
Security Logs / Event Viewer 1

Status
Not open for further replies.

1DMF

Programmer
Jan 18, 2005
8,795
GB
I've had a few failed attempts to logon to our server from an unauthorised IP address.

However, trying to work out if they were successful in logging on is a nightmare, as the event viewer doesn't show much, and only the failed logons seem to show the source IP, but none of the successful audit entries do.

Is there any software I can get that gives better info on the security logs / event viewer to make it easier to monitor and investigate potential hacking and other event viewer entries?

Thanks,

1DMF.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
 
Think GFI do an application that gives a lot more power to the Event Logs - and not that it helps now, but Server Longhorn has some superb changes that help dramatically.

Depends on the logging you have turned on. (Auditing). Look at what account is being used. Is the username valid? Check AD to see when the account was last logged in. Is it an external IP or one on the LAN?

Cheers,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
It was an external IP trying to log on as Administrator.

I have 4 failed attempt logs, within 5 minutes of each other @ 1:24am

There are lots of events @ the same time for successful logins and logoffs, but they have no account details or source IP addresses.

Are these therefore internal logons for system resources?



"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
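The two posts above boil down to three questions: which account was tried, where from (LAN or external), and whether the "successful" entries at the same time are real logons or local system activity. As an added example (not a script from this thread, Tek-Tips or Microsoft), the following PowerShell pulls exactly those fields out of the Security log. It assumes a Vista/2008-or-later Security log, where successful and failed logons are events 4624 and 4625 and carry TargetUserName, LogonType and IpAddress; the SBS 2003 box in the thread writes the older 528/540 (success) and 529 (failure) events instead, so the IDs and field names would need swapping. The private-address test and the 24-hour default window are my choices, not anything the thread specifies.

```powershell
# Added example: summarise Security-log logons by account, source address and
# logon type, so a burst of failures from one outside address, and any success
# from the same address, stand out. Assumes event IDs 4624/4625 (Vista/2008+);
# the SBS 2003 server in the thread uses 528/540/529 and would need those.
param([int]$Hours = 24)   # assumption: look back one day by default

# Documented meanings of the LogonType field in 4624/4625.
$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# True for RFC 1918, loopback, link-local, or "no source at all" (local/system logon).
function Test-PrivateAddress {
    param([string]$Address)
    if ([string]::IsNullOrEmpty($Address) -or $Address -eq '-') { return $true }
    if ($Address -in @('127.0.0.1', '::1')) { return $true }
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne 'InterNetwork') { return ($ip.IsIPv6LinkLocal -or $ip.IsIPv6SiteLocal) }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

# Read the named EventData fields out of one event's XML into a flat object.
function Get-LogonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Result    = if ($Event.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        LogonType = $logonTypeNames[[int]$data['LogonType']]
        Source    = $data['IpAddress']
        Station   = $data['WorkstationName']
        External  = -not (Test-PrivateAddress $data['IpAddress'])
    }
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue | ForEach-Object { Get-LogonFields $_ }

# 1. Per external address and account: how many failures, and did any success follow?
"=== Logon attempts from outside the LAN ==="
$events | Where-Object External |
    Group-Object Source, Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Failures';  e = { @($_.Group | Where-Object Result -eq 'Failure').Count } },
        @{ n = 'Successes'; e = { @($_.Group | Where-Object Result -eq 'Success').Count } },
        @{ n = 'First';     e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{ n = 'Last';      e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# 2. Successes with no network source are local service/system logons (the
#    "successful logins with no account or IP" asked about above). Listing them
#    by logon type and account shows what normal background activity looks like.
"=== Local / system logons (no external source) ==="
$events | Where-Object { -not $_.External -and $_.Result -eq 'Success' } |
    Group-Object LogonType, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the server (reading the Security log needs administrator or Event Log Readers rights). A row in the first table with several failures for Administrator from one external address followed by a success from that same address is the case worth escalating; rows in the second table with LogonType Service or Network and computer accounts (ending in $) are the routine entries that made the original event viewer view so noisy.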
 
I would first crank up auditing. If you are auditing everything you can and still cannot find the info, then I would look for external software.

As for software that can help with events, if you are using a domain, I would suggest Microsoft MOM or products from NetPro. The NetPro products have specific tools for certain things. They are very good.
 
We use a domain, inasmuch as an internal domain on an SBS2003 server, single-box setup.

Where do I set the auditing, or check what is already set?

Thanks

1DMF



"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
 
You can look at the group policies. It will be under:

Computer > Windows Settings > Security Settings > Local Policies > Audit Policy

I would first run a "rsop.msc" from the DC. This will tell you what the current policy is and which policy applies this policy. If it is not what you want, then you can find that policy and edit it, or create a new policy to override those settings of the other policy, which is likely to be the "Default Domain Policy".
 
Thanks for the info, I have checked them out and this is what it says in the rsop.msc:

Policy                          Setting           Source GPO
Audit account logon events      Success           Default Domain Controllers Policy
Audit account management        Success           Default Domain Controllers Policy
Audit directory service access  No auditing       Small Business Server Auditing Policy
Audit logon events              Success, Failure  Small Business Server Auditing Policy
Audit object access             No auditing       Default Domain Controllers Policy
Audit policy change             Success           Default Domain Controllers Policy
Audit privilege use             No auditing       Default Domain Controllers Policy
Audit process tracking          No auditing       Default Domain Controllers Policy
Audit system events             Success           Default Domain Controllers Policy

Is there anything I need to change?

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
 
If you are trying to investigate logons, I would definitely turn on all auditing for account logon, dir svc access. If interested, you could put on other auditing for events, privileges, etc. Just remember that your event logs could get big with a lot of auditing on a busy network. Just keep an eye on it. You should get a bunch of data.
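The advice above is to turn on failure auditing for account logon and directory service access and to watch the log size. As an added example (my script, not from the thread or any vendor), here is how to check what is actually in force and make that change on a Windows Vista/2008-or-later machine, where auditpol.exe and per-subcategory audit policy exist; the rsop.msc table earlier in the thread is the Server 2003 equivalent, where only the nine legacy categories are available and the change is made in the GPO. The subcategory list, the 256 MB log size and the backup path are my choices. In a domain, a GPO that sets audit policy will re-apply over anything changed locally, so the same change belongs in the GPO (the Default Domain Controllers Policy for DCs) if it is to stick.

```powershell
# Added example: show the effective audit policy, enable the subcategories a
# logon investigation needs, and raise the Security log ceiling. Assumes
# Vista/2008 or later (auditpol.exe, advanced audit policy) and an elevated prompt.

# Subcategories to record, and which outcomes to keep (my selection).
$wanted = @(
    @{ Subcategory = 'Logon';                           Success = 'enable';  Failure = 'enable'  }
    @{ Subcategory = 'Logoff';                          Success = 'enable';  Failure = 'disable' }
    @{ Subcategory = 'Account Lockout';                 Success = 'disable'; Failure = 'enable'  }
    @{ Subcategory = 'Special Logon';                   Success = 'enable';  Failure = 'disable' }
    @{ Subcategory = 'Credential Validation';           Success = 'enable';  Failure = 'enable'  }  # NTLM validation (on the DC)
    @{ Subcategory = 'Kerberos Authentication Service'; Success = 'enable';  Failure = 'enable'  }  # Kerberos TGT requests (on the DC)
    @{ Subcategory = 'User Account Management';         Success = 'enable';  Failure = 'enable'  }
    @{ Subcategory = 'Directory Service Access';        Success = 'enable';  Failure = 'enable'  }
)

# "auditpol /get /category:* /r" emits CSV; turn it into subcategory -> setting.
function Get-EffectiveAuditPolicy {
    $rows = auditpol /get /category:* /r | ConvertFrom-Csv
    $policy = @{}
    foreach ($row in $rows) { $policy[$row.Subcategory] = $row.'Inclusion Setting' }
    return $policy
}

# Keep a copy first; undo later with:  auditpol /restore /file:<path>
$backup = Join-Path $env:TEMP ('auditpol-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol /backup /file:$backup | Out-Null
"Previous audit policy saved to $backup"

$before = Get-EffectiveAuditPolicy
foreach ($w in $wanted) {
    '{0,-35} was: {1}' -f $w.Subcategory, $before[$w.Subcategory]
    auditpol /set /subcategory:"$($w.Subcategory)" /success:$($w.Success) /failure:$($w.Failure) | Out-Null
}

# Confirm what is now in force for the subcategories just changed.
$after = Get-EffectiveAuditPolicy
foreach ($w in $wanted) {
    '{0,-35} now: {1}' -f $w.Subcategory, $after[$w.Subcategory]
}

# More auditing means more events: raise the Security log maximum (256 MB here)
# so it does not wrap before anyone reads it, then print the new setting.
wevtutil sl Security /ms:268435456
wevtutil gl Security | Select-String 'maxSize'
```

If a setting reads the same "was" and "now" despite the script, a GPO is overriding it; run gpresult /h report.html and look at the Audit Policy section to find which one, then change it there.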
 
Thanks, I've switched a whole load on and I'll see what I get.

"In complete darkness we are all the same, only our knowledge and wisdom separates us, don't let your eyes deceive you."
 