Solved

Computer access via Event Viewer question

Posted on 2004-10-08
4
155 Views
Last Modified: 2013-12-04
Hello,

There has been some strange activity lately on a network that I work on.  Upon looking at the security log in the Event Viewer, I have been noticing successful logon access from a couple of users to my machine even though they do not have the correct permissions to do so (this is set for admins only).  I looked at other machines in my workcenter and for some strange reason they have been accessed as well by the same users at the same date and time!  Is there a known trojan or spyware that would be doing something like this?  I contacted the two users in question and ran spysweeper on their machines and found nothing out of the norm other than the regular alexa, adclick, etc.  Anybody with a similar experience, please post.  Thanks!

/j
0
Comment
Question by:dev8
  • 2
4 Comments
 
LVL 4

Accepted Solution

by:
WerewolfTA earned 250 total points
ID: 12258411
Hi dev8,

As for your permissions, do you have both of these set to, say, only domain admins & local admins for your computer?

GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies/User Rights Assignment\Access this computer from the network
GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies/User Rights Assignment\Allow log on locally

In and of itself, as for showing up in the event logs of everyone else, I don't believe that's a big deal, unless something's changed as to the pattern, or as you said it's accompanied by strange activity.  Our XP workstations from the day we set them up, before they have time to get any spyware that's not from Microsoft, have always periodically tried to authenticate against all the other machines.  I'd guess that it's enumerating shares or resolving names to ip addresses, although I've never looked into it fully, too much else to do around here.

Do your workstations have strong admin passwords set up?  A lot of the big boys ship workstations with blank admin passwords (God knows why), which is why you can boot into Safe Mode without needing to enter a password.  There are certain to be exploits for that.

I have both of those settings set for just domain admins and builtin/admins, and my security log is full of failures.  I don't see any instances of any other computers authenticating into mine.  That's been my experience, for what it's worth.  Good luck!
0
 
LVL 2

Author Comment

by:dev8
ID: 12259064
Hello WerewolfTA ;)

Domain admins and local admins are set in the "Access this computer from the network" as well as the everyone group but they (everyone) have no active permissions set.  What is wierd is that I had a user try to map to my computer via run and a successful logon attempt showed up in Event Viewer even though they didnt map successfully.  I know this is something in the group policy but our AD group is not being too helpful in trying to fix this !  I know like you said that this might not be a big deal but I am just curious as to why this is happening.  Thanks for any more input you might have!

//j
0
 
LVL 2

Author Comment

by:dev8
ID: 12260016
A bit more info:

The event I am looking at has a successful 538 Event ID (which would be a successful logoff) for a particular user from my system.  I dont understand why this is happening on different machines from the same user at the same time!  Pretty wierd stuff....
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12264887
You can have a successful logon even if there is nothing a user can access.

If they attempt to connect to a machine and their credentials are valid they will successfully log on.  They may then immediately be denied access to any resources based on ACLs on those resources but they still have to authenticate (log on) before they can be denied access.

Dave Dietz
0

Featured Post

Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question