• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 114
  • Last Modified:

Windows Server 2008 Security

Hi,

I saw one user account name  in C:\users folder in Windows Server 2008 R2.

The user does not have any privileges to log on to the server as the user is not the administrator or member of domain admins or enterprise admins. We are running AD 2003. I also checked the remote access is not granted to the user.

So How can the user logon to the server?

Thanks,

Raj.
0
Roger38
Asked:
Roger38
1 Solution
 
Mohammed KhawajaManager - Infrastructure:  Information TechnologyCommented:
Is there a service running under that user account?  Is Terminal Services enabled on this server and the user is allowed RDP access?  What is the date on the folder (create date and last modified date)?

Expand Registry key HKEY_USERS and look at the SIDs (these SIDs correspond to the users who have a profile on this computer).  See if one othe SIDs matches the user's SID.
0
 
Roger38Author Commented:
The user is not allowed RDP into the server and the date on the folder is 1-15-2015.

Seems like the user found a way around to logon to the server.

How can I verify and prevent this?
0
 
rindiCommented:
It could be a local user account, and not a domain account. So maybe he logged on to the local server bypassing the domain.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
Roger38Author Commented:
No, Its not a local user account. Its a domain account.
0
 
Marc LSenior Infrastructure EngineerCommented:
Have you verified your security policy on the server (Secpol.msc>Local Policies>User Rights Assignment) for the values 'Allow log on locally', 'log on as a batch job', 'log on as a service' and 'Allow log on through Remote Desktop Services', that the user is not listed or in a group that is listed?

Also, have you reviewed your security logs, and found the actually logon event, that should give you more information.
0
 
Roger38Author Commented:
Have you verified your security policy on the server (Secpol.msc>Local Policies>User Rights Assignment) for the values 'Allow log on locally', 'log on as a batch job', 'log on as a service' and 'Allow log on through Remote Desktop Services', that the user is not listed or in a group that is listed?

I looked into it. All Clear. No indication of ant rights to this user.

Also, have you reviewed your security logs, and found the actually logon event, that should give you more information.

I tried that but those logs have been cleared because this is from Jan. 15, 2015 and there is a limit on the number of logs it retains.
0
 
rindiCommented:
Your comment you are accepting doesn't look like a solution to me. Why are you accepting that?
0
 
Roger38Author Commented:
Thanks.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now