Solved

Tracing computer log in.

Posted on 2006-10-20
Last Modified: 2013-12-04
I had this workstation DDY0XS81 log on to the local administrator account of 11 out of 75 domain computers on the same subnet within 3 minutes. The workstation named is not a member of the domain. There was no other activity that raised any red flags such as any failed log in attempts beforehand. The event log entry shown below shows no IP address to trace the computer back to. Help!

Successful Network Logon:
       User Name:      Administrator
       Domain:            ADMINSEC2
       Logon ID:            (0x0,0x1EC7FB)
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      DDY0XS81
       Logon GUID:      {00000000-0000-0000-0000-000000000000}
Question by:mikegaston3127
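One way to catch the pattern the question describes automatically, as an added example that is not code from this thread: it parses the text of NT 5.x "Successful Network Logon" events collected from several machines' Security logs and flags any workstation name whose type-3 logons reach many hosts inside a short window. The field names come from the event shown above; the timestamps and event bodies are constructed sample data, and the window and host threshold are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields we need from the text body of a "Successful Network Logon" event.
FIELD_RE = re.compile(
    r"^\s*(User Name|Logon Type|Workstation Name):\s*(.+?)\s*$", re.M)

TEMPLATE = """Successful Network Logon:
       User Name:      {user}
       Domain:            {domain}
       Logon Type:      {ltype}
       Workstation Name:      {ws}
"""

def parse_event(body):
    """Pull the interesting fields out of one event body."""
    return dict(FIELD_RE.findall(body))

def logon_fanout(records, window=timedelta(minutes=3), min_hosts=5):
    """records: (host, datetime, event_body) gathered from several Security
    logs.  Flags any (workstation, user) pair whose type-3 logons reach at
    least min_hosts distinct hosts inside one window-long span."""
    by_ws = defaultdict(list)
    for host, when, body in records:
        f = parse_event(body)
        if f.get("Logon Type") == "3":
            by_ws[(f.get("Workstation Name", ""), f.get("User Name", ""))].append((when, host))
    alerts = []
    for (ws, user), events in by_ws.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window forward
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((ws, user, start, sorted(hosts)))
                break
    return alerts

def sample_records():
    """Constructed sample, not real logs: six hosts in ~2 min, one share access, one type-2."""
    t0 = datetime(2006, 10, 20, 9, 0, 0)
    recs = [(f"PC{i:02d}", t0 + timedelta(seconds=25 * i),
             TEMPLATE.format(user="Administrator", domain=f"PC{i:02d}",
                             ltype=3, ws="DDY0XS81")) for i in range(1, 7)]
    recs.append(("FILESRV", t0 + timedelta(hours=1),
                 TEMPLATE.format(user="jsmith", domain="CORP", ltype=3, ws="PC07")))
    recs.append(("PC09", t0, TEMPLATE.format(user="Administrator", domain="PC09",
                                             ltype=2, ws="PC09")))
    return recs
```

Feeding it the real event text from each machine (with the Event Viewer timestamp) turns the "11 of 75 in 3 minutes" observation into a repeatable alert rather than something noticed by hand.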
8 Comments
LVL 7

Expert Comment

by:Chatable
ID: 17777072
I'm not sure if there's anything you can do now about this past event but you may want to set up an IDS and/or other monitoring tools for the next time it happens.
LVL 9

Expert Comment

by:bigjimbo813
ID: 17777670
As mentioned, an IDS is your only option as of now for future occurrences. Most likely someone ran a password cracker on a machine to find the admin password, then executed some script to connect to admin shares.

I would run a script to change your local admin passwords. Then run an IDS to see if it happens again.

This is where BIOS security comes into play. Password-protect the BIOS and disable booting to floppy, CD-ROMs as well as USB devices.
LVL 9

Expert Comment

by:bigjimbo813
ID: 17777680
Another measure is to disable all local admin accounts. Have only specified domain groups in the local admin group.
LVL 7

Expert Comment

by:Chatable
ID: 17778044
bigjimbo813 - I don't think the local admin account can be disabled, and even if it can, it's not recommended. You never know when your DC's gonna crash, leaving you with no way of accessing your computers.
I believe the solution to avoid such cases is simply to use a really strong password for the admin accounts - and a different one for each computer (since getting the admin password of the local machine is easy if you know how). If you insist you can also rename the administrator account - however, this is only good in a non-domain environment, since any domain user can get the user list of every computer in the domain.
LVL 16

Expert Comment

by:legalsrl
ID: 17779317
Are you running a wifi network ?

If so, I'd change the Security codes on the Wifi network.

Why can't you ping the workstation to resolve the name to its IP address? It's got the name registered, so presumably the DNS server will know what IP address it has, or even look at the DHCP server to see its MAC address, then use MAC address filtering to block it from the network.

Cheers
Si
LVL 9

Assisted Solution

by:bigjimbo813
bigjimbo813 earned 200 total points
ID: 17781198
How to disable local admin accounts:

How to Disable the Local Administrator Account on Windows XP
Note Before you disable the local Administrator account, make sure that there is at least one other local or network user who can gain access to the computer with administrator permissions. Otherwise, you will not be able to reverse this action in the future.
1.      Log on as Administrator, or as a user with administrator permissions.
2.      Right-click My Computer, and then click Manage.
3.      In the left pane, expand the Local Users and Groups node, and then click Users.
4.      In the right pane, double-click the Administrator account.
5.      On the General tab, select the Account is disabled check box, and then click OK.
6.      Quit the Computer Management console. The new setting takes effect the next time you attempt to log on to this computer.

How to Deny Access to the Local Administrator on Windows 2000
In Windows 2000, you cannot disable built-in accounts. However, you can deny access to the local Administrator account by modifying the local security settings.

Note: Before you follow these steps, make sure that there is at least one other local or network user who can gain access to the computer with administrator permissions.
1.      Log on as Administrator, or as a user with administrator permissions.
2.      Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
3.      In the left pane, expand the Local Policies node, and then click User Rights Assignment.
4.      In the right pane, double-click Deny access to this computer from the network.
5.      In Local Security Policy Setting, click Add.
6.      In the Users and Groups box, click the Administrator account, and then click Add.
7.      Click OK, click OK, and then quit the Local Security Settings console. You must restart your computer for the new security setting to take effect.

http://support.microsoft.com/kb/281140
LVL 38

Accepted Solution

by:Rich Rumble (earned 300 total points)
ID: 17786276
This box could have been a Linux box, a rogue Windows laptop, a wireless "vampire" leeching on your network. There are tools that can help, and procedures and protocols to help prevent this in the future. Logon type 3, however, is a share or printer connection.
===========================
Logon Type 3 – Network
Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.)
http://www.windowsecurity.com/articles/Logon-Types.html
===========================
The local admin account can be disabled; I don't think it's necessary. Rename the local admin accounts, and use different passwords for each local admin account if possible.

Rogue PC/laptop prevention, 802.1x http://www.microsoft.com/technet/community/columns/secmgmt/sm0805.mspx
The drawback is that most printers or hubs don't understand 802.1x, and if a laptop is plugged into a port where the printer was, 802.1x is not a factor. Some printers do support it, as well as being joined to the domain!
IDS such as Snort, and/or a program like GFI's SELM and/or Snare to monitor event logs in real time to alert you of this sort of thing
http://www.gfi.com/lanselm/  http://www.intersectalliance.com/projects/index.html
Windows event logs do not log IPs, but machine names, if present. Samba allows you to have no name, and Windows, I think, will allow your PC to be named " " (spacebar, whitespace).
XP Pro and 2003 keep IP logs, however: you can simply open the firewall, Advanced, Security Logging, choose Settings, and check-mark Log successful connections.
-rich
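Once successful connections are being logged as Rich describes, the firewall log carries the source IP that the Security event lacks. An added example, not code from this thread: it reads a pfirewall.log, taking the column names from the file's own #Fields header rather than hard-coding positions, and lists the inbound SMB sources seen close to the time of the logon event. The log lines are constructed, and the OPEN-INBOUND/RECEIVE markers are assumed to match the XP SP2 / 2003 layout.

```python
from datetime import datetime, timedelta

# Constructed sample in the layout Windows Firewall writes to pfirewall.log
# once "log successful connections" is ticked (assumed XP SP2 / 2003 format).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-10-20 09:00:03 OPEN-INBOUND TCP 192.168.1.77 192.168.1.21 1043 445 - - - - - - - - RECEIVE
2006-10-20 09:00:04 OPEN TCP 192.168.1.21 192.168.1.5 1055 80 - - - - - - - - SEND
2006-10-20 09:00:30 DROP UDP 192.168.1.90 192.168.1.21 137 137 78 - - - - - - - RECEIVE
2006-10-20 09:20:00 OPEN-INBOUND TCP 192.168.1.12 192.168.1.21 2044 139 - - - - - - - - RECEIVE
"""

SMB_PORTS = {"445", "139"}   # direct-hosted SMB and NetBIOS session service
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_pfirewall(text):
    """Yield one dict per data row, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def smb_sources_near(text, event_time, slack_seconds=30):
    """Source IPs that opened an inbound SMB session within slack_seconds of
    the Security-log event time (given as 'YYYY-MM-DD HH:MM:SS'): these are
    the candidates for the workstation the event names but does not address."""
    target = datetime.strptime(event_time, TIME_FMT)
    slack = timedelta(seconds=slack_seconds)
    hits = set()
    for row in parse_pfirewall(text):
        inbound = row["action"].startswith("OPEN") and row["path"] == "RECEIVE"
        if not inbound or row["dst-port"] not in SMB_PORTS:
            continue
        when = datetime.strptime(f"{row['date']} {row['time']}", TIME_FMT)
        if abs(when - target) <= slack:
            hits.add(row["src-ip"])
    return sorted(hits)
```

The IP recovered this way can then be checked against the DHCP lease table for a MAC address, as legalsrl suggests above.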

Author Comment

by:mikegaston3127
ID: 17792041
The computer was a new install that my tech was installing network printers on. The name threw me as we had re-named it during the domain join. Not sure why it kept the ID after the join. Thanks for all the help.