Re: Middle of night logins
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 9 Dec 2005 12:16:52 -0500
See if this helps: On the SBS, click Start -> Help and Support. Search
"audit logon events." Under the results in Help Topics, select the one
called "Audit logon events: Security Setting Descriptions." You should be
able to get some help in decoding the events you're seeing. I'm
particularly thinking of the "Logon type" info, which will tell you if the
logon was interactive (local), network, service, etc.
"David at Apex" <DavidatApex@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CD87AD98-7179-49D8-B510-02E203CA8D68@xxxxxxxxxxxxxxxx
> I have run the backup wizard, haven't configured it as robustly as would be
> preferable because of the tight start up budget of this company. I'd like to
> set up daily incrementals, weekly fulls, rotation and offsite storage, but
> with tight budget and limited technical knowledge on staff, it gets pushed to
> the back burner. I'm working on that.
>
> What other process could be causing these logins as they don't appear to me
> to be intrusion? ISA 04 was configured before this box went into production
> which I hope is doing its job. Any other ideas where these logins are coming
> from?
>
> Thanks for your help.
>
> "Dave Nickason [SBS MVP]" wrote:
>
>> Two things: if you're not running 3rd party backup software, it's not
>> backup that's causing the logins.
>>
>> More importantly, have you run the SBS backup wizard? If not, you really
>> need to do that. Exchange may very well not be backing up properly
>> otherwise. Configuring Exchange backup is one of the things done by that
>> wizard, so if you have not run it, I'd recommend doing so.
>>
>>
>> "David at Apex" <DavidatApex@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:FC2EE2BB-83FC-490B-AEAC-FAE5B608F30D@xxxxxxxxxxxxxxxx
>> > My backup is scheduled for weekend. I haven't configured any Exchange backup
>> > explicitly, does a backup run by default for Exchange out of the box? If so,
>> > that is probably what it is. I'll check out that angle further.
>> >
>> > Thanks for the reply.
>> >
>> > "Dave Nickason [SBS MVP]" wrote:
>> >
>> >> What's running on the server at that time of night? Backup? I use Arcserve
>> >> for brick level backup and I know that logs into the mailbox, but with the
>> >> Administrator account rather than a user account.
>> >>
>> >> I'd just look for anything that could be updating itself, any scheduled task
>> >> that runs in a user context, or anything else along those lines you can
>> >> think of.
>> >>
>> >> "David at Apex" <DavidatApex@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:892F5DC3-272E-481E-927D-962AF5443942@xxxxxxxxxxxxxxxx
>> >> > Hello,
>> >> >
>> >> > I am running SBS 03 SP1 with ISA 04 and have been seeing logon/logoff events
>> >> > in the wee hours of the night. There are only 3 users on this system and I
>> >> > know for sure that they are not logging on at 3am. I have enabled auditing
>> >> > on critical data and haven't seen anything strange. ISA is not throwing up
>> >> > any alerts. I have enforced strong passwords and recently forced users to
>> >> > change them after seeing these events. The logon and logoffs occur within
>> >> > about a minute of each other and all 3 users logon/logoff.
>> >> >
>> >> > Is this normal behavior as I am not seeing anything that indicates hacking?
>> >> > If not, any advice as to how to figure out where these are coming from?
>> >> >
>> >> > Thanks.
>> >>
>> >>
>> >>
>>
>>
>>
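
The triage suggested in the reply at the top of this message (read the "Logon type" on each event), as an added example that is not part of the original thread. It pairs logons with logoffs by logon ID and lists the off-hours sessions with their decoded type. Event IDs 528/540 (logon) and 538 (logoff) are the Server 2003 Security log IDs; the CSV layout, user names and host names are constructed for illustration.

```python
import csv, io
from datetime import datetime

# Logon type codes recorded in Windows logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
LOGON_IDS = {528, 540}   # Server 2003: successful logon / network logon
LOGOFF_ID = 538          # Server 2003: user logoff

# Constructed sample export (hypothetical column layout, not real log data).
SAMPLE = """time,event_id,user,logon_type,logon_id,source
2005-12-09 03:00:12,540,alice,3,0x1A2B,WKSTN01
2005-12-09 03:00:58,538,alice,3,0x1A2B,
2005-12-09 03:01:05,540,bob,3,0x1A9C,WKSTN01
2005-12-09 03:01:40,538,bob,3,0x1A9C,
2005-12-09 09:02:11,528,alice,2,0x2F00,SERVER
2005-12-09 03:05:00,528,carol,10,0x1B00,WKSTN09
"""

def _summary(row, began, seconds):
    code = int(row["logon_type"])
    return {"time": began, "user": row["user"], "source": row["source"],
            "type": LOGON_TYPES.get(code, f"Unknown({code})"), "seconds": seconds}

def off_hours_sessions(text, start_hour=0, end_hour=5):
    """Pair logon/logoff events by logon ID; return sessions begun off-hours."""
    opened, sessions = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        eid = int(row["event_id"])
        if eid in LOGON_IDS:
            opened[row["logon_id"]] = (when, row)
        elif eid == LOGOFF_ID and row["logon_id"] in opened:
            began, first = opened.pop(row["logon_id"])
            length = int((when - began).total_seconds())
            sessions.append(_summary(first, began, length))
    # Logons with no matching logoff are still reported, duration unknown.
    sessions += [_summary(r, t, None) for t, r in opened.values()]
    return [s for s in sessions if start_hour <= s["time"].hour < end_hour]

def by_type(sessions):
    counts = {}
    for s in sessions:
        counts[s["type"]] = counts.get(s["type"], 0) + 1
    return counts

if __name__ == "__main__":
    for s in off_hours_sessions(SAMPLE):
        print(s["time"], s["user"], s["type"], s["source"], s["seconds"])
```

Short Network (type 3) sessions from one machine point at something reaching the server on the users' behalf, while Interactive or RemoteInteractive sessions at 3am deserve a closer look at the source host.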