Solved

Computer access via Event Viewer question

Posted on 2004-10-08
Last Modified: 2013-12-04
Hello,

There has been some strange activity lately on a network that I work on.  Upon looking at the security log in the Event Viewer, I have been noticing successful logon access from a couple of users to my machine even though they do not have the correct permissions to do so (this is set for admins only).  I looked at other machines in my workcenter and for some strange reason they have been accessed as well by the same users at the same date and time!  Is there a known trojan or spyware that would be doing something like this?  I contacted the two users in question and ran spysweeper on their machines and found nothing out of the norm other than the regular alexa, adclick, etc.  Anybody with a similar experience, please post.  Thanks!

/j
Question by:dev8
4 Comments
 
LVL 4

Accepted Solution

by:
WerewolfTA earned 250 total points
ID: 12258411
Hi dev8,

As for your permissions, do you have both of these set to, say, only domain admins & local admins for your computer?

GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

In and of itself, as for showing up in the event logs of everyone else, I don't believe that's a big deal, unless something's changed as to the pattern, or as you said it's accompanied by strange activity.  Our XP workstations from the day we set them up, before they have time to get any spyware that's not from Microsoft, have always periodically tried to authenticate against all the other machines.  I'd guess that it's enumerating shares or resolving names to ip addresses, although I've never looked into it fully, too much else to do around here.

Do your workstations have strong admin passwords set up?  A lot of the big boys ship workstations with blank admin passwords (God knows why), which is why you can boot into Safe Mode without needing to enter a password.  There are certain to be exploits for that.

I have both of those settings set for just domain admins and builtin/admins, and my security log is full of failures.  I don't see any instances of any other computers authenticating into mine.  That's been my experience, for what it's worth.  Good luck!
 
LVL 2

Author Comment

by:dev8
ID: 12259064
Hello WerewolfTA ;)

Domain admins and local admins are set in the "Access this computer from the network" as well as the everyone group but they (everyone) have no active permissions set.  What is weird is that I had a user try to map to my computer via run and a successful logon attempt showed up in Event Viewer even though they didn't map successfully.  I know this is something in the group policy but our AD group is not being too helpful in trying to fix this!  I know like you said that this might not be a big deal but I am just curious as to why this is happening.  Thanks for any more input you might have!

//j
 
LVL 2

Author Comment

by:dev8
ID: 12260016
A bit more info:

The event I am looking at has a successful 538 Event ID (which would be a successful logoff) for a particular user from my system.  I don't understand why this is happening on different machines from the same user at the same time!  Pretty weird stuff...
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12264887
You can have a successful logon even if there is nothing a user can access.

If they attempt to connect to a machine and their credentials are valid they will successfully log on.  They may then immediately be denied access to any resources based on ACLs on those resources but they still have to authenticate (log on) before they can be denied access.

Dave Dietz
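One way to triage what dev8 describes, as an added example that is not code from the thread: the script below works on constructed security-log export lines (host, time, event ID, user, logon type; a column layout assumed here) and does two things the comments point at, finding users whose network logons (event 540, logon type 3) hit several machines at the same moment, and measuring how long each 540 lasted before its matching 538, so that "authenticated, then touched nothing" sessions stand out from real ones.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample (not from the thread): host,time,event_id,user,logon_type;
# pre-Vista IDs: 528 = successful logon, 540 = successful network logon, 538 = logoff
SAMPLE_EVENTS = """\
WS-A,2004-10-07 09:15:02,540,jsmith,3
WS-A,2004-10-07 09:15:02,538,jsmith,3
WS-B,2004-10-07 09:15:02,540,jsmith,3
WS-B,2004-10-07 09:15:02,538,jsmith,3
WS-C,2004-10-07 09:15:03,540,jsmith,3
WS-C,2004-10-07 09:15:03,538,jsmith,3
WS-A,2004-10-07 10:40:11,528,dev8,2
WS-B,2004-10-07 11:02:45,540,mjones,3
WS-B,2004-10-07 11:08:12,538,mjones,3
"""

def parse_events(text):
    """Parse the CSV-style lines into dicts, ordered by time (stable sort keeps logon before logoff)."""
    events = []
    for line in text.strip().splitlines():
        host, ts, eid, user, ltype = line.split(",")
        events.append({"host": host, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user, "type": int(ltype)})
    return sorted(events, key=lambda e: e["time"])

def find_sweeps(events, min_hosts=3, window_seconds=5):
    """Network logons (540/type 3) by one user on >= min_hosts machines within window_seconds."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 540 and e["type"] == 3:
            by_user[e["user"]].append(e)
    sweeps = []
    for user, logons in by_user.items():
        clusters, start = [], None
        for e in logons:
            if start is None or (e["time"] - start).total_seconds() > window_seconds:
                start = e["time"]
                clusters.append((user, start, set()))
            clusters[-1][2].add(e["host"])
        sweeps += [(u, t, sorted(h)) for u, t, h in clusters if len(h) >= min_hosts]
    return sweeps

def session_lengths(events):
    """Pair each 540 with the next 538 for the same host+user. A length near 0 s
    is the 'valid credentials, nothing accessed' case the last comment describes."""
    open_logons, lengths = {}, []
    for e in events:
        key = (e["host"], e["user"])
        if e["id"] == 540:
            open_logons[key] = e["time"]
        elif e["id"] == 538 and key in open_logons:
            lengths.append((*key, (e["time"] - open_logons.pop(key)).total_seconds()))
    return lengths
```

On the sample, jsmith is reported as a three-machine sweep with zero-length sessions, while mjones (one host, five-minute session) and dev8 (interactive 528, not a network logon) are not.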
