Solved

Logging Server Shutdown

Posted on 2004-04-25
Last Modified: 2010-04-12
There is a user on the network who has been shutting down the server. I have been asked to find out who that user is. Users access the server via PCAnywhere and Terminal Services. How can I log the server activity so that I can report which user is initiating the server shutdown?

After this is determined I will define a security policy to disable remote shutdown etc., but for now the admin requires that we report who is shutting down the server.

Thanks,
AY
Question by:arshaadyar03
Accepted Solution

by:
blurterboy earned 100 total points
Hi, have you tried auditing System events in the local security policy?
BB
LVL 1

Author Comment

by:arshaadyar03
Yes I have tried that but there is no way to specify logging of server shutdown. You can audit server logon and can set permissions for what groups/users have the right to shutdown.

P.S. I also need to log their remote access via PCAnywhere and Terminal Services.
LVL 2

Assisted Solution

by:jonpaulr
jonpaulr earned 100 total points
AY,

pcAnywhere can use NT Authentication for access; then when the user logs in, it will be shown in the Event Log - Security (if you have Audit account logon events enabled, since Microsoft doesn't enable it by default). With this enabled, Term Services should show up as well. You can simultaneously enable auditing of system events, and then you will know when the server went down.

Take a look at these 2 links:

http://www.itc.virginia.edu/microsys/guidelines/sg_policies.htm#Auditing

http://networking.earthweb.com/netos/article.php/624921

All the best,

JP
LVL 1

Author Comment

by:arshaadyar03
Thanks for the Feedback JP I will try this in the morning and advise on the outcome.

LVL 16

Assisted Solution

by:JamesDS
JamesDS earned 100 total points
arshaadyar03

Everything you need will be in the security event logs once configured

This link explains how to set up your logging: http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx

You need to switch on auditing of Privilege Use.

You are looking for Event IDs 577 and 578 with user right SeRemoteShutdownPrivilege or SeShutdownPrivilege access privilege indicated. The SID the user right is assigned to is included in the event details.

Privilege Use makes your logs grow quickly, so make sure they have plenty of space to grow and that you check them regularly.

Cheers

JamesDS
LVL 82

Assisted Solution

by:oBdA
oBdA earned 100 total points
You can disable the permission to shutdown the server for regular users, either with the local security policy, or with a group policy for the systems in question.
For a Group Policy, it's under Computer Configuration\Windows Configuration\Security Settings\Local Policies\User Permissions: System Shutdown (or similar, I'm not using an English version). For a local policy (secpol.msc), it obviously starts at \Local Policies\...
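jonpaulr's and JamesDS's posts above say which audit categories to switch on (account logon, system events, privilege use), and oBdA's post says which user right to take away from regular users. The PowerShell script below is an added example, not part of the original thread or any poster's work; it makes both changes at once on a stand-alone server by writing a security template and applying it with secedit.exe, which is the same engine the Local Security Policy snap-in drives. Assumptions: the file paths under $env:TEMP are placeholders, and BUILTIN\Administrators (well-known SID S-1-5-32-544) is the only group that should keep the "Shut down the system" and "Force shutdown from a remote system" rights; add other SIDs (for example Server Operators, S-1-5-32-549) if your environment needs them.

```powershell
# Added example, not from the original thread: restrict the shutdown user rights
# and enable the audit categories the experts above mention, via a security
# template applied with secedit.exe. Run from an elevated prompt on the server.
# ASSUMPTIONS: the paths below are placeholders; BUILTIN\Administrators
# (S-1-5-32-544) is the only group that should keep shutdown rights. Adjust the
# SID lists (comma-separated, each prefixed with *) to your environment.

$infPath    = Join-Path $env:TEMP 'shutdown-audit.inf'
$dbPath     = Join-Path $env:TEMP 'shutdown-audit.sdb'
$logPath    = Join-Path $env:TEMP 'shutdown-audit.log'
$exportPath = Join-Path $env:TEMP 'shutdown-audit-effective.inf'

# Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# Single-quoted here-string so "$CHICAGO$" is not expanded as a variable.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPrivilegeUse = 3
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SeRemoteShutdownPrivilege = *S-1-5-32-544
'@

Set-Content -Path $infPath -Value $template -Encoding Unicode

# Apply only the audit policy (SECURITYPOLICY) and user rights (USER_RIGHTS) areas;
# /overwrite starts from a fresh database instead of merging with an old one.
secedit.exe /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY USER_RIGHTS /overwrite /log $logPath /quiet

# Verify: export the effective settings and show the keys we care about.
secedit.exe /export /cfg $exportPath /areas SECURITYPOLICY USER_RIGHTS /quiet
Get-Content -Path $exportPath |
    Select-String -Pattern 'SeShutdownPrivilege|SeRemoteShutdownPrivilege|AuditPrivilegeUse|AuditSystemEvents|AuditLogonEvents|AuditAccountLogon'
```

On a domain member, do this in the Group Policy object oBdA mentions rather than locally, because a domain policy that defines the same settings will overwrite the local ones at the next refresh. Setting SeShutdownPrivilege to an explicit list also removes the default holders (Backup Operators, Server Operators and so on), which is why the SID list should be checked against who legitimately restarts the box before the template is applied.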
LVL 8

Assisted Solution

by:RevelationCS
RevelationCS earned 100 total points
We have w2k servers running with pcAnywhere on them and everything is logged in the event viewer. To see who is shutting down the server, look at the security log... this is taking into account, however, that you don't have pcAnywhere open to access by all users without entering any authentication information. Usually, most people will have it set to use NT Authentication and grant access to the users/groups that need access to the machine...
LVL 8

Expert Comment

by:RevelationCS
Also, on another note, to verify when the server was shut down, you should see events in the event viewer for the shutdown.. usually there is an event ID of 6006 with the description "The Eventlog service was stopped" just before the system shuts down or restarts....
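JamesDS's post above names the records to look for (Security event IDs 577 and 578 showing SeShutdownPrivilege or SeRemoteShutdownPrivilege), and RevelationCS's comment adds System event 6006 as the marker that the server actually went down. The PowerShell function below is an added example, not code from the thread; it reads both logs with Get-EventLog, keeps only privilege-use records whose message names a shutdown right, and pairs each one with the 6006 that follows it within a configurable window, so the output lists the account behind each shutdown (and flags shutdowns with no matching audit record). Assumptions: Windows PowerShell with rights to read the Security log; the legacy IDs 577/578 from the thread apply to Windows 2000/2003, while on Windows Vista and later the same events are 4673/4674 (legacy ID plus 4096), which is why the IDs are a parameter.

```powershell
# Added example, not from the original thread. Correlates Security-log
# privilege-use events that name a shutdown right with System-log 6006 records
# ("The Event log service was stopped") to report who held the shutdown right
# just before each shutdown.
# ASSUMPTIONS: Windows PowerShell (Get-EventLog reads the classic logs), rights
# to read the Security log, and the pre-Vista event IDs 577/578 from the thread;
# pass -PrivilegeEventIds 4673,4674 on Windows Vista and later.

function Get-ShutdownActor {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int[]]$PrivilegeEventIds = @(577, 578),   # 4673, 4674 on Vista and later
        [int]$WindowMinutes = 5,                   # how far before a 6006 to look back
        [int]$Days = 30                            # how far back in the logs to read
    )

    $since        = (Get-Date).AddDays(-$Days)
    $rightPattern = 'SeRemoteShutdownPrivilege|SeShutdownPrivilege'

    # Privilege Use auditing writes 577/578 for every privileged call, so filter
    # on EventID (not InstanceId, which carries severity bits on classic logs)
    # and then on the message text, which lists the privilege that was used.
    $privUse = Get-EventLog -ComputerName $ComputerName -LogName Security -After $since -ErrorAction Stop |
        Where-Object { $PrivilegeEventIds -contains $_.EventID -and $_.Message -match $rightPattern }

    # 6006 is written by the EventLog source as the service stops during shutdown.
    $shutdowns = Get-EventLog -ComputerName $ComputerName -LogName System -Source EventLog -After $since -ErrorAction Stop |
        Where-Object { $_.EventID -eq 6006 }

    foreach ($down in $shutdowns) {
        $windowStart = $down.TimeGenerated.AddMinutes(-$WindowMinutes)
        $hits = $privUse | Where-Object {
            $_.TimeGenerated -ge $windowStart -and $_.TimeGenerated -le $down.TimeGenerated
        }
        if (-not $hits) {
            # A shutdown with no privilege-use record in the window: power loss,
            # a crash, or an auditing gap. Report it so the gap is visible.
            [pscustomobject]@{
                ShutdownAt = $down.TimeGenerated
                EventAt    = $null
                EventId    = $null
                Account    = '<no shutdown-right event in window>'
                Right      = $null
            }
            continue
        }
        foreach ($h in $hits) {
            [pscustomobject]@{
                ShutdownAt = $down.TimeGenerated
                EventAt    = $h.TimeGenerated
                EventId    = $h.EventID
                Account    = $h.UserName      # resolved from the SID recorded in the event
                Right      = [regex]::Match($h.Message, $rightPattern).Value
            }
        }
    }
}

# Report, newest shutdown first.
Get-ShutdownActor | Sort-Object ShutdownAt -Descending | Format-Table -AutoSize
```

Reading the whole Security log is slow once Privilege Use auditing is on, which is the log-growth point JamesDS makes; narrow -Days once the culprit's time of day is known. The pairing is a heuristic: a hard power cut leaves no 6006 at all, and a privilege-use record only proves the account held the right at that moment, so treat the output as the lead to confirm against the logon events jonpaulr describes. On Windows Vista and later the System log additionally carries event 1074 from USER32, which names the process and user that requested the shutdown directly.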
LVL 8

Expert Comment

by:RevelationCS
(I apologize for the double post there, IE seemed to have gone berserk on me :) )
LVL 1

Author Comment

by:arshaadyar03
Thanks to you all. I have set up the appropriate auditing parameters and have tested. Now I just need to wait for the user to attempt a shutdown.

Thanks Again,
Arsshaad
LVL 2

Expert Comment

by:jonpaulr
GL! Hopefully the links/instructions I sent last night did the job. -JP
LVL 8

Expert Comment

by:RevelationCS
my recommendation would be a split of the points....