Solved

Computer access via Event Viewer question

Posted on 2004-10-08
4
156 Views
Last Modified: 2013-12-04
Hello,

There has been some strange activity lately on a network that I work on.  Upon looking at the security log in the Event Viewer, I have been noticing successful logon access from a couple of users to my machine even though they do not have the correct permissions to do so (this is set for admins only).  I looked at other machines in my workcenter and for some strange reason they have been accessed as well by the same users at the same date and time!  Is there a known trojan or spyware that would be doing something like this?  I contacted the two users in question and ran spysweeper on their machines and found nothing out of the norm other than the regular alexa, adclick, etc.  Anybody with a similar experience, please post.  Thanks!

/j
0
Comment
Question by:dev8
  • 2
4 Comments
 
LVL 4

Accepted Solution

by:
WerewolfTA earned 250 total points
ID: 12258411
Hi dev8,

As for your permissions, do you have both of these set to, say, only domain admins & local admins for your computer?

GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies/User Rights Assignment\Access this computer from the network
GPO\Computer Configuration\Windows Settings\Security Settings\Local Policies/User Rights Assignment\Allow log on locally

In and of itself, as for showing up in the event logs of everyone else, I don't believe that's a big deal, unless something's changed as to the pattern, or as you said it's accompanied by strange activity.  Our XP workstations from the day we set them up, before they have time to get any spyware that's not from Microsoft, have always periodically tried to authenticate against all the other machines.  I'd guess that it's enumerating shares or resolving names to ip addresses, although I've never looked into it fully, too much else to do around here.

Do your workstations have strong admin passwords set up?  A lot of the big boys ship workstations with blank admin passwords (God knows why), which is why you can boot into Safe Mode without needing to enter a password.  There are certain to be exploits for that.

I have both of those settings set for just domain admins and builtin/admins, and my security log is full of failures.  I don't see any instances of any other computers authenticating into mine.  That's been my experience, for what it's worth.  Good luck!
0
 
LVL 2

Author Comment

by:dev8
ID: 12259064
Hello WerewolfTA ;)

Domain admins and local admins are set in the "Access this computer from the network" as well as the everyone group but they (everyone) have no active permissions set.  What is wierd is that I had a user try to map to my computer via run and a successful logon attempt showed up in Event Viewer even though they didnt map successfully.  I know this is something in the group policy but our AD group is not being too helpful in trying to fix this !  I know like you said that this might not be a big deal but I am just curious as to why this is happening.  Thanks for any more input you might have!

//j
0
 
LVL 2

Author Comment

by:dev8
ID: 12260016
A bit more info:

The event I am looking at has a successful 538 Event ID (which would be a successful logoff) for a particular user from my system.  I dont understand why this is happening on different machines from the same user at the same time!  Pretty wierd stuff....
0
 
LVL 34

Expert Comment

by:Dave_Dietz
ID: 12264887
You can have a successful logon even if there is nothing a user can access.

If they attempt to connect to a machine and their credentials are valid they will successfully log on.  They may then immediately be denied access to any resources based on ACLs on those resources but they still have to authenticate (log on) before they can be denied access.

Dave Dietz
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question