|
Posted by Roger Abell [MVP] on December 30, 2006, 2:46 am
Please log in for more thread options Thanks for the clarity.
I was assuming you were picking up on some small semantic
distinction based on how the event fields were instanced.
Roger
> Inadvertently. :-)
>
> Good catch Roger. I should have said Win2K or higher. My mistake. I was
> going on the fact that it used Kerb. I think I was thinking "current OS
> minus
> one", as I have for five years, but this time I arrived at XP. Obviously a
> Win2K client could cause the same error to be generated. Even a Unix
> client
> could, technically speaking.
>
> "Roger Abell [MVP]" wrote:
>
>> Hi Jesper,
>>
>> I am curious
>> <quote>
>> The logon must be coming from a Windows XP machine or higher
>> </quote>
>> Why was W2k ruled out?
>>
>> Roger
>>
>> > There is no way to tell for sure unless you audit all the resources.
>> > Logon
>> > type 3 is a network logon, in other words, the user is accessing a
>> > shared
>> > network resource. The logon must be coming from a Windows XP machine or
>> > higher, that is a member of the domain, because it uses Kerberos. Was
>> > the
>> > workstation name blank in the original log entry?
>> >
>> > This could be as simple as a user that is trying to find out what
>> > shares
>> > are
>> > on the server. Without knowing more about what was in the event and
>> > what
>> > resources are shared on that server we can't tell for sure.
>> >
>> > The connection between this event and the shutdown event was unclear.
>> > Are
>> > you implying that this user caused the shutdown? There should be a log
>> > entry
>> > for the shutdown event itself. It would be a 1074 event, and should
>> > include
>> > the name of the user that initiated it.
>> >
>> > "Yogesh S" wrote:
>> >
>> >> We are struggling to figure out what is going wrong with our Win 2003
>> >> Server
>> >> machine. This machine was given a remote shutdown instruction and we
>> >> are
>> >> investigating the security log. But upon investigation we saw several
>> >> of
>> >> this
>> >> log logon-logoff entries. I have removed the actual user and domain
>> >> name
>> >> for
>> >> security purpose.
>> >>
>> >> Successful Network Logon:
>> >> User Name: xyzuser
>> >> Domain: DOMAIN1
>> >> Logon Type: 3
>> >> Logon Process: Kerberos
>> >> Authentication Package: Kerberos
>> >> Workstation Name:
>> >>
>> >> User Logoff:
>> >> User Name: xyzuser
>> >> Domain: DOMAIN1
>> >> Logon Type: 3
>> >>
>> >> We clearly see that this user doesn't have any kind of shared network
>> >> connection to this win2003 machine and still we see this entry in our
>> >> log.
>> >> Any idea what is happening. Are there any tool which can precisely
>> >> give
>> >> us
>> >> the info as to which user is tryinbg to login and what resource he is
>> >> trying
>> >> to access.
>> >>
>> >> Regards
>> >> Yogesh S
>>
>>
>>
| 
XML Sitemap