Computer access via Event Viewer question

Hello,

There has been some strange activity lately on a network that I work on.  Upon looking at the security log in the Event Viewer, I have been noticing successful logon access from a couple of users to my machine even though they do not have the correct permissions to do so (this is set for admins only).  I looked at other machines in my workcenter and for some strange reason they have been accessed as well by the same users at the same date and time!  Is there a known trojan or spyware that would be doing something like this?  I contacted the two users in question and ran spysweeper on their machines and found nothing out of the norm other than the regular alexa, adclick, etc.  Anybody with a similar experience, please post.  Thanks!

/j
Asked by dev8
WerewolfTA commented:
Hi dev8,

As for your permissions, do you have both of these set to, say, only domain admins & local admins for your computer?

GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies/User Rights Assignment\Access this computer from the network
GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies/User Rights Assignment\Allow log on locally

In and of itself, as for showing up in the event logs of everyone else, I don't believe that's a big deal, unless something's changed as to the pattern, or as you said it's accompanied by strange activity.  Our XP workstations from the day we set them up, before they have time to get any spyware that's not from Microsoft, have always periodically tried to authenticate against all the other machines.  I'd guess that it's enumerating shares or resolving names to ip addresses, although I've never looked into it fully, too much else to do around here.

Do your workstations have strong admin passwords set up?  A lot of the big boys ship workstations with blank admin passwords (God knows why), which is why you can boot into Safe Mode without needing to enter a password.  There are certain to be exploits for that.

I have both of those settings set for just domain admins and builtin/admins, and my security log is full of failures.  I don't see any instances of any other computers authenticating into mine.  That's been my experience, for what it's worth.  Good luck!
 
dev8 (author) commented:
Hello WerewolfTA ;)

Domain admins and local admins are set in the "Access this computer from the network" as well as the everyone group but they (everyone) have no active permissions set.  What is weird is that I had a user try to map to my computer via run and a successful logon attempt showed up in Event Viewer even though they didn't map successfully.  I know this is something in the group policy but our AD group is not being too helpful in trying to fix this!  I know like you said that this might not be a big deal but I am just curious as to why this is happening.  Thanks for any more input you might have!

//j
 
dev8 (author) commented:
A bit more info:

The event I am looking at has a successful 538 Event ID (which would be a successful logoff) for a particular user from my system.  I don't understand why this is happening on different machines from the same user at the same time!  Pretty weird stuff....
 
Dave_Dietz commented:
You can have a successful logon even if there is nothing a user can access.

If they attempt to connect to a machine and their credentials are valid they will successfully log on.  They may then immediately be denied access to any resources based on ACLs on those resources but they still have to authenticate (log on) before they can be denied access.

Dave Dietz
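The pattern the asker describes (the same account producing logon/logoff pairs on several workstations within a second or two) is easy to confirm or rule out once the Security logs from the affected machines are exported and merged. The script below is an added example written for this thread, not code posted by any participant. It reads a CSV in the column layout Event Viewer produces with "Save Log File As... CSV" on XP/2003 (Type, Date, Time, Source, Category, Event, User, Computer), groups successful network logons (Event ID 540 on XP/2003; 538 is the logoff the asker saw) per account into short bursts, and flags any burst that touched more than one host. It also pairs each logon with the following logoff on the same host, which makes Dave's point visible: a credential check followed by an immediate disconnect shows up as a 540/538 pair a second apart with nothing in between. The log lines, account names, host names and the five-second burst window are all constructed for the example.

```python
"""
Correlate successful logon/logoff events exported from several machines'
Security logs and flag accounts that hit many hosts at the same moment.

Added example for the thread above; not code from any participant.
Input shape is the Event Viewer CSV export on Windows XP / 2003:
    Type,Date,Time,Source,Category,Event,User,Computer
Event IDs used: 540 = successful network logon, 538 = user logoff,
529 = logon failure (XP/2003 numbering). All sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account touching three workstations within two
# seconds, one normal admin logon, and one failed logon for contrast.
SAMPLE_CSV = """Type,Date,Time,Source,Category,Event,User,Computer
Success Audit,5/3/2005,9:02:14 AM,Security,Logon/Logoff,540,CORP\\jsmith,WS-DEV8
Success Audit,5/3/2005,9:02:14 AM,Security,Logon/Logoff,538,CORP\\jsmith,WS-DEV8
Success Audit,5/3/2005,9:02:15 AM,Security,Logon/Logoff,540,CORP\\jsmith,WS-ACCT2
Success Audit,5/3/2005,9:02:15 AM,Security,Logon/Logoff,538,CORP\\jsmith,WS-ACCT2
Success Audit,5/3/2005,9:02:15 AM,Security,Logon/Logoff,540,CORP\\jsmith,WS-HR1
Success Audit,5/3/2005,9:02:16 AM,Security,Logon/Logoff,538,CORP\\jsmith,WS-HR1
Success Audit,5/3/2005,10:41:09 AM,Security,Logon/Logoff,540,CORP\\Administrator,WS-DEV8
Success Audit,5/3/2005,10:41:09 AM,Security,Logon/Logoff,538,CORP\\Administrator,WS-DEV8
Failure Audit,5/3/2005,11:05:00 AM,Security,Logon/Logoff,529,CORP\\bjones,WS-DEV8
"""


def parse_events(csv_text):
    """Turn the exported CSV into a list of dicts with a real timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({
            "ts": ts,
            "audit": row["Type"],          # "Success Audit" / "Failure Audit"
            "event_id": int(row["Event"]),
            "user": row["User"],
            "computer": row["Computer"],
        })
    return events


def logon_bursts(events, event_id=540, window=timedelta(seconds=5)):
    """Group each account's successful logons into bursts that start within
    `window` of the burst's first event. Returns (user, start, hosts) tuples."""
    per_user = defaultdict(list)
    for e in events:
        if e["audit"] == "Success Audit" and e["event_id"] == event_id:
            per_user[e["user"]].append(e)

    bursts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, hosts = None, set()
        for e in evs:
            if start is not None and e["ts"] - start > window:
                bursts.append((user, start, tuple(sorted(hosts))))
                start, hosts = None, set()
            if start is None:
                start = e["ts"]
            hosts.add(e["computer"])
        if start is not None:
            bursts.append((user, start, tuple(sorted(hosts))))
    return bursts


def multi_host_bursts(bursts, min_hosts=2):
    """The bursts worth a closer look: one account, several hosts, one moment."""
    return [b for b in bursts if len(b[2]) >= min_hosts]


def session_lengths(events):
    """Pair each 540 with the next 538 for the same user on the same host and
    return (user, computer, seconds). Near-zero lengths are authenticate-then-
    disconnect sessions, not interactive use."""
    open_logons = {}
    lengths = []
    for e in sorted(events, key=lambda e: e["ts"]):   # stable: 540 stays before 538
        key = (e["user"], e["computer"])
        if e["event_id"] == 540 and e["audit"] == "Success Audit":
            open_logons[key] = e["ts"]
        elif e["event_id"] == 538 and key in open_logons:
            seconds = (e["ts"] - open_logons.pop(key)).total_seconds()
            lengths.append((e["user"], e["computer"], seconds))
    return lengths


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for user, start, hosts in multi_host_bursts(logon_bursts(evs)):
        print(f"{start:%Y-%m-%d %H:%M:%S} {user} -> {len(hosts)} hosts: {', '.join(hosts)}")
    for user, host, secs in session_lengths(evs):
        print(f"{user}@{host}: session lasted {secs:.0f}s")
```

Run against a real export, the multi-host bursts are the rows to chase: a burst of sub-second sessions across many hosts from one account matches the share-enumeration behaviour WerewolfTA describes, while the same shape from an account that should never reach those hosts is what the "Access this computer from the network" right is meant to stop.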