Re: Watching event logs for workstation/user logons
- From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 23 May 2006 16:47:17 -0400
In news:23028425-1F25-4806-A0F0-49D74E8D2C88@xxxxxxxxxxxxx,
Mark <fastzrex@xxxxxxxxxxxxxxxx> typed:
> Hello! Not being an event log expert, I need some advice on what to be
> concerned about regarding workstation/user account logon and
> logon/logoff in the Security logs.
> I suspect, after reviewing my Security Logs on my SBS2003 server,
> that there is a compromised user account.
What makes you think so? Is there anything funky going on on your
server/network?
> I see what I would call
> suspicious activity between midnight and 6 AM, with user
> logons/logoffs, etc.
What accounts? Those of your actual users? Might they be using RWW at the
time?
> I have several users who leave their
> workstations on all night,
....but logged out, right?
> while they are not in the facility, but
> may access via RWW.
> Are there whitepapers which help a novice make sense of what is
> 'normal' and 'abnormal' activity in the security logs concerning
> 'Account Logon' and 'Logon/Logoff'?
Do you see any failures, or only successes?
> I am also seeing some
> Login/Logoff for the user IUSR_ServerName in the early hours, and not
> sure if this is to be expected and normal. Any suggestions from
> personal experience?
That's used for IIS - so this could be OWA, could be RWW, whatnot. Probably
also for internal purposes.
> I understand how to use the filter capabilities of the Event Logs to
> home in on specific events, but I need to know what to expect to find.
> Thanks for the help!
I guess I'd have to ask first what you're suspicious *of*.... you can crank
up auditing on all sorts of things if you want to pore through the logs, but
it helps if you know what you're looking for (privilege escalation, etc).
Otherwise you will be facing a huge task of reviewing and filtering it all.
Important questions might include:
Are all your servers/clients fully patched? Do you have a good complex
password policy in place (8-char minimum)? Force regular changes? A good
firewall appliance and/or ISA? What's open inbound from the Internet? What
antivirus software are you running? (And so on and so forth.)
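The reply above boils down to: decide what you are looking for, then filter for it rather than reading every record. The script below is an added example of that triage, not code from either poster. It takes a Security log export from a Windows Server 2003 box and flags the things a reviewer in this thread would actually want surfaced: bursts of failed logons per account, a success that follows a run of failures, and successful logons in the midnight-to-6 AM window, split by logon type so an interactive or Terminal Services logon is ranked above a plain network logon (OWA, RWW, file access). IIS accounts (IUSR_*, IWAM_*) and machine accounts (trailing $) are treated as expected noise, which matches the reply's point about IUSR_ServerName. The CSV rows are constructed for illustration; a real Event Viewer export does not carry the logon type as a column, so the example assumes you have already pulled it out of the event description. The thresholds, the off-hours window and the service-account prefixes are assumptions to tune per site.

```python
"""Off-hours logon triage over a Windows Server 2003 Security log export.

Added example; constructed data; not the thread's own code.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import csv
import io

# Server 2003 event IDs from the Logon/Logoff and Account Logon categories.
SUCCESS_LOGON = {528, 540}                     # 528 logon, 540 network logon
FAILED_LOGON = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
FAILED_ACCOUNT_LOGON = {675, 676}              # Kerberos pre-auth / TGT failures
LOGOFF = {538, 551}

LOGON_TYPE_NAMES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
                    7: "unlock", 8: "network-cleartext", 9: "new-credentials",
                    10: "remote-interactive", 11: "cached-interactive"}
INTERACTIVE_TYPES = {2, 10}   # console or Terminal Services / RDP sessions

# Assumptions: tune these per site.
OFF_HOURS = (0, 6)                        # 00:00 to 05:59, the window in the thread
BURST_COUNT = 5                           # failures within BURST_WINDOW -> guessing
BURST_WINDOW = timedelta(minutes=10)
SERVICE_PREFIXES = ("IUSR_", "IWAM_")     # IIS anonymous / out-of-process accounts

# Constructed sample export (hypothetical host SBS01 and users).
SAMPLE_CSV = """time,audit,event_id,account,logon_type,workstation
2006-05-22 01:12:03,Success,540,IUSR_SBS01,3,SBS01
2006-05-22 02:03:10,Failure,529,jsmith,10,WS-EXT
2006-05-22 02:03:25,Failure,529,jsmith,10,WS-EXT
2006-05-22 02:03:40,Failure,529,jsmith,10,WS-EXT
2006-05-22 02:04:01,Failure,529,jsmith,10,WS-EXT
2006-05-22 02:04:20,Failure,529,jsmith,10,WS-EXT
2006-05-22 02:05:00,Success,528,jsmith,10,WS-EXT
2006-05-22 03:30:00,Success,540,SBS01$,3,SBS01
2006-05-22 04:10:00,Success,540,tlee,3,WS-TLEE
2006-05-22 04:11:00,Success,538,tlee,3,WS-TLEE
2006-05-22 09:15:00,Success,528,mjones,2,WS-MJONES
"""


def is_service_account(name):
    """IIS and machine accounts log on around the clock by design."""
    return name.upper().startswith(SERVICE_PREFIXES) or name.endswith("$")


def is_off_hours(ts):
    return OFF_HOURS[0] <= ts.hour < OFF_HOURS[1]


def parse_events(text):
    """Parse the export into dicts, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({"time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
                       "audit": row["audit"], "event_id": int(row["event_id"]),
                       "account": row["account"], "logon_type": int(row["logon_type"]),
                       "workstation": row["workstation"]})
    return sorted(events, key=lambda e: e["time"])


def summarize(events):
    """Per-account counts: the first filter a reviewer reaches for."""
    counts = defaultdict(Counter)
    for e in events:
        eid = e["event_id"]
        if e["audit"] == "Failure" or eid in FAILED_LOGON | FAILED_ACCOUNT_LOGON:
            counts[e["account"]]["failure"] += 1
        elif eid in LOGOFF:
            counts[e["account"]]["logoff"] += 1
        elif eid in SUCCESS_LOGON:
            counts[e["account"]]["success"] += 1
    return counts


def triage(events):
    """Return findings worth a human's attention, in time order."""
    findings = []
    failures = defaultdict(list)   # account -> failure timestamps in window
    burst_reported = set()
    for e in events:
        acct, eid, ts = e["account"], e["event_id"], e["time"]
        if e["audit"] == "Failure" or eid in FAILED_LOGON | FAILED_ACCOUNT_LOGON:
            window = [t for t in failures[acct] if ts - t <= BURST_WINDOW] + [ts]
            failures[acct] = window
            if len(window) >= BURST_COUNT and acct not in burst_reported:
                burst_reported.add(acct)
                findings.append({"kind": "password_guessing", "account": acct, "time": ts,
                                 "detail": "%d failures within %s from %s"
                                 % (len(window), BURST_WINDOW, e["workstation"])})
            continue
        if eid not in SUCCESS_LOGON:
            continue                      # logoffs and other successes are noise here
        recent = [t for t in failures[acct] if ts - t <= BURST_WINDOW]
        if recent:
            findings.append({"kind": "success_after_failures", "account": acct, "time": ts,
                             "detail": "success after %d failures" % len(recent)})
            failures[acct] = []
        if is_off_hours(ts) and not is_service_account(acct):
            lt = e["logon_type"]
            kind = "offhours_interactive" if lt in INTERACTIVE_TYPES else "offhours_network"
            findings.append({"kind": kind, "account": acct, "time": ts,
                             "detail": "logon type %d (%s) from %s"
                             % (lt, LOGON_TYPE_NAMES.get(lt, "unknown"), e["workstation"])})
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for acct, c in sorted(summarize(evs).items()):
        print("%-12s %s" % (acct, dict(c)))
    for f in triage(evs):
        print(f["time"], f["kind"], f["account"], f["detail"])
```

The point of ranking by logon type is that the thread's ambiguity (users logged out but reachable via RWW) resolves differently per type: an off-hours network logon from a known user is consistent with OWA or RWW, whereas an off-hours interactive or Terminal Services logon, especially right after a run of 529s from an unfamiliar workstation, is the pattern that deserves the password reset and the firewall review the reply asks about.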