Help with Security Audits

WP

Archived from groups: microsoft.public.win2000.security (More info?)

I have a Win2k terminal server with Citrix installed.
I have auditing set up on this server for successful and unsuccessful logon
events.
In my event viewer I have this:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 6/1/2005
Time: 6:36:40 AM
User: RMH\ecoombs
Computer: RMH-CITRIX-1
Description:
Successful Network Logon:
User Name: xxxxxxx
Domain: xxxxx
Logon ID: (0x0,0xE5CD350)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: xxxxxxxx
This user doesn't show a profile on the server, so I am wondering how to track
down what type of activity it was.
This user shouldn't be accessing this server.
Thanks in advance.
 
Guest

Check to see if there is a local user account by that name on the server.
The command net users would be a quick way. For a domain computer, domain
accounts could also be used to attempt access. When you say profile I don't
know if you mean user account or user profile as the term seems to be
interchanged a lot. A profile will not be created until the user logs onto
the computer at the console or via TS. If that computer should not be
offering network shares then disable file and print sharing on it or modify
the user right for access this computer from the network to include only the
users/groups that should be accessing shares on the computer. It would also
be a good idea to have auditing of account management enabled to see if
unauthorized user accounts are being created/deleted. --- Steve


"WP" <WP@discussions.microsoft.com> wrote in message
news:7921EF0D-005C-4A69-B3EF-54DAE1B11FE0@microsoft.com...
> I have a Win2k terminal server with Citrix installed.
> I have auditing set up on this server for successful and unsuccessful logon
> events.
> In my event viewer I have this:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 6/1/2005
> Time: 6:36:40 AM
> User: RMH\ecoombs
> Computer: RMH-CITRIX-1
> Description:
> Successful Network Logon:
> User Name: xxxxxxx
> Domain: xxxxx
> Logon ID: (0x0,0xE5CD350)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: xxxxxxxx
> This user doesn't show a profile on the server, so I am wondering how to track
> down what type of activity it was.
> This user shouldn't be accessing this server.
> Thanks in advance.
>
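
An added example, not part of any post in this thread: a Python sketch that reads events exported as text in the "Field: value" layout WP posted and lists Logon Type 3 logons by accounts outside an allow-list, the same restriction Steve suggests enforcing through the user right. The sample events, account names and the ALLOWED set are constructed for illustration.

```python
import re

# Constructed sample export: same "Field: value" layout as the event in the
# post, trimmed to the fields used here. All names and values are invented.
SAMPLE = """\
Event ID: 540
User Name: svc_backup
Domain: EXAMPLE
Logon ID: (0x0,0x1A2B3C)
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: BACKUP-01

Event ID: 540
User Name: jdoe
Domain: EXAMPLE
Logon ID: (0x0,0x1A2B4D)
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: WKS-042

Event ID: 528
User Name: jdoe
Domain: EXAMPLE
Logon ID: (0x0,0x1A2B5E)
Logon Type: 2
Logon Process: User32
Workstation Name: TS-EXAMPLE-1
"""

# Hypothetical allow-list: accounts expected to reach this server over the network.
ALLOWED = {"example\\svc_backup"}

def parse_events(text):
    """Split on blank lines; turn each 'Field: value' line into a dict entry."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = re.findall(r"^\s*([^:\n]+):[ \t]*(.*)$", block, re.M)
        if fields:
            events.append({k.strip(): v.strip() for k, v in fields})
    return events

def unexpected_network_logons(events, allowed=ALLOWED):
    """Return (account, workstation, logon process, logon ID) for type-3 logons not allowed."""
    hits = []
    for ev in events:
        account = f"{ev.get('Domain', '')}\\{ev.get('User Name', '')}".lower()
        if ev.get("Logon Type") == "3" and account not in allowed:
            hits.append((account, ev.get("Workstation Name"), ev.get("Logon Process"), ev.get("Logon ID")))
    return hits
```

The Logon ID in each hit is the value to search for in later Security events from the same session.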
 

Barry


"WP" <WP@discussions.microsoft.com> wrote in message
news:7921EF0D-005C-4A69-B3EF-54DAE1B11FE0@microsoft.com...
> I have a Win2k terminal server with Citrix installed.
> I have auditing set up on this server for successful and unsuccessful logon
> events.
> In my event viewer I have this:
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 540
> Date: 6/1/2005
> Time: 6:36:40 AM
> User: RMH\ecoombs
> Computer: RMH-CITRIX-1
> Description:
> Successful Network Logon:
> User Name: xxxxxxx
> Domain: xxxxx
> Logon ID: (0x0,0xE5CD350)
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: xxxxxxxx
> This user doesn't show a profile on the server, so I am wondering how to track
> down what type of activity it was.
> This user shouldn't be accessing this server.
> Thanks in advance.
>

Logon type 3 is network logon.
 

WP


Thanks Barry,
however I did know that part.
What I need to find out is what kind of connection.
Was it someone making a connection to a share?
I have no shares on this server.
Does anyone know how I can get more detail from this event?

"barry" wrote:

>
> "WP" <WP@discussions.microsoft.com> wrote in message
> news:7921EF0D-005C-4A69-B3EF-54DAE1B11FE0@microsoft.com...
> > I have a Win2k terminal server with Citrix installed.
> > I have auditing set up on this server for successful and unsuccessful logon
> > events.
> > In my event viewer I have this:
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 540
> > Date: 6/1/2005
> > Time: 6:36:40 AM
> > User: RMH\ecoombs
> > Computer: RMH-CITRIX-1
> > Description:
> > Successful Network Logon:
> > User Name: xxxxxxx
> > Domain: xxxxx
> > Logon ID: (0x0,0xE5CD350)
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: xxxxxxxx
> > This user doesn't show a profile on the server, so I am wondering how to track
> > down what type of activity it was.
> > This user shouldn't be accessing this server.
> > Thanks in advance.
> >
>
> Logon type 3 is network logon.
>
>
>
 
Guest

Check out the new System Controls MP from Manakoa. It provides auditing
guidance and base collection of key security events that might be useful for
future monitoring of your systems.

http://www.manakoa.com/products/scmp/

"Steven L Umbach" wrote:

> Check to see if there is a local user account by that name on the server.
> The command net users would be a quick way. For a domain computer, domain
> accounts could also be used to attempt access. When you say profile I don't
> know if you mean user account or user profile as the term seems to be
> interchanged a lot. A profile will not be created until the user logs onto
> the computer at the console or via TS. If that computer should not be
> offering network shares then disable file and print sharing on it or modify
> the user right for access this computer from the network to include only the
> users/groups that should be accessing shares on the computer. It would also
> be a good idea to have auditing of account management enabled to see if
> unauthorized user accounts are being created/deleted. --- Steve
>
>
> "WP" <WP@discussions.microsoft.com> wrote in message
> news:7921EF0D-005C-4A69-B3EF-54DAE1B11FE0@microsoft.com...
> > I have a Win2k terminal server with Citrix installed.
> > I have auditing set up on this server for successful and unsuccessful logon
> > events.
> > In my event viewer I have this:
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 540
> > Date: 6/1/2005
> > Time: 6:36:40 AM
> > User: RMH\ecoombs
> > Computer: RMH-CITRIX-1
> > Description:
> > Successful Network Logon:
> > User Name: xxxxxxx
> > Domain: xxxxx
> > Logon ID: (0x0,0xE5CD350)
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: xxxxxxxx
> > This user doesn't show a profile on the server, so I am wondering how to track
> > down what type of activity it was.
> > This user shouldn't be accessing this server.
> > Thanks in advance.
> >
>
>
>