Solved

Logging Server Shutdown

Posted on 2004-04-25
Last Modified: 2010-04-12
There is a user on the network who has been shutting down the server. I have been asked to find out who that user is. Users access the server via PCAnywhere and Terminal Services. How can I log the server activity so that I can report which user is initiating the server shutdown?

After this is determined I will define a security policy to disable remote shutdown etc., but for now the admin requires that we report who is shutting down the server.

Thanks,
AY
Question by:arshaadyar03
16 Comments
 

Accepted Solution

by:
blurterboy earned 400 total points
ID: 10915043
Hi, have you tried auditing System events in the local security policy?
BB
0
 
LVL 1

Author Comment

by:arshaadyar03
ID: 10915071
Yes I have tried that but there is no way to specify logging of server shutdown. You can audit server logon and can set permissions for what groups/users have the right to shutdown.

P.S. I also need to log their remote access via PCAnywhere and Terminal Services.
0
 
LVL 2

Assisted Solution

by:jonpaulr
jonpaulr earned 400 total points
ID: 10915243
AY,

pcAnywhere can use NT Authentication for access; then when the user logs in, it will be shown in the Event Log - Security (if you have "Audit account logon events" enabled, since Microsoft doesn't enable it by default). With this enabled, Terminal Services should show up as well. You can simultaneously enable auditing of system events, and then you will know when the server went down.

Take a look at these 2 links:

http://www.itc.virginia.edu/microsys/guidelines/sg_policies.htm#Auditing

http://networking.earthweb.com/netos/article.php/624921

All the best,

JP
0
 
LVL 1

Author Comment

by:arshaadyar03
ID: 10915283
Thanks for the Feedback JP I will try this in the morning and advise on the outcome.

0
 
LVL 16

Assisted Solution

by:JamesDS
JamesDS earned 400 total points
ID: 10915921
arshaadyar03

Everything you need will be in the security event logs once configured.

This link explains how to set up your logging: http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx

You need to switch on auditing of Privilege Use.

You are looking for Event IDs 577 and 578 with user right SeRemoteShutdownPrivilege or SeShutdownPrivilege access privilege indicated. The SID the user right is assigned to is included in the event details.

Privilege Use makes your logs grow quickly, so make sure they have plenty of space to grow and that you check them regularly.

Cheers

JamesDS
0
 
LVL 85

Assisted Solution

by:oBdA
oBdA earned 400 total points
ID: 10916187
You can disable the permission to shutdown the server for regular users, either with the local security policy, or with a group policy for the systems in question.
For a Group Policy, it's under Computer Configuration\Windows Configuration\Security Settings\Local Policies\User Permissions: System Shutdown (or similar, I'm not using an English version). For a local policy (secpol.msc), it obviously starts at \Local Policies\...
0
 
LVL 8

Assisted Solution

by:RevelationCS
RevelationCS earned 400 total points
ID: 10920357
We have W2K servers running with pcAnywhere on them and everything is logged in the Event Viewer. To see who is shutting down the server, look at the security log... this is taking into account, however, that you don't have pcAnywhere open to access by all users without entering any authentication information. Usually, most people will have it set to use NT Authentication and grant access to the users/groups that need access to the machine...
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 10920386
Also, on another note, to verify when the server was shut down, you should see events in the Event Viewer for the shutdown.. usually there is an event ID of 6006 with the description "The Eventlog service was stopped" just before the system shuts down or restarts....
0
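As an added example (not code from any poster in this thread), the correlation JamesDS and RevelationCS describe, written in Python over constructed sample records: for each 6006 "The Eventlog service was stopped" record, find the most recent 577/578 Privilege Use event within a short window that used SeShutdownPrivilege or SeRemoteShutdownPrivilege, and report its user. The pipe-separated record layout, the account names and the timestamps are assumptions made up for the example; a real Event Viewer export has its own layout and needs its own parser.

```python
"""Correlate Privilege Use audits (577/578) carrying a shutdown privilege with
the Eventlog-stopped record (6006) to name who initiated each shutdown."""
from datetime import datetime, timedelta

SHUTDOWN_PRIVS = {"SeShutdownPrivilege", "SeRemoteShutdownPrivilege"}
PRIV_USE_IDS = {577, 578}        # Privilege Use audits in the Security log
EVENTLOG_STOPPED_ID = 6006       # "The Eventlog service was stopped" (System log)

# Constructed sample records in an assumed "timestamp|log|id|user|detail" layout;
# a real Event Viewer export looks different and must be parsed accordingly.
SAMPLE_LOG = """\
2004-04-25 22:58:10|Security|528|CORP\\jdoe|Successful Logon
2004-04-25 23:01:05|Security|578|CORP\\jdoe|Privileged object operation; Privileges: SeShutdownPrivilege
2004-04-25 23:01:09|System|6006|N/A|The Eventlog service was stopped
2004-04-26 08:20:30|Security|577|CORP\\asmith|Privileged service called; Privileges: SeBackupPrivilege
2004-04-26 18:02:00|Security|577|CORP\\rkhan|Privileged service called; Privileges: SeRemoteShutdownPrivilege
2004-04-26 18:02:03|System|6006|N/A|The Eventlog service was stopped
"""

def parse_records(text):
    """Turn the pipe-separated sample into dicts with a datetime, int id and privilege set."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, log, eid, user, detail = line.split("|", 4)
        privs = set()
        if "Privileges:" in detail:
            privs = {p.strip() for p in detail.split("Privileges:", 1)[1].split(",")}
        records.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "log": log,
                        "id": int(eid), "user": user, "privs": privs})
    return records

def shutdown_initiators(records, window=timedelta(minutes=5)):
    """For each 6006 event return (time, user, privilege) of the latest 577/578 event
    inside `window` that used a shutdown privilege, or (time, None, None) if none
    attributes it (an unattributed stop, e.g. power loss, is still worth reporting)."""
    priv_events = [r for r in records
                   if r["id"] in PRIV_USE_IDS and r["privs"] & SHUTDOWN_PRIVS]
    results = []
    for stop in (r for r in records if r["id"] == EVENTLOG_STOPPED_ID):
        hits = [p for p in priv_events if stop["time"] - window <= p["time"] <= stop["time"]]
        if hits:
            last = max(hits, key=lambda p: p["time"])
            results.append((stop["time"], last["user"], sorted(last["privs"] & SHUTDOWN_PRIVS)[0]))
        else:
            results.append((stop["time"], None, None))
    return results
```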
 
LVL 8

Expert Comment

by:RevelationCS
ID: 10920406
(I apologize for the double post there, IE seemed to have gone berserk on me :) )
0
 
LVL 1

Author Comment

by:arshaadyar03
ID: 10920444
Thanks to you all. I have set up the appropriate auditing parameters and have tested. Now I just need to wait for the user to attempt a shutdown.

Thanks Again,
Arsshaad
0
 
LVL 2

Expert Comment

by:jonpaulr
ID: 10920501
GL! Hopefully the links/instructions I sent last night did the job. -JP
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 12324315
my recommendation would be a split of the points....
0
