Logging user login attempts

Asha'man X

Hey everyone.

I've run into a rather interesting problem. I was asked to start logging user logins on the school network, as there was a recent breach by a student who got hold of exam papers and memos.

Our network is Windows XP based, with a Windows 2003 server in a domain.

I've used group policy to set up so that user logons and logoffs are recorded, but it appears to work at the workstation level only. We would like those records to display on the server instead, so that we can see who logged on where and when.

Could I be missing a setting in group policy somewhere? The setting I enabled was under Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy.

I'd greatly appreciate any help please.

Thanks :)
 
Yep, should work. Where are you applying this policy? Top level or OU based? You would need to enable this on the DC as well.

http://technet.microsoft.com/en-us/library/cc787567.aspx

http://technet.microsoft.com/en-us/library/cc787268.aspx

Curious, how did the student gain access? Which account was used? Is a lockout set on a certain number of invalid login attempts?
 
Do you force password length and content? Do you force periodic password changes?

These are a couple of things which will help enforce security. Unfortunately, with higher levels of security, come higher levels of administration.
 
Good luck with playing policeman. (I hate doing that)

You can also look at the event log on the server (in the security log IIRC) - this will also show user logon/authentication/logoff events, but is very sparse.

Enforced periodic password changes do sound good and help to an extent, but if you get an id10t who keeps on forgetting his/her/its password, then you'll have some issues with that...
 
Thanks for the replies everyone, most appreciated.

I'm not sure how exactly the student got hold of papers, if they actually did. All the school's investigations by principal and so on turned up nothing as far as I'm aware. If the student did get hold of it, it's most likely due to a staff member staying logged on somewhere, or telling the student their password.

I had enforced the policy of periodic password changes at one point, with a fairly spaced out number of days, but management ordered me to take it off as people hated being forced to change passwords. I protested and warned them, but they didn't listen. Now it seems they will want it for next year, but that is a job for the new IT admin to handle.

Thanks for the links AvOk, I'm checking them out now. That should give me the info I need so that I can get the login results displayed on the server. I will also experiment in some virtual machines.
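
An added example, not part of any post in this thread: with "Audit account logon events" enabled on a Windows Server 2003 DC, its Security log records events such as 672 (Kerberos ticket granted) and 675 (pre-authentication failed) for domain logons. The Python below turns an export of those events into "who logged on from where and when" and flags repeated failures and accounts used from several machines. The CSV layout, column names, threshold and all sample values are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Windows Server 2003 account logon event IDs, written to the DC's Security log.
TGT_GRANTED = "672"     # Kerberos authentication ticket issued (logon succeeded)
PREAUTH_FAILED = "675"  # Kerberos pre-authentication failed (typically bad password)

# Constructed sample: a hypothetical CSV export of the DC Security log.
# The column names and every value below are invented for this example.
SAMPLE_EXPORT = """\
time,event_id,user,client_address
2009-11-02 07:41:10,672,teacher1,10.0.0.21
2009-11-02 07:42:03,672,LAB1-PC04$,10.0.0.54
2009-11-02 10:15:44,675,teacher2,10.0.0.54
2009-11-02 10:15:51,675,teacher2,10.0.0.54
2009-11-02 10:16:02,675,Teacher2,10.0.0.55
2009-11-02 10:16:30,672,teacher2,10.0.0.55
2009-11-02 13:05:19,672,teacher1,10.0.0.54
2009-11-02 13:20:00,675,learner9,10.0.0.60
"""

def parse(export_text):
    """Read the export and drop computer accounts (names ending in '$')."""
    rows = csv.DictReader(io.StringIO(export_text))
    return [r for r in rows if not r["user"].endswith("$")]

def logons_by_user(rows):
    """Map user -> [(time, client address)] for successful domain logons."""
    out = defaultdict(list)
    for r in rows:
        if r["event_id"] == TGT_GRANTED:
            out[r["user"].lower()].append((r["time"], r["client_address"]))
    return dict(out)

def repeated_failures(rows, threshold=3):
    """Users with at least `threshold` failed attempts, and where they came from."""
    fails = defaultdict(list)
    for r in rows:
        if r["event_id"] == PREAUTH_FAILED:
            fails[r["user"].lower()].append(r["client_address"])
    return {u: sorted(set(a)) for u, a in fails.items() if len(a) >= threshold}

def multi_station_users(rows):
    """Users who logged on from more than one address (shared or left-open account)."""
    seen = {u: sorted({a for _, a in v}) for u, v in logons_by_user(rows).items()}
    return {u: addrs for u, addrs in seen.items() if len(addrs) > 1}
```
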
 