
Logging Server Shutdown

There is a user on the network who has been shutting down the server. I have been asked to find out who that user is. Users access the server via PCAnywhere and Terminal Services. How can I log the server activity so that I can report which user is initiating the server shutdown?

After this is determined I will define a security policy to disable remote shutdown etc., but for now the admin requires that we report who is shutting down the server.

Thanks,
AY
5 Solutions
 
blurterboy commented:
Hi, have you tried auditing System events in the local security policy?
BB
 
arshaadyar03 (Author) commented:
Yes, I have tried that, but there is no way to specify logging of server shutdown. You can audit server logon and can set permissions for which groups/users have the right to shut down.

P.S. I also need to log their remote access via PCAnywhere and Terminal Services.
 
jonpaulr commented:
AY,

pcAnywhere can use NT Authentication for access; then, when the user logs in, it will be shown in the Event Log - Security (if you have "Audit account logon events" enabled, since Microsoft doesn't enable it by default). With this enabled, Terminal Services should show up as well. You can simultaneously enable auditing of system events and then you will know when the server went down.

Take a look at these 2 links:

http://www.itc.virginia.edu/microsys/guidelines/sg_policies.htm#Auditing

http://networking.earthweb.com/netos/article.php/624921

All the best,

JP
 
arshaadyar03 (Author) commented:
Thanks for the feedback, JP. I will try this in the morning and advise on the outcome.
 
JamesDS commented:
arshaadyar03

Everything you need will be in the security event logs once configured.

This link explains how to set up your logging: http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx

You need to switch on auditing of Privilege Use.

You are looking for Event IDs 577 and 578 with the user right SeRemoteShutdownPrivilege or SeShutdownPrivilege indicated. The SID the user right is assigned to is included in the event details.

Privilege Use makes your logs grow quickly, so make sure they have plenty of space to grow and that you check them regularly.

Cheers

JamesDS
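As an added example (not posted in the thread), the following PowerShell pulls the Privilege Use events JamesDS describes and pairs each with the 6006 "Eventlog service was stopped" marker mentioned later, so each shutdown lines up with the account that exercised the shutdown right just before it. It assumes the Security log is readable by the caller (an administrator), the legacy 577/578 IDs for Privilege Use, and a two-minute correlation window, which is a constructed choice.

```powershell
# Added example, not from the original thread.
# Correlate shutdown-privilege use (Security log) with the
# "Eventlog service was stopped" marker (System log, ID 6006).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-7)   # constructed default window
)

# 577 = privileged service called, 578 = privileged object operation (Win2000/2003).
# Vista and later log the same facts as 4673/4674; both pairs are included.
$privilegeUseIds = 577, 578, 4673, 4674
$shutdownRights  = 'SeShutdownPrivilege|SeRemoteShutdownPrivilege'

# Privilege Use events whose message names one of the shutdown rights.
$privUse = Get-EventLog -LogName Security -ComputerName $ComputerName -After $Since |
    Where-Object { $privilegeUseIds -contains $_.EventID -and $_.Message -match $shutdownRights } |
    Select-Object TimeGenerated, EventID, UserName

# 6006 is written as the last act of a clean shutdown or restart.
$stops = Get-EventLog -LogName System -ComputerName $ComputerName -After $Since |
    Where-Object { $_.EventID -eq 6006 }

foreach ($stop in $stops) {
    # Assumption: the shutdown right is exercised within two minutes of 6006.
    $windowStart = $stop.TimeGenerated.AddMinutes(-2)
    $matches = $privUse | Where-Object {
        $_.TimeGenerated -ge $windowStart -and $_.TimeGenerated -le $stop.TimeGenerated
    }
    [pscustomobject]@{
        ShutdownAt = $stop.TimeGenerated
        Accounts   = (($matches | ForEach-Object { $_.UserName } | Sort-Object -Unique) -join ', ')
        Events     = (($matches | ForEach-Object { "$($_.EventID)@$($_.TimeGenerated.ToString('HH:mm:ss'))" }) -join ' ')
    }
}
```

Run it after Privilege Use auditing has been on long enough to capture a shutdown; a 6006 row with an empty Accounts column means the shutdown was not preceded by an audited shutdown-privilege use on that host (for example a power loss or an unaudited path), which is itself useful to report.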
 
oBdA commented:
You can disable the permission to shut down the server for regular users, either with the local security policy or with a group policy for the systems in question.
For a Group Policy, it's under Computer Configuration\Windows Configuration\Security Settings\Local Policies\User Permissions: System Shutdown (or similar; I'm not using an English version). For a local policy (secpol.msc), it obviously starts at \Local Policies\...
 
RevelationCS commented:
We have W2K servers running with pcAnywhere on them and everything is logged in the Event Viewer. To see who is shutting down the server, look at the security log... This is taking into account, however, that you don't have pcAnywhere open to access by all users without entering any authentication information. Usually, most people will have it set to use NT Authentication and grant access to the users/groups that need access to the machine...
 
RevelationCS commented:
Also, on another note, to verify when the server was shut down, you should see events in the Event Viewer for the shutdown... Usually there is an Event ID of 6006 with the description "The Eventlog service was stopped" just before the system shuts down or restarts....
 
RevelationCS commented:
(I apologize for the double post there; IE seemed to have gone berserk on me :) )
 
arshaadyar03 (Author) commented:
Thanks to you all. I have set up the appropriate auditing parameters and have tested. Now I just need to wait for the user to attempt a shutdown.

Thanks again,
Arshaad
 
jonpaulr commented:
GL! Hopefully the links/instructions I sent last night did the job. -JP
 
RevelationCS commented:
My recommendation would be a split of the points....