Alonso said:
How to detect if computer has been turned on during weekend days and
accessed (unauthorized), when it should not be turned on?
The admin account is password protected, however it is possible to hack this via
booting Linux. Where to check Windows XP log files? Is it Event Viewer logs,
to run eventvwr?

Enable auditing on logon events.
You never mentioned WHICH edition of Windows XP that you have. Home
editions don't include the group policy editor (gpedit.msc). If you
have an edition OTHER than a Home edition then use gpedit to configure
the auditing policies.
- Load gpedit.msc.
- Go to the following tree node:
Computer Configuration
\__ Windows Settings
    \__ Security Settings
        \__ Local Policies
            \__ Audit Policy
That only tells you when there was a logon (or other auditable event).
That doesn't tell you WHO logged in (unless you establish SEPARATE
accounts for each user and you're sure they don't share logins). You
look in the Event Viewer to see the audit events.
While you're there in gpedit, you could go under the Security Options
tree node under the Interactive Logon settings to configure the login
message and logon title to warn users that their logons are being
recorded and will be reviewed. That might deter someone from an
unauthorized logon. Sneaks like to work in the dark and scurry away in
the light.
If this is within a domain, you can push logon/logoff scripts onto the
Windows accounts. These can run programs to record or take whatever
action you want. If not in a domain, you will have to manually assign
the batch file or program executable to the logon/logoff scripts for
each Windows account.
If running in a domain, you can push policies that restrict the logon
hours. See the following articles on managing logon restrictions:
http://support.microsoft.com/kb/816666
http://technet.microsoft.com/en-us/library/bb726988.aspx
http://technet.microsoft.com/en-us/library/cc766208(WS.10).aspx
http://www.ehow.com/how_8467159_set-restriction-hours-group-policy.html
If not in a domain but instead using workgroups, you have to use the
"net user" command. You run the command to put limits on accounts. See
http://www.techrepublic.com/blog/security/restrict-logon-access-with-this-command/281.
Of course, you could put the command in the logon/logoff scripts for
each Windows account to ensure they get run before and after any 'net'
commands that the user might run during their Windows session if, say,
they happen to be logging under an admin-level account (but then they
can modify account setup just like you).
You could put a web camera attached to the computer that sends its
images to another computer (so the perp can't erase on that host what's
already been sent to a different host). Obviously the software running
the snapshots or streamed video taken by the webcam has to load as a
service so it is running without requiring a login.
If your real intent is to restrict when users can access the Internet
(for all hosts under a router) then get a router that lets you define
usable hours.
If you leave the BIOS configured to allow other bootable devices to be
used to load an OS then that was your choice. If you only want the OS
loaded that's on a hard disk then stop allowing other boot devices to
load a different OS. Configure the BIOS to only allow booting from the
hard disk. If you allow booting another OS using other devices then
obviously Windows XP isn't booting and cannot record anything, could it?
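
An added example, not part of the original posts: once logon auditing is enabled, the System and Security logs can be saved from Event Viewer as CSV and screened for weekend boots and logons. The column order, the US date format and the sample rows below are assumptions constructed for illustration; event IDs 6005/6006 (System log) and 528 (Security log) are the Windows XP IDs for event log service start/stop and successful logon.

```python
import csv
import io
from datetime import datetime

# Windows XP event IDs: 6005/6006 in the System log mark the Event Log
# service starting/stopping (boot/shutdown); 528 in the Security log is a
# successful logon, recorded only when logon auditing is enabled.
EVENTS_OF_INTEREST = {6005: "boot", 6006: "shutdown", 528: "logon"}

# Constructed sample rows. Assumed column order of the CSV export:
# date, time, source, type, category, event ID, user, computer.
SAMPLE_EXPORT = """\
3/9/2012,5:58:12 PM,EventLog,Information,None,6006,N/A,OFFICE-PC
3/10/2012,2:14:03 PM,EventLog,Information,None,6005,N/A,OFFICE-PC
3/10/2012,2:15:40 PM,Security,Success Audit,Logon/Logoff,528,OFFICE-PC\\Administrator,OFFICE-PC
3/10/2012,2:16:02 PM,Service Control Manager,Information,None,7036,N/A,OFFICE-PC
3/12/2012,8:01:55 AM,EventLog,Information,None,6005,N/A,OFFICE-PC
3/12/2012,8:03:10 AM,Security,Success Audit,Logon/Logoff,528,OFFICE-PC\\jsmith,OFFICE-PC
not,a,valid,row
"""


def weekend_activity(export_text, date_format="%m/%d/%Y %I:%M:%S %p"):
    """Return ([(timestamp, kind, user), ...], skipped_row_count)."""
    hits, skipped = [], 0
    for row in csv.reader(io.StringIO(export_text)):
        try:
            when = datetime.strptime(f"{row[0]} {row[1]}", date_format)
            event_id, user = int(row[5]), row[6]
        except (ValueError, IndexError):
            skipped += 1  # header, truncated row, or wrong date_format
            continue
        kind = EVENTS_OF_INTEREST.get(event_id)
        if kind and when.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
            hits.append((when, kind, user))
    return hits, skipped


if __name__ == "__main__":
    hits, skipped = weekend_activity(SAMPLE_EXPORT)
    for when, kind, user in hits:
        print(f"{when:%a %Y-%m-%d %H:%M:%S}  {kind:8}  {user}")
    print(f"{skipped} row(s) could not be parsed")
```

A high skipped count usually means the export uses a different regional date format, so pass a matching `date_format` before trusting an empty result.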