Step one: Change the Admin account password, and DO NOT GIVE IT OUT TO any USERS! NO one should share user accounts, and tracking logging does you no good if they do this. If someone needs admin access, make them a member of the admin group, don't give them the admin account! You can further limit which admin functions they are allowed to do (in WIN2000 and beyond).
Step two: turn auditing on in all the systems. How to do that depends on the type of system (NT, Win 2000, etc.) you are using. With auditing enabled, you can determine which user did the activity (SEE STEP ONE ABOVE!), and know who to go after when the system gets messed up.
Thanks! That sounds good, the problem is these folks are
logging on in different locations and we're trying to
pinpoint somehow each time the account is used.
Or if we could run some type of agent which will scan the
network and inform us when the account is active.
If SMS were loaded I could simply build collections and
set the criteria, but this is a post SMS problem.
Not a real problem, and it can be done remotely from a central system (can be a desktop), provided you force the users to use their own account.
The log on the DC will tell you when they log on/off the domain. You need to turn on logging on each server, which will tell you the time they logged onto that server, what files they access successfully or not, etc.
You can read these log files from a central location (a server or desktop WinNT4.0 or better system) from each machine in the domain, and can apply filters to find, for example, a single user account. There is no practical way to have a central system record all the log ons and accesses to all the systems in the network, the system would totally bog down and would be useless for anything else. Besides, you would not want to do that anyway, it would be too difficult to determine which system it is happening on because of the huge volume of events.
Remember that all logging/auditing consumes system resources, so only do what you really need (for example, if you only care about who accesses a file, only record the successes, not failures, etc.).
You could always run some sort of system security monitoring software (i.e. change detection that would include user login information, etc). INTACT (Pedestal Soft) is a real-time product that is reasonably priced and would solve your problem.
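The central log review described in this thread (reading each machine's Security log remotely and filtering for one account) can be scripted. The following is an added example, not code from any poster. It assumes a current Windows system with PowerShell and the modern event IDs 4624/4625/4634 rather than the NT/2000-era ones, and the server names and account name are hypothetical placeholders.

```powershell
# Added example. Server names and the account name are hypothetical; replace them.
$Servers = 'DC01', 'FILE01', 'FILE02'   # assumption: hosts with logon auditing enabled
$Account = 'Administrator'              # the account whose use is being tracked
$Since   = (Get-Date).AddDays(-1)       # look back 24 hours

# 4624 = successful logon, 4625 = failed logon, 4634 = logoff (Vista/2008 and later).
$filter = @{ LogName = 'Security'; Id = 4624, 4625, 4634; StartTime = $Since }

$results = foreach ($server in $Servers) {
    try {
        Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Named fields live in the event XML; build a name -> value lookup.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                    $data[$d.Name] = $d.'#text'
                }
                # Keep only events for the tracked account (comparison is case-insensitive).
                if ($data['TargetUserName'] -eq $Account) {
                    [pscustomobject]@{
                        Time        = $_.TimeCreated
                        Server      = $server
                        EventId     = $_.Id
                        LogonType   = $data['LogonType']
                        SourceIP    = $data['IpAddress']        # empty for logoff events
                        Workstation = $data['WorkstationName']  # empty for logoff events
                    }
                }
            }
    }
    catch {
        # Unreachable host, access denied, or no matching events: report and continue.
        Write-Warning "${server}: $($_.Exception.Message)"
    }
}

# One time-ordered view of where and when the account was used.
$results | Sort-Object Time | Format-Table -AutoSize
```

Reading remote Security logs requires an account with rights to those logs on each server, and the servers must have logon auditing turned on as described in step two.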