• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 269
  • Last Modified:

Unauthorized user used admin account to clear log file, recovery possible?

An unauthorized user used the admin account to clear the log file after deleting some files. Is it possible to back track the user from the logoff event?
0
Asked: Bill Tonkin, M.S.
1 Solution
 
KCTS commented:
The fact that the security log was cleared and by whom is recorded in the security log.
0
 
Bill Tonkin, M.S. (IT Manager, Author) commented:
It was cleared by "administrator", 20 seconds or so before "administrator" logged off. Only a few people are known to have the password, accounts lock after 5 failed attempts, and the password was 8 numbers, letters, and symbols. All I have is the Client Logon ID as declared in the logoff event.
0
 
KCTS commented:
If the "administrator" account is being used then there is no way to tell who logged in as administrator. You should really not use the "administrator" account and disable it. Each admin should be given their own account with administrator privileges - that way you can track who does what.
0
 
Bill Tonkin, M.S. (IT Manager, Author) commented:
Yeah, I know, and that is happening, but that was not the case a few days ago. I was/am hoping it would be possible to track back to an IP from some other log file, such as the DC.
0
 
KCTS commented:
The logoff event may indicate which PC was used, but even with that, tracking down which user will be impossible.
0
 
dhoffman_98 commented:
Step 1. Change the administrator account password.
Then...
If only a few people are known to have the password, I would start by questioning them.
If it was someone intentionally trying to hack the box, then they may have cleared the log because of trying to cover their tracks. However, if that was the case, then the failed attempt lockout should have kicked in. So it's very likely that this was a person that knew the password.

As a follow-up to what KCTS mentioned, as a best practice, you should always rename the administrator account to something obscure, disable that account, and then create other admin accounts for each admin, with each of those accounts a member of the administrators group.
0
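The account hygiene that KCTS and dhoffman_98 describe above (rename and disable the built-in administrator, give each admin a personal account in the administrators group), as an added PowerShell example that is not code from the thread or its posters. It assumes the ActiveDirectory module and Domain Admin rights, and locates the built-in account by its well-known RID rather than its name so the script still works after the rename. The function name, the `svc-builtin-admin` placeholder and the admin names in the usage call are my own.

```powershell
# Added example, not from the thread. Replaces shared use of the built-in domain
# Administrator with named, individually accountable admin accounts.
# Assumes: ActiveDirectory module, Domain Admin rights. Names are placeholders.
Import-Module ActiveDirectory

function Set-NamedAdminAccounts {
    param(
        [Parameter(Mandatory)][string[]]$AdminNames,   # e.g. 'alice-adm','bob-adm'
        [string]$AdminGroup     = 'Domain Admins',      # or 'Administrators'
        [string]$RenamedBuiltin = 'svc-builtin-admin'   # placeholder name
    )

    # 1. Find the built-in Administrator by its well-known RID (500), not by name.
    $builtinSid = "$((Get-ADDomain).DomainSID.Value)-500"
    $builtin    = Get-ADUser -Identity $builtinSid

    # 2. Reset its password first: a disabled domain Administrator can still log on
    #    to a DC in safe mode, so the old password must not survive the cleanup.
    $newPw = Read-Host -Prompt 'New password for built-in Administrator' -AsSecureString
    Set-ADAccountPassword -Identity $builtinSid -Reset -NewPassword $newPw

    # 3. Rename it to something obscure and disable it. Re-resolve by SID after the
    #    rename because the cached object's distinguished name is now stale.
    if ($builtin.SamAccountName -ne $RenamedBuiltin) {
        Set-ADUser -Identity $builtinSid -SamAccountName $RenamedBuiltin -DisplayName $RenamedBuiltin
        Rename-ADObject -Identity $builtin.DistinguishedName -NewName $RenamedBuiltin
    }
    Disable-ADAccount -Identity $builtinSid

    # 4. One account per admin, each with its own password, each in the admin group,
    #    so the Security log names a person rather than "administrator".
    foreach ($name in $AdminNames) {
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
            $pw = Read-Host -Prompt "Initial password for $name" -AsSecureString
            New-ADUser -Name $name -SamAccountName $name -AccountPassword $pw `
                -Enabled $true -ChangePasswordAtLogon $true
        }
        Add-ADGroupMember -Identity $AdminGroup -Members $name
    }
}

# Usage (placeholder names):
Set-NamedAdminAccounts -AdminNames 'alice-adm', 'bob-adm'
```

Keep the new password for the renamed built-in account sealed away as a break-glass credential; after this change any "administrator" logon in the Security log is itself worth investigating, since nobody should be using it day to day.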
 
Bill Tonkin, M.S. (IT Manager, Author) commented:
The person had to have known the password as it was a pretty good one, but it has been disabled and renamed and the password changed. But I'd still like to figure out where this came from. If it's not possible to back track it within the Windows domain I guess I am SOL.
thx
0
 
dhoffman_98 commented:
If you had additional auditing turned on for specific events you may have been able to catch it, but then since the security log was cleared, even the auditing information would have been wiped.

You mentioned looking at a DC. So I'm assuming that this machine was not a DC. However, they were using the administrator account, which would have been local to the machine (unless you actually have a domain account called administrator).

If they logged in locally, then the DC would have no record.
0
 
Bill Tonkin, M.S. (IT Manager, Author) commented:
They logged on as domain\administrator, and the machine in question was a TS, not a DC. On the DC I see they authenticated to the TS, but it doesn't say the source IP, just the TS IP.
0
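What KCTS says survives a log clear (the clear event itself, naming the account and its Logon ID) and what the author is left with (a Logon ID from the logoff event), as an added PowerShell example that is not code from the thread or its posters. It walks from the clear record to the logon session via the Logon ID and reports the logon type, source workstation and source address if the matching logon record still exists. It assumes Windows Vista/2008-or-later event IDs (1102 log cleared, 4624 logon, 4634 logoff; the Windows 2003 equivalents are 517, 528/540 and 538) and rights to read the Security log on the terminal server. The function name and parameter are my own.

```powershell
# Added example, not from the thread. Walks from the "audit log was cleared"
# record to the session that cleared it. Event IDs are Vista/2008+ values.
function Get-LogClearSession {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # 1. The clear event is the first record in the fresh log, so it survives the
    #    clear. Its UserData carries the account name and the session's Logon ID.
    $clear = Get-WinEvent -ComputerName $ComputerName `
        -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction Stop
    $ud      = ([xml]$clear.ToXml()).Event.UserData.LogFileCleared
    $logonId = $ud.SubjectLogonId

    # 2. A 4624 (logon) event with the same Logon ID holds the logon type, source
    #    workstation and source address. It exists only if the log on this machine
    #    was not cleared, or was forwarded to a collector before the clear.
    $xp    = "*[System[(EventID=4624)]] and *[EventData[Data[@Name='TargetLogonId']='$logonId']]"
    $logon = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xp `
        -ErrorAction SilentlyContinue | Select-Object -First 1
    $ed = @{}
    if ($logon) {
        foreach ($d in ([xml]$logon.ToXml()).Event.EventData.Data) { $ed[$d.Name] = $d.'#text' }
    }

    # 3. The matching 4634 (logoff) is usually written seconds after the clear; it
    #    confirms when the session ended but carries no source address of its own.
    $xp     = "*[System[(EventID=4634)]] and *[EventData[Data[@Name='TargetLogonId']='$logonId']]"
    $logoff = Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xp `
        -ErrorAction SilentlyContinue | Select-Object -First 1

    [pscustomobject]@{
        ClearedAt         = $clear.TimeCreated
        ClearedBy         = "$($ud.SubjectDomainName)\$($ud.SubjectUserName)"
        LogonId           = $logonId
        LogonType         = $ed['LogonType']        # 10 = RemoteInteractive (RDP/TS session)
        SourceWorkstation = $ed['WorkstationName']  # empty when the 4624 was wiped
        SourceIp          = $ed['IpAddress']        # empty when the 4624 was wiped
        LoggedOffAt       = $(if ($logoff) { $logoff.TimeCreated })
    }
}

Get-LogClearSession | Format-List
```

On the terminal server the 4624 is the record that was wiped, which is why SourceWorkstation and SourceIp come back empty there. Running the same lookup against the DC finds the network logon the TS performed on the user's behalf, whose source address is the TS itself, which is exactly what the author reports seeing. The detection lesson is that a 1102 on a member server should be forwarded to a collector or alerted on immediately, because once it is the only record left, the source of the session cannot be recovered from that machine.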
 
KCTS commented:
This is a question to which the answer is "you can't" - it works that way sometimes.
0
 
Vee_Mod commented:
Force accepted.
Vee_Mod
Community Support Moderator
0
