RE: Security Logs



One thing about security auditing is that it does not lie. If it says a set
of credentials was used at a specific time, it was.

So, if the user isn't doing it, they must have their password stored
somewhere.
Check whether their password is stored in: Services, Persistent Mapped
Network Drives, Credential Manager (control keymgr.dll) and 3rd party
applications on the source workstation.

As for the user who does not work there anymore: why is his account still
enabled? Disable it. That might also shed some light on what is causing
those audits (i.e. saved credentials). One of your users may be unknowingly
using those credentials to access a resource because they are saved somewhere
on the system.
--
Brian Delaney, MCSE
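The checklist above, as an added example that is not part of Brian's reply: a PowerShell sweep of the three stores that can be enumerated (services, persistent mapped drives, Credential Manager) for one account. It assumes it is run in an elevated PowerShell on the source workstation from the 680 event (HDQORGL001 in the post) and that $Account holds the sAMAccountName from the "Logon account" field; the Add-Finding helper and the $Account default are my own.

```powershell
# Added example (not from the original post): look for a saved password for $Account
# in the places Brian lists. Assumes an elevated session on the source workstation.
param(
    [string]$Account = 'Michael.Jordan'   # assumption: the 'Logon account' from the 680 event
)

$pattern  = [regex]::Escape($Account)
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Location = $Location; Detail = $Detail })
}

# 1. Services: Win32_Service.StartName is the logon account ('EBC\Michael.Jordan'). The
#    Service Control Manager keeps that password and authenticates with it every time the
#    service starts or reconnects, whether or not anyone is sitting at the machine.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -match $pattern } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) [$($_.State)] runs as $($_.StartName)" }

# 2. Persistent mapped drives: one key per drive letter under HKCU\Network. A UserName
#    value means the mapping was made with explicit credentials that Windows replays at
#    logon. This only sees the profile of the user running the script; other users'
#    HKCU hives are separate.
Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
    $map = Get-ItemProperty -Path $_.PSPath
    if ($map.UserName -and $map.UserName -match $pattern) {
        Add-Finding 'MappedDrive' "$($_.PSChildName): -> $($map.RemotePath) as $($map.UserName)"
    }
}

# 3. Credential Manager (the same store 'control keymgr.dll' opens). 'cmdkey /list' prints
#    a 'Target:' line and, a few lines later, a 'User:' line for each saved credential.
$target = $null
foreach ($line in (cmdkey /list 2>$null)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        $target = $Matches[1]
    }
    elseif ($line -match '^\s*User:\s*(.+)$') {
        $user = $Matches[1]
        if ($user -match $pattern) { Add-Finding 'CredentialManager' "$target saved as $user" }
    }
}

# 4. Third-party applications keep credentials in their own formats, so there is no generic
#    enumeration; go through the installed software on the workstation by hand.

if ($findings.Count -eq 0) {
    "No saved credentials for '$Account' found in services, mapped drives or Credential Manager."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it as the user whose profile is on that workstation as well as elevated, since the HKCU\Network and cmdkey checks only see the current user's stores. A hit in any of these explains a 680 firing every minute: something on the workstation is re-authenticating with the saved password on a schedule, and removing or updating that entry stops the events.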


"one3cap" wrote:

Couple of questions:

1. I keep getting the same entry for one of my users in the security log:

Source: Security
Category: Account Logon
Event ID: 680
Type Success A
Computer: THE DC
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: Michael.Jordan
Source Workstation: HDQORGL001
Error Code: 0x0
Just about every minute this event occurs.

2. (This is at 5am; the user was not here and not logging on.)
The first event ID is the 576 at 5:00am, then event ID 540 at the same time, and these 2
IDs repeat themselves 4 times (so a total of 8 events); then the last 2
events are ID 538. I just don't know what these are. I did some searches and
couldn't really find anything. I have seen this same exact
sequence of events throughout the day even when the user is using the
computer and not logging off or anything. Any suggestions? Maybe a good site
dealing with security logs. I have even seen these same events for a user
that is no longer with the company.

-event id 576
Special privileges assigned to new logon:
User Name: Bill.Gates
Domain: EBC
Logon ID: (0x0,0x277FBFAF)
Privileges: SeChangeNotifyPrivilege

-event id 540
Successful Network Logon:
User Name: x.x
Domain: EBC
Logon ID: (0x0,0x277FBF9E)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {57d3e28b-fe63-ecaa-4cfe-fa7f1f512a9e}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.0.98
Source Port: 2749

-event id 538
User Logoff:
User Name: Bill.Gates
Domain: EBC
Logon ID: (0x0,0x277FBF9E)
Logon Type: 3
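The three event bodies quoted above, worked as an added example that is not part of one3cap's post: the field that ties a 540 logon, its 576 privilege assignment and the matching 538 logoff together is the Logon ID, so the way to read a burst like this is to parse the entries and group them by that value rather than by timestamp. $sample is constructed from the post's own event text; the function names are my own.

```powershell
# Added example (not from the original post): parse classic Security-log event text and
# group the entries by Logon ID. $sample is constructed from the events quoted in the post.
$sample = @'
-event id 576
Special privileges assigned to new logon:
User Name: Bill.Gates
Domain: EBC
Logon ID: (0x0,0x277FBFAF)
Privileges: SeChangeNotifyPrivilege

-event id 540
Successful Network Logon:
User Name: x.x
Domain: EBC
Logon ID: (0x0,0x277FBF9E)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {57d3e28b-fe63-ecaa-4cfe-fa7f1f512a9e}
Caller User Name: -
Source Network Address: 192.168.0.98
Source Port: 2749

-event id 538
User Logoff:
User Name: Bill.Gates
Domain: EBC
Logon ID: (0x0,0x277FBF9E)
Logon Type: 3
'@

function ConvertFrom-ClassicEventText {
    param([string]$Text)
    $events = @()
    # Each '-event id NNN' header starts one event; every 'Field: value' line below it
    # becomes a property (the descriptive first line, e.g. 'User Logoff:', gets an empty value).
    foreach ($chunk in ($Text -split '(?m)^-event id ')) {
        if (-not $chunk.Trim()) { continue }
        $lines = $chunk -split "`r?`n"
        $ev = [ordered]@{ EventId = [int]$lines[0].Trim() }
        foreach ($line in ($lines | Select-Object -Skip 1)) {
            if ($line -match '^([^:]+):\s*(.*)$') { $ev[$Matches[1].Trim()] = $Matches[2].Trim() }
        }
        $events += [pscustomobject]$ev
    }
    return $events
}

function Get-LogonSessions {
    param($Events)
    $sessions = [ordered]@{}
    foreach ($ev in ($Events | Where-Object { $_.'Logon ID' })) {
        $id = $ev.'Logon ID'
        if (-not $sessions.Contains($id)) {
            $sessions[$id] = [ordered]@{
                LogonId = $id; User = $null; LogonType = $null; Source = $null
                Privileges = $null; Logon = $false; Logoff = $false
            }
        }
        $s = $sessions[$id]
        if ($ev.'User Name') { $s.User = "$($ev.Domain)\$($ev.'User Name')" }
        switch ($ev.EventId) {
            540 { $s.Logon = $true; $s.LogonType = $ev.'Logon Type'; $s.Source = $ev.'Source Network Address' }
            576 { $s.Privileges = $ev.Privileges }
            538 { $s.Logoff = $true }
        }
    }
    $sessions.Values | ForEach-Object { [pscustomobject]$_ }
}

Get-LogonSessions (ConvertFrom-ClassicEventText $sample) | Format-Table -AutoSize
```

Grouped this way, the excerpt falls into two sessions: 0x277FBF9E has the 540 (logon type 3, Kerberos, from 192.168.0.98) and its 538 logoff, which is the normal open-and-close of a network connection to the DC, while 0x277FBFAF only has the 576 and its own 540 is not in the excerpt. The 576 and 540 that appear at the same second therefore belong to different sessions, which is why matching on Logon ID rather than on time is the right way to pair these up; the Source Network Address in the 540 is then the workstation to check for saved credentials, as the reply above describes.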
