dshockey
asked on
Where Are Active Directory Security Logs?
Simple question: I recently set up a Windows 2000 Active Directory for a small office. It has worked well except for a couple of user accounts that got locked out for unknown reasons. My policy allows up to 5 bad logins within an hour before locking out an account and nobody remembers typing bad passwords. (Nobody ever does... :-) ) Anyway, back in the old days of Win NT 4, I would just go to the event log on the domain controller and see when the bad logins occurred. On Win2k, however, I'm not seeing anything relating to AD logins on the event log. I'm pretty sure I have auditing turned on for all of the appropriate AD events. Where would I look for logs of these AD events?
--> Daryl Shockey
Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:
http://housecall.trendmicro.com/housecall/start_corp.asp
Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:
http://www.trendmicro.com/download/tsc.asp
If you get an ActiveX error when loading the HouseCall web page:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=4317
If you want to secure your company's workstations in the future, consider purchasing OfficeScan:
http://www.trendmicro.com/en/products/desktop/osce/evaluate/features.htm
If you can afford it, you can get an url-scanning engine installed on a server with workstation, server-, email and url-scanning engine from
http://www.trendmicro.com/en/products/global/enterprise.htm
Virus Information Alliance (VIA)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/via.asp
Review of the best antivirus solutions:
http://www.cnet.com/software/1,11066,0-806174-1202-0,00.html?tag=dir-av&pn=1&ob=3&qt=&qn=&F2=0&F3=0&sm=0
SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp
Getting a personal Firewall
http://www.zensecurity.co.uk/default.asp?URL=personal
Download the free version of Sygate personal firewall
http://smb.sygate.com/support/documents/spf/default.htm
http://smb.sygate.com/download/download.php?pid=spf
Download the free version of ZoneAlarm firewall
http://www.zonelabs.com/store/content/company/zap_za_grid.jsp?lid=ho_za
Comparative reviews of personal firewall software:
http://www.firewallguide.com/software.htm
Firewall Product Selector - Choose yourself which one to compare
http://www.spirit.com/cgi-new/report.pl?dbase=fw&function=view
The Internet Connection Firewall Can Prevent Browsing and File Sharing
http://support.microsoft.com/default.aspx?scid=kb;en-us;298804
Spybot:
http://security.kolla.de/index.php
Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/
SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm
Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/
Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://pestpatrol.com/Support/About/About_Ports_And_Trojans.asp - portlist
List of known Trojan/Backdoors and the TCP/UDP ports on which they operate
http://www.onctek.com/trojanports.html
Internet Storm Center - Input portnumber and press GO
http://isc.incidents.org/port_details.html?port=
IPEye is a freeware TCP port scanner
http://www.ntsecurity.nu/toolbox/ipeye/
Sygate free scanning your security: quick, stealth, trojan, tcp, udp, icmp
http://scan.sygatetech.com/
One Usage of the HACKYOURSELF scan: TCP Scan (65534 ports),UDP scan (800+ ports), and Netbios Scan
http://www.hackerwhacker.com/
Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2
Port scan.. Get an instant security analysis now. You don't even need to know your own IP address!
http://www.dslreports.com/scan
How to recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
Also remember to patch up with latest hotfixes...
About Windows Update (SUS)
http://v4.windowsupdate.microsoft.com/en/about.asp
Download and install Microsoft's automatic update server (also known as SUS)
http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp
ASKER
I just checked and auditing for success and failure of both "Account Logon" and "Logon" is turned on at all levels:
- Local Security Policy
- Domain Security Policy
- Domain Controller Security Policy
- Group Policy for organizational unit in which all users exist
When I run the event viewer (eventvwr) on the AD domain controller, I do not see *any* entries in the Security Log. All other logs have entries in them.
--> Daryl Shockey
ASKER
I'm borderline psychotic about keeping up-to-date with service packs and hotfixes. While I certainly won't dismiss the possibility of it being a virus/trojan horse, the fact remains that I have no way of determining which machine contains the offending program because I have no log of when or where the bad login attempt occurred.
--> Daryl Shockey
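Once the domain controller's Security log is recording failures, the "when and where" of the bad logons can be recovered by applying the policy from the question (5 bad logons within an hour) to the account-logon failure events. This is an added example, not part of the original thread: the CSV columns and sample rows are constructed (not the Event Viewer export layout), and event IDs 675 and 681 are the Windows 2000 Kerberos pre-authentication and NTLM logon failure events.

```python
import csv
import io
from collections import Counter, deque
from datetime import datetime, timedelta

# Account-logon failures on a Windows 2000 DC:
# 675 = Kerberos pre-authentication failed, 681 = NTLM logon failed
FAILURE_IDS = {"675", "681"}
THRESHOLD = 5                # bad logons named in the question's lockout policy
WINDOW = timedelta(hours=1)  # counting window from the same policy

# Constructed sample rows; "source" is the workstation name or client address
SAMPLE = """\
time,event_id,account,source
2004-04-05 08:01:10,681,jsmith,WS-RECEPTION
2004-04-05 08:03:00,672,jsmith,WS-RECEPTION
2004-04-05 08:10:00,675,jsmith,10.0.0.23
2004-04-05 08:20:00,675,jsmith,10.0.0.23
2004-04-05 08:25:30,681,bjones,WS-ACCOUNTS
2004-04-05 08:30:00,675,jsmith,10.0.0.23
2004-04-05 08:40:00,675,jsmith,10.0.0.23
2004-04-05 11:47:12,681,bjones,WS-ACCOUNTS
"""

def lockout_sources(text):
    """Return {account: Counter(source -> failures)} for each account that
    reached THRESHOLD failures inside one sliding WINDOW."""
    recent = {}   # account -> deque of (time, source) still inside the window
    flagged = {}
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    for row in rows:
        if row["event_id"] not in FAILURE_IDS:
            continue  # successes (e.g. 672) and unrelated events are ignored
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        queue = recent.setdefault(row["account"], deque())
        queue.append((when, row["source"]))
        # Drop failures that have aged out of the one-hour window
        while when - queue[0][0] > WINDOW:
            queue.popleft()
        if len(queue) >= THRESHOLD and row["account"] not in flagged:
            flagged[row["account"]] = Counter(src for _, src in queue)
    return flagged

if __name__ == "__main__":
    for account, sources in lockout_sources(SAMPLE).items():
        print(account, sources.most_common())
```

A source that produces most of the failures at regular intervals, as the constructed 10.0.0.23 does here, usually points at a stored or cached credential rather than a person typing.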
ASKER
I spoke too soon earlier. It turns out that I am now getting audit trails which I didn't get earlier. I'm not sure which setting worked (since I modified a few at the same time). But I can figure that part out now.
Thanx Petelong!
trywaredk: These are supposed to be meaningful dialogues. Your comment about the possibility of it being a virus or trojan horse was good. The *really* extensive list of links that followed was not and would only frustrate somebody trying to enter into this thread. Please don't bomb threads with url lists like this. Make a web page that has all of these links and post one url to that web page.
--> Daryl Shockey
Thanks Daryl. Glad you got there (even if you're not sure how).
Pete
>"Make a web page that has all of these links and post one url to that web page"
:o) What a great idea - thank you
http://www.tryware.dk/English/Knowledgebase/HowToProtectYourComputer.html
BTW: DSHOCKEY - Please comment here:
https://www.experts-exchange.com/questions/20947518/Points-for-DSJOCKEY-meaningful-dialogues.html
Maybe you are being troubled by virus/spyware/trojans/back
Protect yourself with a solid solution
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open