Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

How track IP modifications on Windows 2000/XP

Posted on 2004-04-05
10
Medium Priority
?
779 Views
Last Modified: 2013-12-04
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

Thank you!
0
Comment
Question by:istvan_kope
  • 5
  • 3
  • 2
10 Comments
 
LVL 12

Accepted Solution

by:
trywaredk earned 150 total points
ID: 10755776
Enable and Apply Security Auditing in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549

HOWTO: Enabling Local Auditing Policies on Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;252412

EMCO EventLog Audit collects the eventlog from the computers on the LAN, to a database
http://www.1000files.com/Utilities/Network/EMCO_EventLog_Audit_6132_Review.html

Cybersafe Centrax Log Analyst Named Essential Microsoft Windows 2000 Security Utility
http://www.cybersafe.com/centrax/cla1.html

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10755885
You could also run this vbScript in your logonscript (CALL %systemroot%\system32\wscript.exe YourVbScriptName.vbs)


Option Explicit
On Error Resume Next
      Dim wshNetwork, oLocator, oService, sSql, oEnum, Item, i, sGetIpAddress, sComputerName, fso, fh, sLogFile

      Set wshNetwork = wScript.CreateObject("WScript.Network")
      sComputerName = wshNetwork.ComputerName

      Set fso = CreateObject("Scripting.FileSystemObject")
      Set oLocator = WScript.CreateObject("WbemScripting.SWbemLocator")
      Set oService = oLocator.ConnectServer(sComputerName)

      sSql = "Select IPAddress from Win32_NetworkAdapterConfiguration where IPEnabled=TRUE"

      On Error Resume Next
      Set oEnum = oService.ExecQuery(sSql)
      For Each Item in oEnum
            If Not IsNull(Item.IPAddress) Then
                  For i=LBound(Item.IPAddress) to UBound(Item.IPAddress)
                        sGetIpAddress = Item.IPAddress(i)
                  Next
            End If
      Next

      sLogFile="\\YourServerName\YourShareName\" & sComputerName & "." & sGetIpAddress & ".log"
      
      On Error Resume Next
      Set fh = fso.OpenTextFile(sLogFile, 8, True,0)                        '8=appending
      fh.Write Now & " ---->   " & sGetIpAddress & vbCrLf
      fh.Close

      Set wshNetwork = Nothing
      Set fso = Nothing
      Set fh = Nothing      
      Set oLocator = Nothing
      Set oService = Nothing
      Set oEnum = Nothing
0
 

Author Comment

by:istvan_kope
ID: 10757436
If the security audit is not enabled there is no way other log which can tell that the IP was changed? Is there a service which is restarted when the IP is changed?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 12

Expert Comment

by:trywaredk
ID: 10758081
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{C5019ABF-2C77-40E0-B7E0-91A85C63A831}\Parameters\Tcpip]
"IPAddress"=hex(7):30,00,2e,00,30,00,2e,00,30,00,2e,00,30,00,00,00,00,00

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10758092
... and a lot more - search after your own ip-address in registry
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10759895
Your DHCP server will log what machines have what, on any given day. You'd need to save it's log's pretty regularly, probably daily. That is if your dhcp program supports logging, most do. Instead of a big long VBscript, you could issue a call to a batch file that ran "ipconfig" ... and save that to a text file. And as mentioned, the registry will keep that info handy, however it won't keep previous IP's logged anywhere.
-rich
0
 

Author Comment

by:istvan_kope
ID: 10763243
I don't want to know the IP address I just want to track if it was changed. So can you tell me which services are restarted when the IP is changed?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 150 total points
ID: 10765255
Usually all the services are restarted...because typically to get a different ip, you reboot, or you issue a "release" and "renew" command to obtain a new IP (this is done during each reboot btw). An easy way to track is with a text file with the ip in it, and compare that txt file to the one taken the day before...

Again, the DHCP server will log what ip's are with what computer (at the very least what MAC address has what IP)
No service "NEEDS" restarted if you change the ip in windows. In linux, the Network service needs restarted usually.

Your Question:
Do you know how can I track if the IP of a Windows workstation has been changed? Is it saved in the event log?

We've told you a few ways to track it. No it is not saved in the event log.
you could get a program that will notify you if an ip has changed: http://www.barefootinc.com/ipmonitor.htm
You could script Netstat to scan your subnet... http://www.techtv.com/screensavers/windowstips/story/0,24330,3348692,00.html
-rich
0
 

Author Comment

by:istvan_kope
ID: 10772071
Can you tell me how can I enable the security audit from the domain server on every workstation?
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10828560
Set the policy on the domain controller in the Organisational Unit, where the computers are

:o) Glad we could help you - thank you for the points

0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, a new law in my state forced us to get a top-to-bottom analysis of all of our contract client's networks. While we have documentation, it was spotty at best for some - and in any event it needed to be checked against reality. That was m…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Despite its rising prevalence in the business world, "the cloud" is still misunderstood. Some companies still believe common misconceptions about lack of security in cloud solutions and many misuses of cloud storage options still occur every day. …

782 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question