Logging IP address when Administrator logs in

Elias Arends

Hello all:

We have a Win2K domain and there are several people who
know the admin password. We need to start tracking from
which PCs the Administrator user is logging in. Is there a
way to log the IP address of the machine where the
Administrator user is logging in? If not, do you know of
any 3rd party solutions for this? Thanks.

Elias Arends
 
If you enable auditing of account logons in Domain Controller Security policy it will
show when a user logs onto the domain in the security log of the domain controller
that authenticated the user, and if you enable auditing of logon events on domain
computers it will record a logon event in the security log of the computer that the
user logged onto. However, it may show the machine name or IP address. On the LAN that
should be adequate as you should be able to resolve a computer name to an IP address.
I would recommend that you create separate accounts for users that need to be domain
administrators and NOT share the password. In addition you need to give that power to
a minimum number of people you trust. Most domain administration can be delegated
to users who are regular users, and domain users can be added to the local
administrators account on domain computers they need to manage. Domain administrators
should be reserved for things like creating trusts, adding domains, TCP/IP
configuration of domain controllers, changing security policy, and such. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx -- auditing procedures
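Steve's reply describes reading the audited logon events on the domain controller and resolving the workstation name to an IP on the LAN. The script below is an added example, not code from this thread or from Microsoft; it assumes a Windows Vista / Server 2008 or later Security log, where a successful logon is event ID 4624 and already carries `IpAddress` and `WorkstationName` (Windows 2000 logged events 528/540 with only the workstation name). It lists the source of every logon by a chosen account over the last few days and, for console logons that have no remote address, falls back to a DNS lookup of the workstation name. The `-ComputerName` default and the DC being the machine queried are assumptions.

```powershell
# Added example (not from the thread). Requires PowerShell 3+ and read access to the
# Security log; run elevated on the domain controller or pass -ComputerName.
param(
    [string]$Account = 'Administrator',
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME   # assumption: the local machine is the DC
)

# 4624 = successful logon. Audit Policy > Logon/Logoff > Audit Logon must be enabled
# (modern equivalent of the Win2K "audit logon events" setting Steve mentions).
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML instead of relying on
        # positional Properties[] indexes, which differ between event versions.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = $d.LogonType        # 2 = console, 3 = network (SMB), 10 = RDP
            Workstation = $d.WorkstationName
            IpAddress   = $d.IpAddress        # '-', '::1' or '127.0.0.1' for local logons
        }
    } |
    Where-Object { $_.User -like "*\$Account" } |
    ForEach-Object {
        # Console logons carry no remote address; resolve the workstation name on the LAN,
        # which is the fallback Steve's reply describes.
        $local = @('-', '::1', '127.0.0.1')
        if (($_.IpAddress -in $local) -and $_.Workstation -and ($_.Workstation -ne '-')) {
            try {
                $r = Resolve-DnsName -Name $_.Workstation -Type A -ErrorAction Stop |
                     Select-Object -First 1
                $_.IpAddress = "$($r.IPAddress) (resolved from $($_.Workstation))"
            } catch {
                # leave the '-' in place: an unresolvable name is itself worth noticing
            }
        }
        $_
    } |
    Sort-Object Time -Descending |
    Format-Table Time, User, LogonType, Workstation, IpAddress -AutoSize
```

Logon type 3 entries are the ones that answer the original question for domain logons: the DC records them when the workstation authenticates, and `IpAddress` is the workstation's address at that moment. A DNS fallback is only as trustworthy as the DNS zone, so on a network where clients register their own names, treat a resolved address as a lead rather than proof.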
 
There is no way to do this natively [unless you use Windows XP or 2003
and enable the Windows firewall]. The only way I know of to do this
is to enable a firewall or sniffer, even one configured not to block
anything, just log, and try to correlate the firewall log with your
Windows security log.

One thing that can make this correlation easier might be to use a free
or not-free syslog tool like NTSYSLOG [there's at least one other out
there] along with a free syslog server like www.kiwisyslog.com to push
both logs to the same syslog server in real time.

Free firewalls and sniffers: www.sygate.com, www.kerio.com, and
www.ethereal.com
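The correlation this reply describes, joining a Windows 2000-era security log (event 540, which names only the workstation) with firewall or sniffer lines that carry the source IP, can be scripted once both logs land on the same syslog server. The script below is an added example, not code from this thread, Kiwi or NTSYSLOG; the logon events, the firewall lines, the year, the DC address and the 5-second window are all constructed or assumed. It joins each Administrator logon to the most recent SMB (port 445) connection to the DC inside the window and flags cases where more than one source address qualifies.

```powershell
# Added example (not from the thread). All data below is constructed.
# Logon events as a syslog forwarder would deliver them from the DC's security log.
$logonEvents = @(
    [pscustomobject]@{ Time = [datetime]'2004-03-10 09:15:02'; EventId = 540; User = 'Administrator'; Workstation = 'WS-ACCT01' },
    [pscustomobject]@{ Time = [datetime]'2004-03-10 11:42:37'; EventId = 540; User = 'Administrator'; Workstation = 'WS-IT02' },
    [pscustomobject]@{ Time = [datetime]'2004-03-10 11:43:10'; EventId = 540; User = 'jsmith';        Workstation = 'WS-ACCT01' }
)

# Firewall lines in a syslog-style format (constructed): "<date> <host> fw: ALLOW <proto> <src>:<sport> -> <dst>:<dport>"
$firewallLines = @'
Mar 10 09:15:01 dc1 fw: ALLOW TCP 192.168.1.57:1148 -> 192.168.1.5:445
Mar 10 09:20:44 dc1 fw: ALLOW TCP 192.168.1.12:1092 -> 192.168.1.5:80
Mar 10 11:42:36 dc1 fw: ALLOW TCP 192.168.1.23:1301 -> 192.168.1.5:445
Mar 10 11:43:09 dc1 fw: ALLOW TCP 192.168.1.57:1152 -> 192.168.1.5:445
'@ -split '\r?\n'

$pattern = '^(?<mon>\w{3}) +(?<day>\d{1,2}) (?<hms>\d\d:\d\d:\d\d) \S+ fw: ALLOW (?<proto>\w+) (?<src>[\d.]+):\d+ -> (?<dst>[\d.]+):(?<dport>\d+)'
$year = 2004   # classic syslog timestamps carry no year; assumed here

$connections = foreach ($line in $firewallLines) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            # Parse with an invariant culture so "Mar" is understood regardless of locale
            Time = [datetime]::ParseExact("$($Matches.mon) $($Matches.day) $year $($Matches.hms)",
                                          'MMM d yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
            Src  = $Matches.src
            Dst  = $Matches.dst
            Port = [int]$Matches.dport
        }
    }
}

function Find-LogonSourceIp {
    param(
        [object[]]$Events,
        [object[]]$Connections,
        [string]$Account = 'Administrator',
        [int]$WindowSeconds = 5,   # the SMB session setup lands a second or two before the logon event
        [int]$DcPort = 445
    )
    foreach ($e in ($Events | Where-Object { $_.User -eq $Account })) {
        # Candidates: connections to the DC's SMB port shortly before the logon was recorded
        $cands = $Connections | Where-Object {
            $_.Port -eq $DcPort -and
            $_.Time -le $e.Time -and
            ($e.Time - $_.Time).TotalSeconds -le $WindowSeconds
        }
        $distinct = @($cands | Select-Object -ExpandProperty Src -Unique)
        [pscustomobject]@{
            Time        = $e.Time
            User        = $e.User
            Workstation = $e.Workstation
            CandidateIp = ($cands | Sort-Object Time -Descending | Select-Object -First 1).Src
            Ambiguous   = $distinct.Count -gt 1   # more than one host hit the DC in the window
        }
    }
}

Find-LogonSourceIp -Events $logonEvents -Connections $connections | Format-Table -AutoSize
```

With the constructed data the 09:15:02 logon maps to 192.168.1.57 and the 11:42:37 logon to 192.168.1.23, both unambiguous. The join only works if the two sources share a clock, so point the DC and the firewall at the same time source before trusting a window this narrow, and widen it or require the workstation name to match a DHCP lease when the `Ambiguous` flag comes up.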
 