security audit

Discussion in 'Server Security' started by aurimas, Apr 3, 2009.

  1. aurimas

    aurimas Guest

    Hi,

    we need to audit users' activity on particular computers. Let's say I have an
    incident for a particular computer. I know its IP; from DNS I can find
    out its name. But what else I need is to find the users who were using that
    computer during some time. I have enabled "Audit account logon events" in GPO
    on my Default Domain Controllers Policy, but I can't see the user accounts that
    used that computer. This is my security log on the DC:


    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 2009.03.30
    Time: 13:44:12
    User: DARBUOT\UKK-MK-01704$
    Computer: MRUCDDC01
    Description:
    Successful Network Logon:
    User Name: UKK-MK-01704$
    Domain: DARBUOT
    Logon ID: (0x0,0x12A56E4A)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {5648b24a-aa61-db67-cdfe-b0258417e4c3}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.32.14
    Source Port: 0


    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

    thank you for your help,
    Aurimas
     
    aurimas, Apr 3, 2009
    #1

  2. aurimas

    aurimas Guest

    any ideas ?
    thanks
     
    aurimas, Apr 14, 2009
    #2

  3. Meinolf Weber [MVP-DS], Apr 14, 2009
    #3
  4. aurimas

    aurimas Guest

    thank you Meinolf for the information,

    I am afraid about security because the user will have write access to this
    file. What I actually need is:


    I enabled "Audit account logon events" on my DCs. I am collecting events from
    the DCs into SCOM audit databases. How can I get information about user logon
    activity on a specific PC? Microsoft says that event 672 (ticket log) does not
    guarantee a successful user logon, so as I understand you need to look at the 673
    (service ticket log) event; else, if NTLM authentication is used, I need to
    look at event 680. So where finally do I have to look?

    Using "Forensic_-_All_Events_For_Specified_Computer" I get just information
    for my DCs and not for the PCs that the user was logged on to?

    So is there any easy way to get user logon activity on PC?

    thanks
    aurimas
     
    aurimas, Apr 28, 2009
    #4
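    The question in the first post and in post #4 is how to turn DC security events into a list of people who used one particular PC. An added example (not code from the thread or from Microsoft) that parses security events exported in the text layout shown in post #1, keeps only events whose source address is the incident IP, and drops machine accounts (names ending in "$", like the UKK-MK-01704$ logon in the original post, which records the workstation authenticating itself, not a person). The sample export below is constructed: the first event is the one from the thread, the 673 and second 540 events are invented, and the "Client Address" / "User Domain" field labels assumed for event 673 are an assumption about the 2003-era event text.

```python
import re
from collections import defaultdict

# Constructed sample export (text layout as pasted in post #1). Event 1 is the
# thread's own machine-account logon; events 2 and 3 are invented for the demo.
# Raw string so the backslash in DARBUOT\UKK-MK-01704$ is kept literally.
SAMPLE_EXPORT = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2009.03.30
Time: 13:44:12
User: DARBUOT\UKK-MK-01704$
Computer: MRUCDDC01
Description:
Successful Network Logon:
User Name: UKK-MK-01704$
Domain: DARBUOT
Logon Type: 3
Source Network Address: 192.168.32.14
Source Port: 0

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 2009.03.30
Time: 13:44:20
Computer: MRUCDDC01
Description:
Service Ticket Granted:
User Name: jdoe
User Domain: DARBUOT
Client Address: 192.168.32.14

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2009.03.30
Time: 14:02:05
Computer: MRUCDDC01
Description:
Successful Network Logon:
User Name: asmith
Domain: DARBUOT
Logon Type: 3
Source Network Address: 192.168.40.9
"""

# "Label: value" lines; labels are words and spaces only, so the URL line in a
# real export ("http://...") does not produce a meaningful key.
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$", re.M)


def parse_events(text):
    """Split an exported security log into a list of {label: value} dicts."""
    events = []
    for chunk in text.split("Event Type:")[1:]:
        fields = {}
        for m in FIELD.finditer("Event Type:" + chunk):
            # keep the first occurrence, so the header "User" line never
            # overwrites the body "User Name" field
            fields.setdefault(m.group(1).strip(), m.group(2).strip())
        events.append(fields)
    return events


def user_logons_for_ip(events, incident_ip):
    """Return (timestamp, domain, user, event_id) for human-account logons whose
    source address equals incident_ip. 540 carries 'Source Network Address';
    673 is assumed to carry 'Client Address'. Machine accounts ($) are skipped."""
    hits = []
    for ev in events:
        addr = ev.get("Source Network Address") or ev.get("Client Address", "")
        if addr.strip() != incident_ip:
            continue
        user = ev.get("User Name", "")
        if not user or user.endswith("$"):
            continue
        domain = ev.get("Domain") or ev.get("User Domain", "")
        stamp = ev.get("Date", "") + " " + ev.get("Time", "")
        hits.append((stamp, domain, user, ev.get("Event ID", "")))
    return hits


def users_by_ip(events):
    """Map every source address to the set of human accounts seen from it."""
    table = defaultdict(set)
    for ev in events:
        addr = ev.get("Source Network Address") or ev.get("Client Address", "")
        user = ev.get("User Name", "")
        if addr and user and not user.endswith("$"):
            table[addr.strip()].add(user)
    return dict(table)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for hit in user_logons_for_ip(evs, "192.168.32.14"):
        print(hit)
```

    Run against a real export, the 540 event in post #1 drops out (machine account) and only the 673/680-style user events from the incident IP remain, which is the list the original question asks for.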
  5. Hello aurimas,

    If you use the link in my previous posting, read it and run the script, you
    get the information.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 28, 2009
    #5
  6. aurimas

    aurimas Guest

    Hello, Meinolf,

    using this script during user logon we have to give him write permissions on
    that script, and this is a big security issue, so that's why using security is
    better, but I can not find the right events to track logon activity on computers,

    aurimas
     
    aurimas, Apr 29, 2009
    #6
  7. Hello aurimas,

    The user needs the right permission to a folder defined in the script where you
    can save all the outputs, not to the script itself, so if you create a hidden
    share the user won't see or find it.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Apr 29, 2009
    #7
  8. aurimas

    Venkatesh Guest

    Venkatesh, May 7, 2009
    #8
