Security Event Log madness.

Anonymous
April 26, 2005 7:06:11 PM

Archived from groups: microsoft.public.win2000.security

We've had a student in our school system delete a ton of files on
a server that were wide-open to students. The permissions allowed
students to delete files because Microsoft Office files need 'Delete'
permissions or they'll create the filename but the file will be empty.
The students have their own individual folder for saving files that
only they can access but most of the teachers had them using the
'open' folder. I recovered everything from our backup, but we don't
want to let this slide.
Anyway, I know the username of the student that deleted the
files. But, I need to determine the computer they did it from. I
know it's one of two computers. I have the security logs from both
domain controllers, the file server the files were deleted from and
the computers she logged in on. I see clearly in the log from the
file server that she deleted the files. But, it doesn't tell me what
computer the delete command was executed from. I don't see anything
in ANY of the other security logs that tells me what computer the
delete command came from.
I see events 540 & 576 in the log of one of the domain
controllers involving this user, but the 'Workstation Name' field is
blank in the 540 events. Surely to God above there is some way to
find out what computer she actually used, but I don't see anything in
any of these logs that tells me.
I need to know what computer she deleted the files from. Also,
if someone can point me to a good book or online resource that tells
me how to make sense of the event logs I would REALLY appreciate it.
Any light you can shed on this would be GREATLY appreciated.
Anonymous
April 28, 2005 6:11:07 PM

Nunya Beeswax wrote:
> We've had a student in our school system delete a ton of files on
> a server that were wide-open to students. The permissions allowed
> students to delete files because Microsoft Office files need 'Delete'
> permissions or they'll create the filename but the file will be empty.
> The students have their own individual folder for saving files that
> only they can access but most of the teachers had them using the
> 'open' folder. I recovered everything from our backup, but we don't
> want to let this slide.
> Anyway, I know the username of the student that deleted the
> files. But, I need to determine the computer they did it from. I
> know it's one of two computers. I have the security logs from both
> domain controllers, the file server the files were deleted from and
> the computers she logged in on. I see clearly in the log from the
> file server that she deleted the files. But, it doesn't tell me what
> computer the delete command was executed from. I don't see anything
> in ANY of the other security logs that tells me what computer the
> delete command came from.
> I see events 540 & 576 in the log of one of the domain
> controllers involving this user, but the 'Workstation Name' field is
> blank in the 540 events. Surely to God above there is some way to
> find out what computer she actually used, but I don't see anything in
> any of these logs that tells me.
> I need to know what computer she deleted the files from. Also,
> if someone can point me to a good book or online resource that tells
> me how to make sense of the event logs I would REALLY appreciate it.
> Any light you can shed on this would be GREATLY appreciated.

Do you know when the files were deleted? If so you could run the
eventcomb tool (free from somewhere on microsoft.com) to run over the
event logs which should tell you which machine they were on.

BTW, why do you need to know which workstation it was? If you got her
bang to rights, why do you need to know where it was done from?
Anonymous
April 28, 2005 7:22:02 PM

I know that it was her username that deleted the files. But, she
was logged onto two computers at the same time. She claims that a
friend was using one of the computers logged in under her username
(students have been told repeatedly not to do that) and that the
friend was supposed to log her off. So, even though I know it was her
username, I need to know the computer it was done on. There is a
camera that shows these computers. So, if I know what computer she
or her friend, was on, they can't deny it. Right now, they can blame
it on each other.

On Thu, 28 Apr 2005 14:11:07 +0100, andy smart
<anonymus@discussions.microsoft.com> wrote:
Anonymous
April 28, 2005 8:10:09 PM

Also, I know that I CAN get the computer name. The problem is
that I don't know what to look for. Should I look at the log on the
file server or the workstations? What event IDs am I looking for? I
have seen events that have a field that shows what computer the event
was generated from. But, those fields are blank. I obviously don't
know squat about this so I need some hand-holding. I know how to use
EventComb, but I don't know what I'm looking for. I know about
EventID.net, but that only shows me specific info about specific event
IDs. I would be very grateful if you could point me in the right
direction or even point me to a good tutorial about how to make sense
of the event logs. I've done a ton of research on the net, but I
haven't found a tutorial. Thank you in advance from an event-log
idiot.
Anonymous
April 28, 2005 8:51:14 PM

They can "blame" whomever they want, but the responsible party is clear ...
If the students have been instructed not to share usernames and passwords,
and they do, then the person sharing the username and password is
responsible ... If her username and password were compromised by the other
person, then you might have an issue, but if she gave it out, she's the one
who is responsible for the deleted files, regardless ...

Anonymous
April 28, 2005 9:14:53 PM

The links below may help. There is often a sequence of numbers/letters in
the primary logon ID and such in object access events. I don't know if these
indicate the computer. Since you know the computers, you could try to
generate some object access events from each one to see if you can use the
information in the primary logon ID to determine which computer it was.

http://www.windowsitpro.com/Windows/Articles/ArticleID/...
http://www.microsoft.com/technet/security/prodtech/wind...

For the future, if you have a Windows 2003 domain controller or can install
one you can use the new limitlogon tool to enforce the numbers of computers
that a user is logged onto at the same time. You can also specify what
domain computers a user can logon to in their account properties in Active
Directory Users and Computers and configure the user rights for logon
locally and deny logon locally to manage what computers users/groups can
logon to. -- Steve

http://www.thincomputing.net/newsitem296.html

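As an added example (not code from the thread or from any of the posters), this is the correlation Steve describes above, run over the kind of per-machine log export that andy's EventComb suggestion would produce: logon event 540 carries a Logon ID and a Workstation Name, object access event 560 carries the Primary Logon ID of the session that opened the object, and matching the two ties a delete on the file server back to the client that held the session. The key=value line format, the field names and the sample values are constructed for illustration and are not the exact text of real events.

```python
# Added example: attribute DELETE accesses in Windows 2000 object access
# events (560) to a workstation via the logon session (540) on the same
# machine. The export format and field names below are a constructed,
# simplified stand-in for an EventComb/Event Viewer export.

# Constructed sample of what the file server's security log might hold.
# The third 540 has a blank Workstation Name, the gap the original poster
# ran into on the domain controller.
SAMPLE_EVENTS = """\
EventID=540;User=jdoe;LogonID=(0x0,0x1A2B);Workstation=LAB-PC-07
EventID=540;User=jdoe;LogonID=(0x0,0x3C4D);Workstation=LAB-PC-12
EventID=540;User=jdoe;LogonID=(0x0,0x5E6F);Workstation=
EventID=560;Object=D:\\Open\\essay.doc;PrimaryLogonID=(0x0,0x1A2B);Accesses=READ_CONTROL
EventID=560;Object=D:\\Open\\essay.doc;PrimaryLogonID=(0x0,0x3C4D);Accesses=DELETE
EventID=560;Object=D:\\Open\\notes.xls;PrimaryLogonID=(0x0,0x5E6F);Accesses=DELETE
"""


def parse_events(text):
    """Turn key=value;key=value lines (constructed format) into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        events.append(dict(part.split("=", 1) for part in line.split(";")))
    return events


def attribute_deletes(events):
    """Map each object with a DELETE access to (user, workstation).

    Workstation is None when the matching 540 had a blank Workstation
    Name, or (None, None) when no 540 with that Logon ID was exported.
    """
    sessions = {}  # Logon ID -> (user, workstation or None)
    for ev in events:
        if ev.get("EventID") == "540":
            sessions[ev["LogonID"]] = (ev["User"], ev["Workstation"] or None)
    deletes = {}
    for ev in events:
        if ev.get("EventID") != "560":
            continue
        if "DELETE" not in ev.get("Accesses", "").split(","):
            continue
        deletes[ev["Object"]] = sessions.get(ev["PrimaryLogonID"], (None, None))
    return deletes


if __name__ == "__main__":
    for obj, (user, ws) in attribute_deletes(parse_events(SAMPLE_EVENTS)).items():
        print(f"{obj}: deleted by {user} from {ws or 'UNKNOWN (blank Workstation Name)'}")
```

Logon IDs are assigned per machine, so the 540 events must come from the same log as the 560 events (the file server here), not from a domain controller.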