Help with Security Audits

Guest

I have a Win2k terminal server with Citrix installed.
I have auditing set up on this server for successful and unsuccessful logon
events.
In my event viewer I have this:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 6/1/2005
Time: 6:36:40 AM
User: RMH\ecoombs
Computer: RMH-CITRIX-1
Description:
Successful Network Logon:
User Name: xxxxxxx
Domain: xxxxx
Logon ID: (0x0,0xE5CD350)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: xxxxxxxx
This user doesn't show a profile on the server, so I am wondering how to track
down what type of activity it was.
This user shouldn't be accessing this server.
Thanks in advance.
 
barry

WP said:
I have a Win2k terminal server with Citrix installed.
I have auditing set up on this server for successful and unsuccessful logon
events.
In my event viewer I have this:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 6/1/2005
Time: 6:36:40 AM
User: RMH\ecoombs
Computer: RMH-CITRIX-1
Description:
Successful Network Logon:
User Name: xxxxxxx
Domain: xxxxx
Logon ID: (0x0,0xE5CD350)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: xxxxxxxx
This user doesn't show a profile on the server, so I am wondering how to track
down what type of activity it was.
This user shouldn't be accessing this server.
Thanks in advance.

Logon type 3 is network logon.
 
Guest

Thanks barry,
however I did know that part.
What I need to find out is what kind of connection.
Was it someone making a connection to a share?
I have no shares on this server.
Does anyone know how I can get more detail from this event?
 
Steven L Umbach

Check to see if there is a local user account by that name on the server.
The command net users would be a quick way. For a domain computer, domain
accounts could also be used to attempt access. When you say profile I don't
know if you mean user account or user profile as the term seems to be
interchanged a lot. A profile will not be created until the user logs onto
the computer at the console or via TS. If that computer should not be
offering network shares then disable file and print sharing on it or modify
the user right "Access this computer from the network" to include only the
users/groups that should be accessing shares on the computer. It would also
be a good idea to have auditing of account management enabled to see if
unauthorized user accounts are being created/deleted. --- Steve
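
An added example, not part of any post in this thread: a short Python script that parses Security log events saved as text in the layout quoted above and counts type 3 (network) logons per account and source workstation, skipping accounts that are expected to connect. The account names, workstation names, domain and allowlist are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events, following the field layout of the event in the thread.
TEMPLATE = """Event Type: Success Audit
Event ID: 540
Date: 6/1/2005
Time: {time}
Description:
Successful Network Logon:
User Name: {user}
Domain: EXAMPLE
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: {wks}
"""
SAMPLE = "\n".join(TEMPLATE.format(time=t, user=u, wks=w) for t, u, w in [
    ("6:36:40 AM", "jdoe", "WKSTN-042"),
    ("6:41:02 AM", "jdoe", "WKSTN-042"),
    ("7:05:13 AM", "svc_backup", "BACKUP-01"),
])

def parse_events(text):
    """Split the exported text into one dict of 'Field: value' pairs per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(m.groups() for m in
                      re.finditer(r"(?m)^([A-Za-z ]+):[ \t]*(\S.*?)[ \t]*$", chunk))
        if fields:
            events.append(fields)
    return events

def unexpected_network_logons(events, allowed):
    """Count event 540 / logon type 3 per (account, workstation) not in `allowed`."""
    hits = Counter()
    for e in events:
        if e.get("Event ID") != "540" or e.get("Logon Type") != "3":
            continue
        account = f'{e.get("Domain", "?")}\\{e.get("User Name", "?")}'
        if account.lower() not in allowed:  # allowlist entries are lowercase
            hits[(account, e.get("Workstation Name", "?"))] += 1
    return hits

if __name__ == "__main__":
    allowed = {"example\\svc_backup"}  # hypothetical accounts expected to connect
    found = unexpected_network_logons(parse_events(SAMPLE), allowed)
    for (acct, wks), n in found.items():
        print(f"{n} network logon(s) by {acct} from {wks}")
```

The Workstation Name field is the part of the event that points back to the machine the connection came from; the event itself does not name the resource that was accessed.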
 
