Need to determine the computer a user account is coming from

Viewing 18 reply threads
  • Author
    Posts
    • #4741
      JerichoJones
      Participant

      We use some shared accounts (Yes I know it’s bad, I am not allowed to change it.) Someone using the shared account is deleting data on a remote server so I need to figure out what computer they are using when they delete the file.

      We have an Active Directory domain.
      All PCs run Windows (2000/XP/Win7) and are domain members.

      I have turned on auditing and can see the account deleting the file but I don’t know of any way to get the computer account as well.

      Can it be done?

    • #29603
      CadillacGolfer
      Participant
    • #29604
      JerichoJones
      Participant

      Thanks for the link. It was informative.

      If I read this correctly I am still at square #1.Β  πŸ™

      Fron the Article:
      To recap just for a moment, when Fred logs on at his workstation for the
      first time that day, the domain controller that handles that logon will log
      event ID 672, closely followed by an event ID 673 where the Service
      Name corresponds to the computer name of Fred’s workstation.

      The key statement which seems to get glossed over is “closely followed by”. If you have many users authenticating at or near the same time the “closely followed by” is kinda useless.

      I can the username and ip from the security log but there is no way to tie them together conclusively.

      Maybe I am missing something?

    • #29605
      zeroflaw
      Participant

      Ah Active Directories..been ages for me. Can’t you just resolve the host name of the machine by pinging the local IP address. I mean, if you have the local IP that should be enough to figure out where it’s coming from.

      Well at college we have stickers with the computer names on the machines. I believe pinging the local IP with option ‘-a’ was enough to make the host name appear. Then it was really simple to figure out who did what on which machine πŸ˜›

    • #29606
      unsupported
      Participant

      @JerichoJones wrote:

      I can the username and ip from the security log but there is no way to tie them together conclusively.

      To see if the computer is logged on:
      nbtstat -a

      To find the users name, based solely on his username, then look at your local connection cache:
      net send “
      nbtstat -c

    • #29607
      BillV
      Participant

      @unsupported wrote:

      nbtstat -a

      -A

      πŸ˜‰

    • #29608
      unsupported
      Participant

      @BillV wrote:

      @unsupported wrote:

      nbtstat -a

      -A

      πŸ˜‰

      Tomato, tomatoe… :pΒ  Thanks for the catch.

    • #29609
      JerichoJones
      Participant

      All this would be fine but I am talking about a shared account.

    • #29610
      zeroflaw
      Participant

      Sorry, I don’t get it. I thought you meant shared as in multiple people can log in with the same account. So you get the IP from the machine that’s used to log in. How would you be able to figure out who’s sitting at the machine? I don’t think you can, unless you’re able to find out who used the machine at a specific time.

      You asked how to figure out which machine is being used when they delete the file.

    • #29611
      CadillacGolfer
      Participant

      I agree with ZeroFlaw, your orignal question was which computer this was coming from.Β  You now have an IP address and should be able to track it down.Β  Your audting should show when the file is deleted and which machines had logegd in using that username, then do process of elimination

    • #29612
      unsupported
      Participant

      Dust for finger prints, setup a video camera, or more serious suggestions would be to setup a key logger or review web proxy logs to see where the logged on user may have gone.

    • #29613
      rattis
      Participant

      @JerichoJones wrote:

      All this would be fine but I am talking about a shared account.

      We used to have shared accounts, but when we started getting viruses (and having to waste time cleaning the boxes), and people surfing porn with them, they didn’t last much longer. Prior to that, it was a huge fight with the company about the accounts.

    • #29614
      JerichoJones
      Participant

      Yes I am talking about a user account shared among several people.

      The crux of the issue is:

      Nothing in the event log ties a user to a computer. If I have the Same ID logging on at the same time there is no way (that I see) to tie them together conclusively.

      The computer and user both authenticate but these are seperate entries in the event log with nothing tying them together.

    • #29615
      UNIX
      Participant

      If the scenario is that many different persons use the same user account on a computer, then there should be hardly a possibility to determine which person is at the moment using the account. One solution would be a webcam which is enabled or some sort of spy cam. If you know each person very well you could analyze logs and look for visited websites etc. as you could maybe match it to a certain person.

    • #29616
      JerichoJones
      Participant

      These are students so WebCams are not an option.

      I think I may have to look at sniffing. Bummer. I don’t know squat about that.

    • #29617
      zeroflaw
      Participant

      @JerichoJones wrote:

      I can the username and ip from the security log but there is no way to tie them together conclusively.

      @JerichoJones wrote:

      The crux of the issue is:

      Nothing in the event log ties a user to a computer. If I have the Same ID logging on at the same time there is no way (that I see) to tie them together conclusively.

      You can get the user name and IP from the logs. You can tie the IP to a certain computer. Then you know the computer and user that were used to delete the files on the server. You won’t see that in the logs (as you said), but you can tie them together using the commands that were mentioned earlier in this thread. You still won’t be able to see who actually did it though.

      Maybe you can somehow monitor network activity and see who’s doing it. But you would have to come up with something to capture the event and make some kind of alarm go off, then quickly check who’s at the computer. This means you would have to catch the guy in the act.

      I would just permanently ban shared accounts. You won’t catch the guy responsible, but you will prevent this from happening again. I know you said you’re not allowed to change it, but still.

    • #29618
      unsupported
      Participant

      @awesec wrote:

      If the scenario is that many different persons use the same user account on a computer, then there should be hardly a possibility to determine which person is at the moment using the account. One solution would be a webcam which is enabled or some sort of spy cam. If you know each person very well you could analyze logs and look for visited websites etc. as you could maybe match it to a certain person.

      Wow, those are all good suggestions!Β  I wish I would have thought about that. πŸ™‚ πŸ™‚ πŸ™‚ πŸ™‚ πŸ™‚ (I’m just teasing you)

    • #29619
      Ketchup
      Participant

      I just ran a small experiment, and the IP or Computer Name did NOT appear in my Object Access audit logs.Β  Only the user name was available.Β 

      Here is what I would do:

      1.Β  Make a business case why shared user accounts are ridiculous.

      2.Β  If you fail at number 1, deploy some sort of host-based IDS to monitor sensitive directories.Β  (Tripwire, GFI, etc).

      3.Β  Write something yourself.

    • #29620
      UNIX
      Participant

      @unsupported wrote:

      Wow, those are all good suggestions! Β I wish I would have thought about that. πŸ™‚ πŸ™‚ πŸ™‚ πŸ™‚ πŸ™‚ (I’m just teasing you)

      Seems I should have read again the already given answers and not only read it once at the very beginning. :-X

Viewing 18 reply threads
  • You must be logged in to reply to this topic.

Copyright Β©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?