Solved

How track IP modifications on Windows 2000/XP

Posted on 2004-04-05
10
746 Views
Last Modified: 2013-12-04
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

Thank you!
0
Comment
Question by:istvan_kope
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 2
10 Comments
 
LVL 12

Accepted Solution

by:
trywaredk earned 50 total points
ID: 10755776
Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549

HOWTO: Enabling Local Auditing Policies on Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10755885
You could also run this vbScript in your logonscript (CALL %systemroot%\system32\wscript.exe YourVbScriptName.vbs)


Option Explicit
On Error Resume Next
      Dim wshNetwork, oLocator, oService, sSql, oEnum, Item, i, sGetIpAddress, sComputerName, fso, fh, sLogFile

      Set wshNetwork = wScript.CreateObject("WScript.Network")
      sComputerName = wshNetwork.ComputerName

      Set fso = CreateObject("Scripting.FileSystemObject")
      Set oLocator = WScript.CreateObject("WbemScripting.SWbemLocator")
      Set oService = oLocator.ConnectServer(sComputerName)

      sSql = "Select IPAddress from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE"

      On Error Resume Next
      Set oEnum = oService.ExecQuery(sSql)
      For Each Item in oEnum
            If Not IsNull(Item.IPAddress) Then
                  For i=LBound(Item.IPAddress) to UBound(Item.IPAddress)
                        sGetIpAddress = Item.IPAddress(i)
                  Next
            End If
      Next

      sLogFile="\\YourServerName\YourShareName\" & sComputerName & "." & sGetIpAddress & ".log"
      
      On Error Resume Next
      Set fh = fso.OpenTextFile(sLogFile, 8, True,0)                        '8=appending
      fh.Write Now & " ---->   " & sGetIpAddress & vbCrLf
      fh.Close

      Set wshNetwork = Nothing
      Set fso = Nothing
      Set fh = Nothing      
      Set oLocator = Nothing
      Set oService = Nothing
      Set oEnum = Nothing
0
 

Author Comment

by:istvan_kope
ID: 10757436
If the security audit is not enabled there is no way other log which can tell that the IP was changed? Is there a service which is restarted when the IP is changed?
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 
LVL 12

Expert Comment

by:trywaredk
ID: 10758081
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{C5019ABF-2C77-40E0-B7E0-91A85C63A831}\Parameters\Tcpip]
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10758092
... and a lot more - search after your own ip-address in registry
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10759895
Your DHCP server will log what machines have what, on any given day. You'd need to save it's log's pretty regularly, probably daily. That is if your dhcp program supports logging, most do. Instead of a big long VBscript, you could issue a call to a batch file that ran "ipconfig" ... and save that to a text file. And as mentioned, the registry will keep that info handy, however it won't keep previous IP's logged anywhere.
-rich
0
 

Author Comment

by:istvan_kope
ID: 10763243
I don't want to know the IP address I just want to track if it was changed. So can you tell me which services are restarted when the IP is changed?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 10765255
Usually all the services are restarted...because typically to get a different ip, you reboot, or you issue a "release" and "renew" command to obtain a new IP (this is done during each reboot btw). An easy way to track is with a text file with the ip in it, and compare that txt file to the one taken the day before...

Again, the DHCP server will log what ip's are with what computer (at the very least what MAC address has what IP)
No service "NEEDS" restarted if you change the ip in windows. In linux, the Network service needs restarted usually.

Your Question:
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

We've told you a few ways to track it. No it is not saved in the event log.
you could get a program that will notify you if an ip has changed: http://www.barefootinc.com/ipmonitor.htm
You could script Netstat to scan your subnet... http://www.techtv.com/screensavers/windowstips/story/0,24330,3348692,00.html
-rich
0
 

Author Comment

by:istvan_kope
ID: 10772071
Can you tell me how can I enable the security audit from the domain server on every workstation?
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10828560
Set the policy on the domain controller in the Organisational Unit, where the computers are

:o) Glad we could help you - thank you for the points

0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question