security auditing

battletoad

I have a lab which caters to about 20 people with only 12 computers, so some people have to share computers.

I've set up the systems to support concurrent logins in XP (to be used for remote desktop). Also, I've added security auditing to Event Viewer so that I may view [un]successful login attempts.

Now I haven't seen anything in Event Viewer that supplies the IPs or MACs of the computers which initiate connections to the target PC. Is there a setting which I can enable to provide me with this information?

Also, is it possible to have a batch file which can send emails (of login attempts) to my admin account (I'd set it as a startup app)? Or are there functions in command prompt (such as CURRENT TIME, TARGET IP/MAC, etc.) that I may use (then I'd set up some file sharing on my computer to do everything)? I've gone through the NET function, but no luck yet.

Jsuk, running vanilla XP SP3.
 
From memory, if you open the logon event and scroll down you will see the IP (in a type 3 event, which is a remote logon).

Be aware the security logs fill up quickly like this, and eventually the user gets a message that they can't log on anymore and to contact an admin to log in and clear the security log. So increase the log file size or clear them periodically (script, whatever).
 
Wrote an app in C, more or less fixed up this issue. Only problem is it writes to a shared network drive, so if the user is clever enough to decompile the app he/she may modify logs. More reading to do to stop that!

Will have a look at that link when I'm in the office tomorrow, thanks a billion!
 