Security Basics mailing list archives

RE: TR : event viewer log How to get more information


From: "John Warnas/HintTech B.V." <john.warnas () hinttech com>
Date: Tue, 8 Apr 2003 09:43:51 +0200

Well, all I can see in the last event is that somebody tried to log in on this
station. Have you checked the user rights on this station? Are there any
guest accounts?

Regards

John Warnas

---
HintTech B.V.; Kluyverweg 2a
2629 HT Delft; T +31(0)15-268 25 73
F +31(0)15-268 25 67; GSM +31(0)6-21 8584 34
---


-----Original message-----
From: Héroux, Christian [mailto:Christian.Heroux () etsmtl ca]
Sent: Friday, 4 April 2003 19:15
To: security-basics () securityfocus com
Subject: TR : event viewer log How to get more information


Hello all!
        I hope you can help me! There are many event logs like these on a user's
Windows XP workstation. Someone logged into his station? Right? How can I
get more info to troubleshoot? Nobody is allowed in this user station. We
don't have much info to find out what's wrong. Is it a process, which PC... Do
you have any tool that could log more detail?

Christian H.


Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff
Event ID:           540
Date:                2003-04-02
Time:                10:19:02
User:                XXX\ffournXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       ffournXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x1BA8FD3)
            Logon Type:      3
            Logon Process: NtLmSsp
            Authentication Package: NTLM
            Workstation Name:        GPA_024824
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
 
 
 
Event Type:       Success Audit
Event Source:    Security
Event Category: Logon/Logoff
Event ID:           540
Date:                2003-04-03
Time:                09:40:15
User:                XXX\rmaraXXXX
Computer:         BISMARCK
Description:
Successful Network Logon:
            User Name:       rmaranXXX
            Domain:                        XXX
            Logon ID:                      (0x0,0x586DD0)
            Logon Type:      3
            Logon Process: NtLmSsp
            Authentication Package: NTLM
            Workstation Name:        GPA_026195
            Logon GUID:      {00000000-0000-0000-0000-000000000000}
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
 
 
 
Event Type:       Failure Audit
Event Source:    Security
Event Category: Logon/Logoff
Event ID:           529
Date:                2003-04-04
Time:                02:33:06
User:                NT AUTHORITY\SYSTEM
Computer:         BISMARCK
Description:
Logon Failure:
            Reason:                        Unknown user name or bad password
            User Name:       Administrator
            Domain:                        PERF-1
            Logon Type:      3
            Logon Process: NtLmSsp
            Authentication Package: NWV1_0
            Workstation Name:        PERF-1
 
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
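
Added example, not part of the original messages: the Workstation Name field in each quoted record is the client-reported name of the machine the network logon came from, so grouping the records by it addresses the "which PC" question. The function names are this example's own, and the sample text is a shortened copy of the three records quoted above.

```python
import re
from collections import defaultdict
# Shortened copies of the three records quoted in the message above.
SAMPLE = """\
Event Type:       Success Audit
Event ID:           540
            User Name:       ffournXXX
            Domain:                        XXX
            Workstation Name:        GPA_024824
Event Type:       Success Audit
Event ID:           540
            User Name:       rmaranXXX
            Domain:                        XXX
            Workstation Name:        GPA_026195
Event Type:       Failure Audit
Event ID:           529
            User Name:       Administrator
            Domain:                        PERF-1
            Workstation Name:        PERF-1
"""
# "Key:   value" lines; headings with no value ("Description:") do not match.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(\S.*?)\s*$")

def parse_events(text):
    """Split Event Viewer text into one dict of fields per record."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and headings without a value
        key, value = m.groups()
        if key == "Event Type":
            events.append({})  # every record starts with this field
        if events:
            events[-1][key] = value
    return events

def by_source(events):
    """Group logon records by the client-reported Workstation Name."""
    summary = defaultdict(lambda: {"success": set(), "failure": set()})
    for ev in events:
        outcome = "failure" if ev["Event Type"].startswith("Failure") else "success"
        account = ev.get("Domain", "?") + "\\" + ev.get("User Name", "?")
        summary[ev.get("Workstation Name", "?")][outcome].add(account)
    return dict(summary)

if __name__ == "__main__":
    for host, seen in sorted(by_source(parse_events(SAMPLE)).items()):
        print(host, "ok:", sorted(seen["success"]), "failed:", sorted(seen["failure"]))
```

The Workstation Name is supplied by the connecting client, so treat it as a lead to check against other records rather than as proof of origin.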

 
