Log anonymous share access


nicolasfr

Hi,

I found on my network a Windows 2000 Pro computer with the whole D:
drive shared without restriction. I suspect someone did this for bad
reasons, so I want to log all access to this share, but the event
viewer does not record the IP address of whoever accesses the drive; all I can
see is "Anonymous user logon" or something like that. I suspect that it
is not possible to enable IP recording in the security audit policy, so
do you know a tool which would allow me to do that?

Nicolas.
 
Why don't you configure the share so that only authorized users/groups can
access it instead?? Possibly the whole drive does not need to be accessed
either. It makes more sense to enable shares at the top folder where access
is needed which usually is not the whole drive. An anonymous user would not
be able to access the share unless it is configured to be a null share [very
unlikely] or the guest account is enabled. The guest account by default is
not enabled. The hidden C$ share is for access only by administrators if
that is what you are talking about. --- Steve
 
All I want to do is log the IP of users who connect anonymously to a
share... I thought it should be a simple task to do, but after one hour
of googling, I still cannot find a way to do it...
 
You can audit who connects to a computer and who accesses a folder/file by
enabling auditing of logon events and then enabling auditing of object
access which would then allow you to audit access to folder/file
permissions. You could correlate the object access events to logon events in
the security log to get an idea what user is accessing from what computer.
The security log for logon events may not record IP address but it at least
will record the computer name. As long as the computer is on your network, the
name should allow you to find the IP by using the ping command or looking in
the WINS/DHCP/DNS records.

To reliably find the IP address, you may want to install a software firewall like
Sygate on the computer, even if you disable the firewall ability, to use it
for its extensive logging. The links below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.microsoft.com/technet/se...andmonitoring/securitymonitoring/default.mspx
http://www.microsoft.com/technet/security/prodtech/windows2000/secwin2k/default.mspx
--- chapter nine.
http://www.snapfiles.com/Freeware/security/fwfirewall.html --- software
firewalls including Sygate
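
The correlation described in the reply above (object access events matched to logon events through the Logon ID) can be sketched as follows. This is an added example, not code from the thread: it assumes the Windows 2000 Security log event IDs 540 (network logon), 538 (logoff) and 560 (object open), and the record layout and sample values are constructed for illustration.

```python
# Event IDs from the Windows 2000 Security log: 540 = successful network
# logon, 538 = logoff, 560 = object open (needs object-access auditing + SACL).
NET_LOGON, LOGOFF, OBJECT_OPEN = 540, 538, 560

# Constructed sample records; the dict layout is an assumption standing in
# for whatever export of the Security log you parse.
SAMPLE_EVENTS = [
    {"id": 540, "time": "2004-03-01 10:02:11", "user": "ANONYMOUS LOGON",
     "logon_id": "(0x0,0x1A2B3)", "logon_type": 3, "workstation": "LAB-PC07"},
    {"id": 560, "time": "2004-03-01 10:02:15", "object": r"D:\data\report.doc",
     "client_logon_id": "(0x0,0x1A2B3)"},
    {"id": 538, "time": "2004-03-01 10:05:00", "logon_id": "(0x0,0x1A2B3)"},
    {"id": 540, "time": "2004-03-01 10:06:30", "user": "jsmith",
     "logon_id": "(0x0,0x1A2B3)", "logon_type": 3, "workstation": "OFFICE-PC02"},
    {"id": 560, "time": "2004-03-01 10:06:40", "object": r"D:\data\budget.xls",
     "client_logon_id": "(0x0,0x1A2B3)"},
    {"id": 560, "time": "2004-03-01 10:07:00", "object": r"D:\tmp\notes.txt",
     "client_logon_id": "(0x0,0x9F001)"},   # logon record missing from log
    {"id": 560, "time": "2004-03-01 10:07:05", "object": r"C:\WINNT\win.ini",
     "client_logon_id": "(0x0,0x1A2B3)"},   # outside the share
]

def correlate(events, share_root="D:\\"):
    """Attach the originating logon (user, workstation) to each object access."""
    open_sessions, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == NET_LOGON and ev.get("logon_type") == 3:
            open_sessions[ev["logon_id"]] = ev
        elif ev["id"] == LOGOFF:
            # Drop closed sessions so a later logon with the same ID is not confused.
            open_sessions.pop(ev["logon_id"], None)
        elif ev["id"] == OBJECT_OPEN and ev["object"].upper().startswith(share_root.upper()):
            logon = open_sessions.get(ev["client_logon_id"], {})
            hits.append({"time": ev["time"], "object": ev["object"],
                         "user": logon.get("user"),
                         "workstation": logon.get("workstation")})
    return hits

def anonymous_sources(hits):
    """Workstation names that touched the share through an anonymous logon."""
    return sorted({h["workstation"] for h in hits if h["user"] == "ANONYMOUS LOGON"})

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit)
    print("anonymous sources:", anonymous_sources(correlate(SAMPLE_EVENTS)))
```

The workstation names it returns are what you would then resolve to an IP with ping or the WINS/DHCP/DNS records, as the reply suggests; an access with no matching logon record comes back with the workstation unset.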
 