Solved

Computer access via Event Viewer question

Posted on 2004-10-08
4
153 Views
Last Modified: 2013-12-04
Hello,

There has been some strange activity lately on a network that I work on.  Upon looking at the security log in the Event Viewer, I have been noticing successful logon access from a couple of users to my machine even though they do not have the correct permissions to do so (this is set for admins only).  I looked at other machines in my workcenter and for some strange reason they have been accessed as well by the same users at the same date and time!  Is there a known trojan or spyware that would be doing something like this?  I contacted the two users in question and ran spysweeper on their machines and found nothing out of the norm other than the regular alexa, adclick, etc.  Anybody with a similar experience, please post.  Thanks!

/j
0
Question by:dev8
4 Comments
 
LVL 4

Accepted Solution

by:
WerewolfTA earned 250 total points
ID: 12258411
Hi dev8,

As for your permissions, do you have both of these set to, say, only domain admins & local admins for your computer?

GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

In and of itself, as for showing up in the event logs of everyone else, I don't believe that's a big deal, unless something's changed as to the pattern, or as you said it's accompanied by strange activity.  Our XP workstations from the day we set them up, before they have time to get any spyware that's not from Microsoft, have always periodically tried to authenticate against all the other machines.  I'd guess that it's enumerating shares or resolving names to IP addresses, although I've never looked into it fully, too much else to do around here.

Do your workstations have strong admin passwords set up?  A lot of the big boys ship workstations with blank admin passwords (God knows why), which is why you can boot into Safe Mode without needing to enter a password.  There are certain to be exploits for that.

I have both of those settings set for just domain admins and builtin/admins, and my security log is full of failures.  I don't see any instances of any other computers authenticating into mine.  That's been my experience, for what it's worth.  Good luck!
0
 
LVL 2

Author Comment

by:dev8
ID: 12259064
Hello WerewolfTA ;)

Domain admins and local admins are set in the "Access this computer from the network" as well as the everyone group, but they (everyone) have no active permissions set.  What is weird is that I had a user try to map to my computer via Run and a successful logon attempt showed up in Event Viewer even though they didn't map successfully.  I know this is something in the group policy, but our AD group is not being too helpful in trying to fix this!  I know, like you said, that this might not be a big deal, but I am just curious as to why this is happening.  Thanks for any more input you might have!

//j
0
 
LVL 2

Author Comment

by:dev8
ID: 12260016
A bit more info:

The event I am looking at has a successful 538 Event ID (which would be a successful logoff) for a particular user from my system.  I don't understand why this is happening on different machines from the same user at the same time!  Pretty weird stuff...
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12264887
You can have a successful logon even if there is nothing a user can access.

If they attempt to connect to a machine and their credentials are valid they will successfully log on.  They may then immediately be denied access to any resources based on ACLs on those resources but they still have to authenticate (log on) before they can be denied access.

Dave Dietz
0
