Not authorized internal accesses on my pc

Dear *,

At my workplace I'm working within a LAN (behind a firewall). It seems to me that someone internal (but not authorized) has violated my PC, entering with the admin password (stolen somewhere...). I do not know this password since I'm not the administrator; normally I log in with other user privileges.

I'd like to know a method to prove this violation, to reveal past accesses to my machine (logs), possibly using only the command line (I cannot easily install new security detection programs on my PC).

Once I get the IPs that accessed my machine, how can I resolve the names of those machines (i.e. how can I identify the username corresponding to that IP within our LAN)?
I've just tried the 'netstat' command, but I'd like more suggestions from you.

Sorry for these very easy questions, but I'm quite new to security issues...

My PC is running WinXP, while the machine that may have accessed mine could run either Windows or Linux (I don't know).

Moreover, could you please suggest an easy daily method to check for unauthorized external accesses to my PC?


Thanks a lot and Best Regards,
Irene
new_ireneAsked:

rindiCommented:
If you don't have administrative rights yourself, you can't prove anything... You'd have to get your IT department to monitor remote accesses to your PC for you.
0
new_ireneAuthor Commented:
Hi rindi and thanks for answering,

I've asked for administrative rights and I have them now (I simply should not know the admin password; they allow me to log in as administrator).
So what can I do with admin rights?
0
rindiCommented:
If you are running XP Pro (this doesn't work on Home), start mmc from the Run command, then in the tool that opens up select "File", "Add/Remove Snap-in". In the next window click on "Add", then select "Group Policy Object Editor". Again select "Add", then use "Local Computer" and "Finish".

Click on "Close", then on "OK". Now in the resulting window select this new object and click your way through to Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy. Here you can set how your event logs should log events: just double-click the object you want to change the logging for and select which events it should log; for example, for "Audit Logon Events", check "Success" and "Failure". Any logon attempts should now be viewable in the Event Viewer. In the Event Viewer set the event logs to rotate in such a way that logs are kept for, let's say, two or three days. This will ensure that no one can delete the logs without you noticing (you can only delete the complete log, not individual events), so you should have your successful logins in there. If your last logins aren't there, someone was in your system and deleted the logs. Otherwise you should now also see someone else's logon attempts.

You can also download and try Ethereal, a network analyzer which might help you monitor network access to your PC, but it isn't simple to use, so make sure you read the instructions.

http://www.ethereal.com/


0
new_ireneAuthor Commented:
Thanks rindi for your suggestions.
Could you also explain to me why in the Event Viewer I see all the events for the 'Application' and 'System' categories (I mean, they go back years...) while in the 'Security' category I can only see events from today and from one day in 2004...

Moreover... if the 'thief' regularly logs in on my account as administrator, the only way to prove it was not me is the computer name, isn't it?

Thanks and Best Regards,
Irene
0
rindiCommented:
If you right-click and select "Properties" on the Security event log (and also the other sections) you can set how the logs should be kept. These settings are probably different for the different sections. Possible selections are "Overwrite events as needed", "Overwrite events older than (number of) days" and "Do not overwrite events". The last option will eventually fill up your computer if you don't regularly clear the logs yourself; I never use that option.

You can make records of the times when you are logging in and off again. If you can see different successful logon times, there's a "thief" accessing your PC. Or if the Security event log is empty, and you set it to overwrite events every 7 days, and even your successful logons from less than 7 days ago don't show, a thief probably was in the system and cleared the log after exiting.
0
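The two checks rindi describes (spotting logons by another account or from another workstation, and noticing that one's own recorded logins have vanished from the log) as an added example, not code from the thread. It assumes the Security log was exported to a comma-separated text file whose column order is constructed here; the sample rows are made up, and the XP-era event ids 528/540/529/517 are the ones Windows XP uses for interactive logon, network logon, bad password and audit log cleared.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of the XP Security log (made-up data, not from the thread).
# Assumed columns: time, event id, user, domain, logon type, workstation name.
# XP event ids: 528 interactive logon, 540 network logon, 529 bad password, 517 audit log cleared.
SAMPLE_LOG = """\
2006-03-01 08:55:12,528,irene,LAB,2,IRENE-PC
2006-03-01 17:30:44,538,irene,LAB,2,IRENE-PC
2006-03-02 02:14:09,529,Administrator,LAB,3,WKS-77
2006-03-02 02:14:31,540,Administrator,LAB,3,WKS-77
2006-03-02 02:20:05,517,Administrator,LAB,,IRENE-PC
2006-03-02 09:01:03,528,irene,LAB,2,IRENE-PC
"""
LOGON_OK, LOGON_FAIL, LOG_CLEARED = {528, 540}, {529}, {517}

def parse_log(text):
    """Turn exported rows into dicts with a parsed timestamp and an integer event id."""
    events = []
    for time, eid, user, domain, ltype, host in csv.reader(io.StringIO(text)):
        events.append({"time": datetime.strptime(time, "%Y-%m-%d %H:%M:%S"),
                       "id": int(eid), "user": user, "domain": domain,
                       "logon_type": ltype, "host": host})
    return events

def flag_events(events, own_user, own_host):
    """Return (event, reason) pairs worth a look: successful logons that are not
    the owner's own from her own machine, failed logons, and clearing of the log."""
    flagged = []
    for ev in events:
        if ev["id"] in LOGON_OK and (ev["user"] != own_user or ev["host"] != own_host):
            flagged.append((ev, "logon by %s from %s" % (ev["user"], ev["host"])))
        elif ev["id"] in LOGON_FAIL:
            flagged.append((ev, "failed logon for %s from %s" % (ev["user"], ev["host"])))
        elif ev["id"] in LOG_CLEARED:
            flagged.append((ev, "security log cleared by %s" % ev["user"]))
    return flagged

def missing_own_logons(events, own_user, recorded_times, tolerance=timedelta(minutes=2)):
    """rindi's check: each login the owner wrote down should still be in the log.
    A recorded login with no matching 528 within the tolerance suggests the log was cleared."""
    seen = [ev["time"] for ev in events if ev["id"] == 528 and ev["user"] == own_user]
    return [t for t in recorded_times if not any(abs(t - s) <= tolerance for s in seen)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev, why in flag_events(evs, "irene", "IRENE-PC"):
        print(ev["time"], why)
```

Feed `missing_own_logons` the times from your own login diary; anything it returns is a login that should be in the log but is not.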