Solved

Can I see who and when someone has logged onto a server or PC in the network

Posted on 2010-08-16
5
1,099 Views
Last Modified: 2013-12-04
hi all,

I have a new client who has a SBS2008 network, pretty straightforward setup, half a dozen workstations or so and remote access via Remote Web Workplace and RDP to the SBS box enabled.

the boss thinks that someone has accessed confidential information on the server from outside the network.  He suspects they have either connected to the server via RDP or another pc via RWW with his account or the administrator account and viewed documents in a shared folder on the server that are restricted to his logon and the admin logon.

He has asked me to find out what i can about any unauthorised remote access.   He wants to know if I can tell what IP addresses have accessed the server from outside (via RWW or RDP) or see what accounts have logged onto the server directly.  From what i know, there is very little logging enabled to be able to find out any of this information, is that correct?

nathan
0
Comment
Question by:natrat22
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 58

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 33451458
The security event log will tell you some of the information you seek, but by default file access is not audited, so tryi8ng to find past accesses will simply not be possible. You can turn on auditing to catch future events, but it does come at a cost of system performance and HUGE log files, so ti should only be done on an as-needed basis. Basically if the boss things someone will do so again, you can turn on auditing for the select files s/he thinks will be accessed, and then turn it off again when you have completed the task.
But if s/he feels the damage has been done and just wants a historical view, if this was a default installation, it is simly too late. Not much will be discoverable.
-Cliff
 
0
 
LVL 6

Expert Comment

by:nettek0300
ID: 33451470
It depends on if someone set up logging or not.  All the logs you would need to see would be in the security section of the event viewer.  Depending on whether or not logging is turned on would depend on whether you would be able to see what you need.  You can set this up via group policy.  There are logs that are tagged as logon/logoff which is where you can see who logged on and off.  You just have to look carefully.  Another way to tell what computer is logging on is that typically when a computer connects via RDP, the server will try to setup the printers that are on the clients computer.  Delending on the OS version and print drivers, you can sometimes see errors in the system log where the printer setup failed.  It will list the computer device name in those logs.
0
 
LVL 9

Expert Comment

by:authen-tech
ID: 33451511
You may be able to access the event viewer (start/run/eventvwr) and go to the security tab.  It's a very basic log of who has successfully logged in and notes error's when people attempt to log in and provide the wrong password.  If you have an idea of when the alleged violation occurred, this might help.

Todd
0
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 33452123
If they came in through RWW, then there should be a record of it in the IIS Log files...
0
 
LVL 1

Author Closing Comment

by:natrat22
ID: 33526987
Thanks..
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question