Security Event Log madness.

  • Thread starter Thread starter Nunya Beeswax
  • Start date Start date
N

Nunya Beeswax

We've had a student in our school system delete a ton of files on
a server that were wide-open to students. The permissions allowed
students to delete files because Microsoft Office files need 'Delete'
permissions or they'll create the filename but the file will be empty.
The students have their own individual folder for saving files that
only they can access but most of the teachers had them using the
'open' folder. I recovered everything from our backup, but we don't
want to let this slide.
Anyway, I know the username of the student that deleted the
files. But, I need to determine the computer they did it from. I
know it's one of two computers. I have the security logs from both
domain controllers, the file server the files were deleted from and
the computers she logged in on. I see clearly in the log from the
file server that she deleted the files. But, it doesn't tell me what
computer the delete command was executed from. I don't see anything
in ANY of the other security logs that tells me what computer the
delete command came from.
I see events 540 & 576 in the log of one of the domain
controllers involving this user, but the 'Workstation Name' field is
blank in the 540 events. Surely to God above there is some way to
find out what computer she actually used, but I don't see anything in
any of these logs that tells me.
I need to know what computer she deleted the files from. Also,
if someone can point me to a good book or online resource that tells
me how to make sense of the event logs I would REALLY appreciate it.
Any light you can shed on this would be GREATLY appreciated.
 
Nunya said:
We've had a student in our school system delete a ton of files on
a server that were wide-open to students. The permissions allowed
students to delete files because Microsoft Office files need 'Delete'
permissions or they'll create the filename but the file will be empty.
The students have their own individual folder for saving files that
only they can access but most of the teachers had them using the
'open' folder. I recovered everything from our backup, but we don't
want to let this slide.
Anyway, I know the username of the student that deleted the
files. But, I need to determine the computer they did it from. I
know it's one of two computers. I have the security logs from both
domain controllers, the file server the files were deleted from and
the computers she logged in on. I see clearly in the log from the
file server that she deleted the files. But, it doesn't tell me what
computer the delete command was executed from. I don't see anything
in ANY of the other security logs that tells me what computer the
delete command came from.
I see events 540 & 576 in the log of one of the domain
controllers involving this user, but the 'Workstation Name' field is
blank in the 540 events. Surely to God above there is some way to
find out what computer she actually used, but I don't see anything in
any of these logs that tells me.
I need to know what computer she deleted the files from. Also,
if someone can point me to a good book or online resource that tells
me how to make sense of the event logs I would REALLY appreciate it.
Any light you can shed on this would be GREATLY appreciated.
Click to expand...

Do you know when the files were deleted? If so you could run the
eventcomb tool (free from somewhere on microsoft.com) to run over the
event logs which should tell you which machine they were on.

BTW, why do you need to know which workstation it was? If you got her
bang to rights why do you need to know where it was done from.
 
I know that it was her username that deleted the files. But, she
was logged onto two computers at the same time. She claims that a
friend was using one of the computers logged in under her username
(students have been told repeatedly not to do that) and that the
friend was supposed to log her off. So, even though I know it was her
username, I need to know the computer it was done on. There is a
camera that shows these computers. So, if I know what computer she
or her friend, was on, they can't deny it. Right now, they can blame
it on each other.
 
They can "blame" whomever they want, but the responsible party is clear ...
If the students have been instructed not to share usernames and passwords,
and they do, then the person sharing the username and password is
responsible ... If her username and password were compromised by the other
person, then you might have an issue, but if she gave it out, she's the one
who is responsible for the deleted files, regardless ...
 
You're 1,000,000 percent correct. But, logic doesn't come into
play when you've got parents trying to protect their kids from being
punished because THIER child isn't possibly CAPABLE of doing anything
wrong. It's just like jail or prison. Almost every student is
innocent when it comes time to get punished. We have to prove beyond
doubt who did what and when. And I'm soooo close.
 
Also, I know that I CAN get the computer name. The problem is
that I don't know what to look for. Should I look at the log on the
file server or the workstations? What event IDs am I looking for? I
have seen events that have a field that shows what computer the event
was generated from. But, those fields are blank. I obviously don't
know squat about this so I need some hand-holding. I know how to use
EventComb, but I don't know what I'm looking for. I know about
EventID.net, but that only shows me specific info about specific event
IDs. I would be very greatful if you could point me in the right
direction or even point me to a good tutorial about how to make sense
of the event logs. I've done a ton of research on the net, but I
haven't found a tutorial. Thank you in advance from an event-log
idiot.
 
The links below may help. There are often a sequence of numbers/letters in
the primary logon ID and such in object access events. I don't know if these
indicate the computer. Since you know the computers, you could try to
generate some object access events from each one to see if you can use the
information in the primary logon ID to determine which computer it was.

http://www.windowsitpro.com/Windows/Articles/ArticleID/20563/pg/2/2.html
http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx

For the future, if you have a Windows 2003 domain controller or can install
one you can use the new limitlogon tool to enforce the numbers of computers
that a user is logged onto at the same time. You can also specify what
domain computers a user can logon to in their account properties in Active
Directory Users and Computers and configure the user rights for logon
locally and deny logon locally to manage what computers users/groups can
logon to. -- Steve

http://www.thincomputing.net/newsitem296.html
 
Nunya said:
You're 1,000,000 percent correct. But, logic doesn't come into
play when you've got parents trying to protect their kids from being
punished because THIER child isn't possibly CAPABLE of doing anything
wrong. It's just like jail or prison. Almost every student is
innocent when it comes time to get punished. We have to prove beyond
doubt who did what and when. And I'm soooo close.
Click to expand...
Have you got a clearly defined user policy which says they are not
allowed to log in as somebody else which both they and there parent's
sign (we have), if so and she's admitting that they did it then you're
rocking and rolling. As we say: "Your username, your password, you're
guilty!"

If you want a copy of our student AUP then I'll email you one if you like?
 
Back
Top