?
Solved

Why would an employee export the security event log?

Posted on 2015-01-20
3
Medium Priority
?
18 Views
Last Modified: 2016-06-23
Long story but an employee left today and they were mucking around on their computer before they left (mid working shift). We could see that via their email log that they exported their Security Event log just before they left the office. They apparently erased their Internet history.

I don't know why someone would be interested in the security log. They didn't wipe it from their computer either so we were able to go in and just look at it.

Now I don't use the security log really at all (so I don't know much about reading it) but it seems there's events in there (such as that below) that mention other users who have NEVER logged on to that PC.

Special privileges assigned to new logon.

Subject:
      Security ID:            S-1-5-21-21086547-2992122978-1601556566-1173
      Account Name:            Other.User
      Account Domain:            DOMAIN
      Logon ID:            0x1DC7139

Privileges:            SeSecurityPrivilege
                  SeBackupPrivilege
                  SeRestorePrivilege
                  SeTakeOwnershipPrivilege
                  SeDebugPrivilege
                  SeSystemEnvironmentPrivilege
                  SeLoadDriverPrivilege
                  SeImpersonatePrivilege


The other bizarre thing is that the user is able to right click the event viewer and 'connect to another computer'. It successfully connects to the SBS box and the SBS logs can be read. Is that normal? I've confirmed that the user is not apart of any domain administrators group.

Any clarification on this would be great.

Thanks
0
Comment
Question by:Talds_Alouds
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 2000 total points
ID: 40562037
Security Logs on a local pc are pretty much useless. If they got the security logs from a domain controller this is another story. Even if they did get the security logs from a DC (if they had access) this there most they would be able to get out of them are usernames.

Passwords are not stored or transmitted in the security logs (they are stored in the SAM database) so I would not worry about this.

Will.
0
 

Author Comment

by:Talds_Alouds
ID: 40563135
Yeah I figured that was the case, it was just a bizarre thing to export and send to your private email address.

What about how he had the ability to connect to the server via mmc and view the DC logs? I've just logged in again as the user to make sure I wasn't seeing things and I can see all the server's event logs.

As well, why does the local security logs contain logs such as that in the OP that references 'other.user' where other.user has never logged on to that computer before...
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question