Re: Security audit file shows users continually logging on and off





"EllEff" <EllEff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B83152B7-0F56-4887-AFB2-86C8444BAEC7@xxxxxxxxxxxxxxxx
Herb,
Thanks for the quick reply.

What worries me is that at all hours I am seeing users (at least their
machines) logging in and out of the server. This is not IUSR_machinename
for IIS, but just the standard everyday user.

Reading between the lines, it seems like this may not be a big deal? Over
the course of a month I'll see 20K entries in the audit file, and this is
for a small office of maybe 10 users.

2000 per user per month? Maybe 70 per day per user.

Doesn't sound terrible but it doesn't sound trivial either.

If users stay logged on forever, would the workstations "check in" with the
server periodically, or once they are authenticated and that's it and no
more checking in with the mother ship?

Usually -- they would get credentials and only renew them every 12 (or so)
hours.

Depends on how it is happening or what is causing it.

Would running Spybot Search & Destroy (or something else) on the server
help see if there is some internal attack happening?

I would run it -- I do -- but it would never have occurred to me to suggest
it for this specific problem.

I would be more interested in what was going on when these events were
recorded.

Sorry if I'm asking so many questions, just trying to learn.

No, and I may not be able to give you a definitive answer on something like
this either -- so we are just thinking "out loud" (or rather through news.)

Thanks for your help!

Lee

"Herb Martin" wrote:


"EllEff" <EllEff@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AAA5B9CA-0F2C-425A-84B3-506FE428F351@xxxxxxxxxxxxxxxx
Hi,
I'm new at this AD stuff so bear with me.

I noticed in the security log file that I have entries of users logging on
and off at all hours of the day and night. My security log file now has
over 20,000 entries. This does not seem correct to me. Or am I wrong? I am
now seeing the Administrator logging on and off as well and this troubles
me.

When the users go home at night they leave their workstations (XP Pro)
running and they don't log out. Is this some of the problem or is it
bigger than just this?

Might be a batch or TS automatic reconnection.

Might be as simple as a network problem causing them to re-authenticate
when they have trouble reconnecting automatically to some share or
something.

Is this a "regular user" or something like IUSR_machinename for IIS?

You say 20K entries -- over what period of time? If this is weeks' worth
then just clear (maybe archive first) the logs but if this is DAILY you
can't see the forest for the trees (true attacks on your network) so you
have to resolve it.

I consider it perfectly normal for users to stay logged on, forever.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
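
One way to see "what was going on when these events were recorded" is to break the logon events down by account, logon type and hour, so share reconnections, batch jobs and TS sessions separate out. This is an added example, not part of the original thread; the CSV export layout, account names and sample rows are constructed, and it assumes the Windows 2000/2003-era event IDs 528/540 (logon) and 538 (logoff).

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Logon type codes Windows records in logon events.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote-interactive"}
# Successful-logon event IDs on Windows 2000/2003-era servers; 538 is the logoff.
LOGON_EVENT_IDS = {528, 540}

# Constructed sample rows. The column layout (time, event id, account, logon
# type, source workstation) is an assumption about how the log was exported.
SAMPLE = """\
2006-03-01 02:14:07,540,OFFICE\\alice,3,WS-ALICE
2006-03-01 02:14:09,538,OFFICE\\alice,3,WS-ALICE
2006-03-01 02:44:11,540,OFFICE\\alice,3,WS-ALICE
2006-03-01 09:01:30,528,OFFICE\\bob,2,SERVER1
2006-03-01 09:05:02,540,OFFICE\\bob,3,WS-BOB
2006-03-01 23:40:55,528,OFFICE\\Administrator,10,WS-UNKNOWN
2006-03-02 03:00:00,528,OFFICE\\backup,4,SERVER1
"""

def summarize(text, work_start=8, work_end=18):
    """Count logons per (account, logon type) and list off-hours human sessions."""
    counts = Counter()
    review = []
    for ts, event_id, account, ltype, source in csv.reader(io.StringIO(text)):
        if int(event_id) not in LOGON_EVENT_IDS:
            continue  # skip logoffs and anything else in the export
        label = LOGON_TYPES.get(int(ltype), "type-" + ltype)
        counts[(account, label)] += 1
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        off_hours = not (work_start <= hour < work_end)
        # Network, batch and service logons at night are usually machines
        # re-authenticating; a console or TS session at night deserves a look.
        if off_hours and label in ("interactive", "remote-interactive"):
            review.append((ts, account, label, source))
    return counts, review

if __name__ == "__main__":
    counts, review = summarize(SAMPLE)
    for (account, label), n in counts.most_common():
        print(f"{n:4d}  {account:22s} {label}")
    for row in review:
        print("REVIEW:", *row)
```

A log dominated by "network" entries from each user's own workstation points at share or printer reconnections, while the short review list is where the Administrator entries should be checked first.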




