Solved

is it possible to log on to SBS server via local admin unauthorised?

Posted on 2014-10-01
Last Modified: 2014-10-14
Hi, I am facing issues with a server where, every time I log on, I am having to revert back to the domain to be able to log on. When I have logged on in the past it has always defaulted to the domain\administrator so I enter the password and I am straight in.

Recently, when I then go to RDP back in, first of all I am getting randomly kicked off, and secondly it's as if there is another account that someone else is logging on to.

I believe it's not possible to have a local admin account on a DC, but how do I check to see if someone is logging on to this server without authorisation? Is there some logging software or a quick way to check logs etc.?

I may just be being paranoid but when I last logged on there was some software that was open for auditing and I know I didn't open it and as far as I am aware or my client, nobody else has access.

Thoughts please?

Thanks

Chris
Question by:chrishoy-iis
3 Comments
 
LVL 8

Expert Comment

by:Acosta Technology Services
ID: 40354494
Check the security log for event ID 528.  That is the event for a successful logon.  If the other user is using the same account as you (kicking you off the sessions) then this won't work, but a quick password change would probably fix that.
 
LVL 13

Accepted Solution

by:
Andy M earned 500 total points
ID: 40354496
Hi Chris

No, an SBS server is always a domain controller so there won't be any local accounts - only the domain accounts. The 'Administrator' account name (and also admin) is a common target for hacking attempts so depending on how strong your password is it may have been compromised.

In this instance I would firstly prevent internet access to the server.
Reset the administrator password to something stronger (or even better - set up a domain admin account with a different name and disable the administrator account - make sure any services run under the new account before doing so).
I would then run a full anti-virus and anti-spyware scan on the system, and check for any new applications that may have been installed.
It would also be worth checking through your AD to see if any strange looking/unknown accounts have been set up which may also be used to allow access to the server.

To check on logins the first port of call would be the Security log in Event Viewer as any login is recorded in there. There are also many different auditing software packages available as well as some batch/VB scripts that can create a log of when users log on when run as part of a startup script.
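The Security log review suggested in the answers, as an added example that is not part of the original thread. It assumes SBS 2008/2011 (Windows Server 2008 or later), where a successful logon is recorded as event 4624 rather than 528 and account creation as event 4720; the helper name `Get-EventFields` and the 14-day window are chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell 2.0+ session on the server.
$since = (Get-Date).AddDays(-14)      # constructed look-back window, adjust as needed

# Logon types produced by a person at the console or over RDP
$humanTypes = @{ '2' = 'Console'; '7' = 'Unlock'; '10' = 'RDP'; '11' = 'Cached' }

function Get-EventFields($record) {
    # Read the named EventData fields rather than parsing the message text
    $fields = @{}
    foreach ($d in ([xml]$record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f    = Get-EventFields $_
        $type = $humanTypes[[string]$f['LogonType']]
        if ($type) {                  # drop service and network logons
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $f['TargetDomainName'], $f['TargetUserName']
                Type        = $type
                Source      = $f['IpAddress']
                Workstation = $f['WorkstationName']
            }
        }
    }

# Every console/RDP logon, newest first: look for times and addresses that are not yours
$logons | Sort-Object Time -Descending |
    Format-Table Time, Account, Type, Source, Workstation -AutoSize

# One line per account and source address, so an unfamiliar origin stands out
$logons | Group-Object Account, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Accounts created in the same window (event 4720) and who created them
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        '{0}  created {1} (by {2})' -f $_.TimeCreated, $f['TargetUserName'], $f['SubjectUserName']
    }
```

The Source column holds the client address recorded for each RDP logon, which separates sessions that share one account name. Event 4720 only appears if account management auditing is enabled on the domain controller.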
 

Author Closing Comment

by:chrishoy-iis
ID: 40379318
Checked all of the above and now secure from future access by anybody else.

Thanks