Tips on auditing

Thread starter: Giovanni R.

Giovanni R.

Hi all.

I have a "little" trouble on my production network.
My colleague and I suspect that someone on our network is using the local machine
account "administrator" for illegal activities.
We have tried to find them, unfortunately. Our network is medium-sized, with about 200
clients: 40% NT machines and 60% W2000 machines.
Does anyone know of an automated tool that can send an alert message to the
administrators when someone uses the local administrator account?

Thanks very much

John R.
 
I don't know of a tool that will do that. You can enable auditing of account
logon events or logon events on computers to track when a user logs onto a
computer. For domain machines, you will need to audit logon events to see
when someone is logging onto a particular machine with a domain account. It
would also record events when some user tries to access a share remotely on
that machine. Security events are recorded in the security log in Event
Viewer and you can use the filter view to narrow a search and use something
like Event Comb to scan the logs of multiple machines remotely assuming you
have administrator rights on those machines.

You may also need to review membership of the local administrators group on
your machines and change passwords if you feel there is unauthorized access
and make sure you are using complex passwords for those accounts. Keep in
mind it is very easy for someone with physical access to a machine to reset
the administrator account password if they can boot from a floppy, cdrom, or
device other than the system drive. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;en-us;q248260
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
prodtech/win2000/secwin2k/09detect.asp
http://tinyurl.com/vtyv -- Same link as above, shorter in case of wrap.
 
Ok.
But my purpose was only to "see" when someone uses this account... in other
words, we want to find them.

I've heard of some software that does that. In fact, some network
scanners retrieve the user currently logged on, but none, as far as I remember, alerts
someone if a particular logon is made.

Many thanks Steve.

John R.
 
That is pretty much what I know also. Here is something you could try. It is not the
easiest to implement on a large number of machines, but if you have it narrowed down
you could use Task Scheduler and create a task that would execute a batch file of
some sort [maybe net send with a message identifying computer] when the local
administrator logs on. --- Steve
 
Here's how you can do it: enable windows auditing [
http://securityadmin.info/faq.asp#auditing ] if you haven't already [e.g. if
your windows security event logs on your computers are empty], then use something
like www.ipsentry.com ($100 US) to monitor the event logs. You would need to
put it on a dedicated machine, as using it to monitor event logs remotely is
resource intensive. IPSentry can send you all sorts of alerts when certain
log entries are found... NET SEND popups, SMTP email, use a modem to call
your pager, etc. This might be the most reliable way to do this.

If you prefer, you can use a batch file that runs a windows log dumping
utility such as the free one from www.sysinternals.com to go remotely to
each computer and dump the security event log and inspect it for new
entries. The batch file can also send you NET SEND messages, emails using
the free BLAT utility, etc. I've used both of these two methods myself to
get alerts based on windows security log events. I used the DUMPEL utility
from the Microsoft windows resource kit [which is not free] but I found it
to give unreliable results when trying to dump the security log remotely.

Or, you can use something like the free NTSyslog / NT Syslog utility found
in www.google.com on all workstations to spit out the windows security event
logs to a central syslog computer running something like the free
www.kiwisyslog.com client.

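Steve's advice (audit logon events, then filter the security log for the local administrator) and Karl's batch-file approach (dump the security log, look only at new entries, raise an alert) come down to the same detection logic. The script below is an added example and not code from any poster: it assumes a constructed tab-separated dump layout (real DUMPEL/psloglist output differs), uses the NT/2000 logon event IDs 528/540/529, and separates the local Administrator from a domain account of the same name by checking that the domain field equals the computer name.

```python
import csv
import io

# Windows NT/2000 security event IDs for logons (pre-Vista numbering).
SUCCESS_LOGON = {528, 540}   # 528 = successful logon, 540 = successful network logon
FAILED_LOGON = {529}         # 529 = unknown user name or bad password
LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}
WATCHED_ACCOUNT = "administrator"

# Constructed sample dump, tab-separated: date, time, event id, user, domain,
# logon type, source workstation, record number (an assumed layout for this example).
SAMPLE_DUMP = """\
2003-05-12\t08:02:11\t528\tjsmith\tCORP\t2\tWS017\t1041
2003-05-12\t08:15:43\t528\tAdministrator\tWS017\t2\tWS017\t1042
2003-05-12\t08:16:02\t529\tAdministrator\tWS017\t3\tWS033\t1043
2003-05-12\t08:20:17\t540\tAdministrator\tWS017\t3\tWS033\t1044
2003-05-12\t09:01:55\t528\tAdministrator\tCORP\t2\tWS017\t1045
"""

def parse_dump(text):
    keys = ("date", "time", "event_id", "user", "domain", "logon_type", "source", "record")
    events = []
    for fields in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(fields) != len(keys):
            continue                  # blank or malformed line
        e = dict(zip(keys, fields))
        e["event_id"], e["record"] = int(e["event_id"]), int(e["record"])
        events.append(e)
    return events

def find_local_admin_logons(text, computer, last_record_seen):
    """Return (alerts, newest_record) for events newer than last_record_seen in which
    the LOCAL Administrator (domain field == computer name) logged on or failed to."""
    alerts, newest = [], last_record_seen
    for e in parse_dump(text):
        newest = max(newest, e["record"])
        if e["record"] <= last_record_seen:
            continue                  # already reported by an earlier run
        if e["user"].lower() != WATCHED_ACCOUNT or e["domain"].lower() != computer.lower():
            continue                  # another user, or the DOMAIN Administrator account
        if e["event_id"] in SUCCESS_LOGON:
            kind = "SUCCESS"
        elif e["event_id"] in FAILED_LOGON:
            kind = "FAILED"
        else:
            continue                  # not a logon event
        ltype = LOGON_TYPES.get(e["logon_type"], "logon type " + e["logon_type"])
        msg = f"{kind} local Administrator logon on {computer} ({ltype}) from {e['source']} at {e['date']} {e['time']}"
        alerts.append({"record": e["record"], "kind": kind, "source": e["source"], "message": msg})
    return alerts, newest
```

Persist the returned newest record number between scheduled runs so each run alerts only on entries it has not seen; the message strings are ready to hand to NET SEND or an SMTP tool such as BLAT.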
 
Cool. Thanks Karl. --- Steve

 
This could also be helpful:

http://www.monitorware.com/Common/en/Articles/Detecting-Password-Attacks-Windows.asp

It is not exactly what you are looking for but close enough to apply the principle.

Rainer

 