not nearly that good. Sorry. :-)
I wonder if it would even be possible to tell based on the event. Since the event is logged on the DC, and the code path it gets logged with is the same regardless of the client, I don't think you could. The only thing the client actually controls in that event is the source port, and all Windows systems are designed to use random ephemeral ports in the 1024-5000 range.

FWIW, in Vista you get slightly more information, such as the workstation name, but nothing to really help you tell what OS they were running.
"Roger Abell [MVP]" wrote:
Thanks for the clarity..
I was assuming you were picking up on some small semantic distinction based on how the event fields were instanced.
Roger
"Jesper" <Jesper@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B7AC2A77-A746-4610-9B78-6F1A093F7A3B@xxxxxxxxxxxxxxxx
Inadvertently. :-)
Good catch Roger. I should have said Win2K or higher. My mistake. I was going on the fact that it used Kerb. I think I was thinking "current OS minus one", as I have for five years, but this time I arrived at XP. Obviously a Win2K client could cause the same error to be generated. Even a Unix client could, technically speaking.
"Roger Abell [MVP]" wrote:
Hi Jesper,
I am curious
<quote>
The logon must be coming from a Windows XP machine or higher
</quote>
Why was W2k ruled out?
Roger
"Jesper" <Jesper@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5620CD07-5C9C-46A9-B185-534495F5DE86@xxxxxxxxxxxxxxxx
There is no way to tell for sure unless you audit all the resources. Logon type 3 is a network logon, in other words, the user is accessing a shared network resource. The logon must be coming from a Windows XP machine or higher, that is a member of the domain, because it uses Kerberos. Was the workstation name blank in the original log entry?

This could be as simple as a user that is trying to find out what shares are on the server. Without knowing more about what was in the event and what resources are shared on that server we can't tell for sure.

The connection between this event and the shutdown event was unclear. Are you implying that this user caused the shutdown? There should be a log entry for the shutdown event itself. It would be a 1074 event, and should include the name of the user that initiated it.
"Yogesh S" wrote:
We are struggling to figure out what is going wrong with our Win 2003 Server machine. This machine was given a remote shutdown instruction and we are investigating the security log. But upon investigation we saw several of these logon-logoff entries in the log. I have removed the actual user and domain name for security purposes.
Successful Network Logon:
User Name: xyzuser
Domain: DOMAIN1
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
User Logoff:
User Name: xyzuser
Domain: DOMAIN1
Logon Type: 3
We clearly see that this user doesn't have any kind of shared network connection to this win2003 machine and still we see this entry in our log.

Any idea what is happening? Is there any tool which can precisely give us the info as to which user is trying to log in and what resource he is trying to access?

Regards
Yogesh S
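The thread turns on three things a responder would want to check mechanically: that a "Logon Type: 3" entry is a network logon rather than an interactive one, that a blank "Workstation Name" means the server-side event cannot name the client, and that the shutdown itself should show up as a 1074 event naming the user who initiated it. The following Python script is an added example written for this page, not code from any of the posters; it parses a small block of Windows 2000/2003-style event text (constructed here, with the 528/540/538 IDs and the 1074 message wording taken from the standard event descriptions), flags the unattributed network logons, and correlates the 1074 initiator against the accounts that actually logged on. The "Event ID:" header line per record is an assumption of this example's input format, not something the original log excerpt contains.

```python
import re
from dataclasses import dataclass

# Meaning of the "Logon Type" field in Windows 2000/2003 Security log events.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}
SUCCESSFUL_LOGON_IDS = {528, 540}  # 528 = successful logon, 540 = successful network logon
SHUTDOWN_ID = 1074                 # "The process ... has initiated the shutdown ..." (System log)

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
SHUTDOWN_USER_RE = re.compile(r"on behalf of user (\S+)")

# Constructed sample, modelled on the excerpt in the thread plus one NTLM logon
# and one 1074 shutdown record so the correlation has something to work on.
SAMPLE_LOG = """\
Event ID: 540
Successful Network Logon:
User Name: xyzuser
Domain: DOMAIN1
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Source Network Address: 10.0.0.23

Event ID: 538
User Logoff:
User Name: xyzuser
Domain: DOMAIN1
Logon Type: 3

Event ID: 540
Successful Network Logon:
User Name: backupsvc
Domain: DOMAIN1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BACKUP01

Event ID: 1074
The process winlogon.exe (ADMINPC) has initiated the shutdown of computer SERVER01 on behalf of user DOMAIN1\\adminuser for the following reason: No title for this reason could be found
"""


@dataclass
class Event:
    event_id: int
    header: str   # first descriptive line of the event
    fields: dict  # the "Key: Value" lines that follow it


def parse_events(text: str) -> list:
    """Split the text into records on blank lines; each record starts with 'Event ID: n'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        m = re.match(r"Event ID:\s*(\d+)$", lines[0])
        if not m:
            continue  # not a record in the assumed format; skip it
        fields = {}
        for ln in lines[2:]:
            fm = FIELD_RE.match(ln)
            if fm:
                fields[fm.group(1).strip()] = fm.group(2).strip()  # blank value stays ""
        events.append(Event(int(m.group(1)), lines[1] if len(lines) > 1 else "", fields))
    return events


def user_of(ev: Event) -> str:
    return f"{ev.fields.get('Domain', '?')}\\{ev.fields.get('User Name', '?')}"


def describe_logon(ev: Event) -> str:
    """One-line reading of a logon event, as a responder would annotate it."""
    lt = int(ev.fields.get("Logon Type") or 0)
    kind = LOGON_TYPES.get(lt, f"type {lt}")
    pkg = ev.fields.get("Authentication Package", "?")
    ws = ev.fields.get("Workstation Name") or "<blank>"
    note = ("Kerberos: client is a domain member" if pkg == "Kerberos"
            else "not Kerberos: domain membership cannot be inferred")
    return f"{user_of(ev)}: {kind} logon via {pkg} from workstation {ws} ({note})"


def unattributed_network_logons(events) -> list:
    """Successful type-3 logons with a blank Workstation Name: the event alone
    cannot tell you which client produced them (the point made in the thread)."""
    return [ev for ev in events
            if ev.event_id in SUCCESSFUL_LOGON_IDS
            and ev.fields.get("Logon Type") == "3"
            and not ev.fields.get("Workstation Name")]


def shutdown_initiators(events) -> list:
    """The user named in each 1074 event (None if the message has no user)."""
    users = []
    for ev in events:
        if ev.event_id == SHUTDOWN_ID:
            m = SHUTDOWN_USER_RE.search(ev.header)
            users.append(m.group(1) if m else None)
    return users


def correlate_shutdown(events) -> list:
    """For each 1074 event: (initiating user, whether that account also had a successful logon)."""
    logon_users = {user_of(ev) for ev in events if ev.event_id in SUCCESSFUL_LOGON_IDS}
    return [(u, u in logon_users) for u in shutdown_initiators(events)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        if ev.event_id in SUCCESSFUL_LOGON_IDS:
            print(describe_logon(ev))
    print("unattributed network logons:", [user_of(e) for e in unattributed_network_logons(evs)])
    print("shutdown correlation:", correlate_shutdown(evs))
```

Run against the sample, the xyzuser entry is the only logon flagged as unattributed, and the 1074 record names a different account that never appears in a logon event, which is the separation the thread asks for: the type-3 logon and the shutdown are two questions, answered by two different events.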