
Unauthorized user used admin account to clear log file, recovery possible?

An unauthorized user used the admin account to clear the log file after deleting some files. Is it possible to back track the user from the logoff event?

Brian Pierce, Photographer
CERTIFIED EXPERT
Awarded 2007
Top Expert 2008

Commented:
The fact that the security log was cleared and by whom is recorded in the security log.
Bill Tonkin, M.S., IT Manager

Author

Commented:
It was cleared by "administrator", 20 seconds or so before "administrator" logged off. Only a few people are known to have the password, accounts lock after 5 failed attempts, and the password was 8 numbers, letters, and symbols. All I have is the Client Logon ID as declared in the logoff event.
Photographer
CERTIFIED EXPERT
Awarded 2007
Top Expert 2008
Commented:
If the "administrator" account is being used then there is no way to tell who logged in as administrator. You should really not use the "administrator" account and disable it. Each admin should be given their own account with administrator privileges - that way you can track who does what.
Bill Tonkin, M.S., IT Manager

Author

Commented:
Yeah, I know, and that is happening, but that was not the case a few days ago. I was/am hoping it would be possible to track back to an IP from some other log file, such as the DC.
Brian Pierce, Photographer
CERTIFIED EXPERT
Awarded 2007
Top Expert 2008

Commented:
The logoff event may indicate which PC was used, but even with that, tracking down which user will be impossible.
CERTIFIED EXPERT

Commented:
Step 1. Change the administrator account password.
Then...
If only a few people are known to have the password, I would start by questioning them.
If it was someone intentionally trying to hack the box, then they may have cleared the log because of trying to cover their tracks. However, if that was the case, then the failed attempt lockout should have kicked in. So it's very likely that this was a person that knew the password.

As a follow-up to what KCTS mentioned, as a best practice, you should always rename the administrator account to something obscure, disable that account, and then create other admin accounts for each admin, with each of those accounts a member of the administrators group.
Bill Tonkin, M.S., IT Manager

Author

Commented:
The person had to have known the password as it was a pretty good one, but it has been disabled and renamed and the password changed. But I'd still like to figure out where this came from. If it's not possible to back track it within the Windows domain I guess I am SOL.
thx
CERTIFIED EXPERT

Commented:
If you had additional auditing turned on for specific events you may have been able to catch it, but then since the security log was cleared, even the auditing information would have been wiped.

You mentioned looking at a DC. So I'm assuming that this machine was not a DC. However, they were using the administrator account, which would have been local to the machine (unless you actually have a domain account called administrator).

If they logged in locally, then the DC would have no record.
Bill Tonkin, M.S., IT Manager

Author

Commented:
They logged on as domain\administrator, and the machine in question was a TS, not a DC. On the DC I see they authenticated to the TS, but it doesn't say the source IP, just the TS IP.
Brian Pierce, Photographer
CERTIFIED EXPERT
Awarded 2007
Top Expert 2008

Commented:
This is a question to which the answer is "you can't" - it works that way sometimes.
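The dead end the thread reaches can be shown with a small correlation script: the Logon ID in the logoff event only leads somewhere if the logon event (which carries the client IP and workstation name) still exists in the same machine's log, and that is exactly what the clear removed. This is an added example, not code from the thread; it assumes Vista-and-later Security event IDs (1102 log cleared, 4624 logon, 4634 logoff) and constructed sample records, and demonstrates that the source is recoverable only from a copy of the log captured before the clear, such as a forwarded-event collector.

```python
"""Correlate a Security-log 'cleared' event with the session that did it.

Constructed sample events modelled on Windows Security log fields
(assumed Vista+ IDs: 4624 logon, 4634 logoff, 1102 audit log cleared).
Logon IDs are only meaningful within the log of the machine that issued
them, so the lookup must be done against that machine's log (or a copy).
"""
from typing import Optional

# Constructed: what remains in the terminal server's own Security log
# AFTER it was cleared. Only the clear event and the later logoff survive.
TS_LOG_AFTER_CLEAR = [
    {"id": 1102, "time": "2008-01-01T09:00:20", "SubjectUserName": "administrator",
     "SubjectDomainName": "DOMAIN", "SubjectLogonId": "0x3e7a2"},
    {"id": 4634, "time": "2008-01-01T09:00:40", "TargetUserName": "administrator",
     "TargetLogonId": "0x3e7a2", "LogonType": 10},
]

# Constructed: the same session as captured by a forwarding collector
# BEFORE the clear, so the 4624 (type 10 = RemoteInteractive/TS) is present.
COLLECTOR_COPY = [
    {"id": 4624, "time": "2008-01-01T08:52:03", "TargetUserName": "administrator",
     "TargetDomainName": "DOMAIN", "TargetLogonId": "0x3e7a2", "LogonType": 10,
     "IpAddress": "192.0.2.77", "WorkstationName": "WS-CONSTRUCTED"},
] + TS_LOG_AFTER_CLEAR


def source_for_logon_id(events, logon_id) -> Optional[dict]:
    """Return the 4624 fields naming where the session came from, or None
    when the logon event is no longer in this log (e.g. it was cleared)."""
    for e in events:
        if e["id"] == 4624 and e["TargetLogonId"] == logon_id:
            return {"ip": e["IpAddress"], "workstation": e["WorkstationName"],
                    "logon_type": e["LogonType"], "time": e["time"]}
    return None


def who_cleared(events) -> list:
    """For each 1102, resolve the clearing session back to its source."""
    results = []
    for clr in (e for e in events if e["id"] == 1102):
        lid = clr["SubjectLogonId"]
        results.append({"cleared_at": clr["time"], "account": clr["SubjectUserName"],
                        "logon_id": lid, "source": source_for_logon_id(events, lid)})
    return results


if __name__ == "__main__":
    print(who_cleared(TS_LOG_AFTER_CLEAR))  # source is None: the 4624 was wiped
    print(who_cleared(COLLECTOR_COPY))      # source recovered from the forwarded copy
```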

Commented:
Force accepted.
Vee_Mod
Community Support Moderator
