Solved

is it possible to log on to SBS server via local admin unauthorised?

Posted on 2014-10-01
3
277 Views
Last Modified: 2014-10-14
Hi, I am facing issues with a server where, every time I log on I am having to revert back to the domain to be able to logon.   When I have logged on in the past it has always defaulted to the domain\administrator so I enter the password and I am straight in.

recently when I then go to RDP back in, first of all I am getting randomly kicked off and secondly its as if there is another account that someone else is logging on to.  

I believe its not possible to have a local admin account on a DC but how do i check to see if someone is logging on to this server without authorisation, is there some logging software or a quick way to check logs etc?

I may just be being paranoid but when I last logged on there were some software that was open for auditing and I know I didn't open it and as far as I am aware or my client, nobody else has access..

Thoughts please?

Thanks

Chris
0
Comment
Question by:chrishoy-iis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 8

Expert Comment

by:Acosta Technology Services
ID: 40354494
Check the security log for event ID 528.  That is the event for a successful logon.  If the other user is using the same account as you (kicking you off the sessions) then this won't work, but a quick password change would probably fix that.
0
 
LVL 14

Accepted Solution

by:
Andy M earned 500 total points
ID: 40354496
Hi Chris

No, an SBS server is always a domain controller so there won't be any local accounts - only the domain accounts. The 'Administrator' account name (and also admin) is a common target for hacking attempts so depending on how strong your password is it may have been compromised.

In this instance I would firstly prevent internet access to the server.
Reset the administrator password to something stronger (or even better - setup a domain admin account with a different name and disable the administrator account - make sure any services run under the new account before doing so)
I would then run a full anti-virus and anti-spyware scan on the system, check for any new applications that may have been installed.
It would also be worth checking through your AD to see if any strange looking/unknown accounts have been setup which may be also used to allow access to the server.

To check on logins the first port of call would be the Security log in event viewer as any login is recorded in there. There is also many different auditing software available as well as some batch/vb scripts that can create a log of when users log on when run as part of a startup script.
0
 

Author Closing Comment

by:chrishoy-iis
ID: 40379318
Checked all of the above and now secure from future access by anybody else.

Thanks
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Let's recap what we learned from yesterday's Skyport Systems webinar.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question