Perhaps you need to beef up your security. Get some firewall software in. ZoneAlarm will in its logs tell you which IP addresses have been attempting to connect and on which port....
"Users trying to login": are they using domain accounts?
Anyway, such an issue should be tracked via Audit policies. Set the audit for accounts, and for successful logon, and whatever condition you want, and then check the Event Viewer/Security.
Gia Betiu
giabetiu@chello.nl
Computer Eng. CNE 4, CNE 5, MCSE Win2K
GiaBetiu - please correct me if I am wrong, but I think that the audit log will display the machine name of the PC attempting to login - if this machine is from outside then you will not know the IP.
I have been having "attempts" from time to time and now use a method to capture packets to determine IP.
rrsub - In doing some testing on our system, I noted that if a person is logged into their own system as administrator and they do something that may or may not be malicious but causes a log entry on your system - it will show in your log as account administrator with their workstation name.
So in my case, I check my log and worry less about single, isolated entries than I do other more obvious attempts.
Audit log will only display hostname. I have the Administrator account disabled for terminal logon but I still see about 100 attempts an hour. Too risky to install a tarpit because it's a remote server.
I have used a packet analyzer to capture all packets going to a specific server, then determined the IP address involved. If you do have a firewall to tell you this then you may try the packet method.
I use lanwatch32 - but there may be a free program out there.
If you are running Routing and RAS services on that box, and it is by chance a server, you could go to Start > Programs > Administrative Tools > Routing and Remote Access, then go to your General tab and see what IPs are coming in on what ports by right-clicking on the connection you want and going to Show TCP Connections. If you see something you do not like, and you know it's nothing like from MSN or AOL or any open IP addresses you would use for e-mail or FTP services, ping the address or trace the route, and if you think it's something of a hack or something you just don't like, then go to the Properties of that connection underneath Show TCP Connections, go to Input Filters, and block that IP address. It takes about 5 minutes to do, and if you do have a firewall program and you are still using Routing/RAS you could still do the same as a secondary block to that IP address, besides the block from your firewall program. Have fun. A little much to read, but it's worth it.
Anthony Cabanas
Long Island Networking Technologies Inc acabanas@linettech.com