Security Basics mailing list archives

RE: TR : event viewer log How to get more information


From: "Maksoudian, Gary" <gary.maksoudian () thermo com>
Date: Mon, 7 Apr 2003 11:12:12 -0400

Can't you just disable this ffournXXX account, or change the password?

Gary Maksoudian
Thermo Electron Corporation
905.332.2000 ext. 238
 

-----Original Message-----
From: "Héroux, Christian" [mailto:Christian.Heroux () etsmtl ca] 
Sent: April 4, 2003 12:15 PM
To: security-basics () securityfocus com
Subject: TR : event viewer log How to get more information

Hello all!
        I hope you can help me! There are many event logs like these on
a user's Windows XP workstation. Someone logged into his station? Right? How
can I get more info to troubleshoot? Nobody is allowed on this user's station.
We don't have much info to find out what's wrong. Is it a process, which
PC... Do you have any tool that could log more detail?

Christian H.


Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           540
Date:                2003-04-02
Time:                10:19:02
User:                XXX\ffournXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       ffournXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x1BA8FD3)
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NTLM
            Workstation Name:        GPA_024824
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
 
 
 
Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           540
Date:                2003-04-03
Time:                09:40:15
User:                XXX\rmaraXXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       rmaranXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x586DD0)
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NTLM
            Workstation Name:        GPA_026195
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
 
 
Event Type:       Failure Audit
Event Source:    Security
Event Category: Logon/Logoff 
Event ID:           529
Date:                2003-04-04
Time:                02:33:06
User:                NT AUTHORITY\SYSTEM
Computer:         BISMARCK
Description:
Logon Failure:
            Reason:                        Unknown user name or bad password
            User Name:       Administrator
            Domain:                        PERF-1
            Logon Type:      3
            Logon Process: NtLmSsp 
            Authentication Package: NWV1_0
            Workstation Name:        PERF-1
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
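
Added example, not part of the original thread: a small Python parser for Event Viewer text in the layout quoted above, which tallies Logon Type 3 (network) logons by the Workstation Name and User Name fields so the originating machines stand out. The sample records and their host and account names are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")  # "Key:   value" lines

def parse_events(text):
    """Split Event Viewer text into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":   # each record starts here
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def network_logons_by_source(events):
    """Count type 3 logons per (workstation, account, outcome)."""
    # Event IDs as they appear in the quoted log: 540 success, 529 failure.
    outcome = {"540": "success", "529": "failure"}
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") in outcome and ev.get("Logon Type") == "3":
            counts[(ev.get("Workstation Name"), ev.get("User Name"),
                    outcome[ev["Event ID"]])] += 1
    return counts

# Constructed sample in the same layout as the post (placeholder names).
SAMPLE = """\
Event Type:       Success Audit
Event ID:           540
            User Name:       userone
            Logon Type:      3
            Workstation Name:        WS-0001
Event Type:       Success Audit
Event ID:           540
            User Name:       userone
            Logon Type:      3
            Workstation Name:        WS-0001
Event Type:       Failure Audit
Event ID:           529
            User Name:       Administrator
            Logon Type:      3
            Workstation Name:        WS-0002
"""

if __name__ == "__main__":
    for key, n in sorted(network_logons_by_source(parse_events(SAMPLE)).items()):
        print(n, *key)
```

The Workstation Name field is the name supplied by the connecting machine, so a tally like this points at which hosts to examine next.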

 
