need to audit server

whutsupdoc

Master of my Domain
#1
One of my employees changed the DATE/TIME on my server (remotely via terminal server)... how do I detect who did it???

I checked the event viewer, but there is no indicator as to the person accessing control panel to change the time/date.

How do I prevent this from happening again :confused: :eek:
 
aviator

New Member
#2
Normally Administrative tools, Event Viewer, Security would post a success audit event as follows, which should give you a clue.

Process ID: 1256
Process Name: C:\WINDOWS\system32\rundll32.exe
Primary User Name: W&P
Primary Domain: WS2
Primary Logon ID: (0x0,0x104D8)
Client User Name: W&P
Client Domain: WS2
Client Logon ID: (0x0,0x104D8)
Previous Time: 17:15:17 13/04/2010
New Time: 17:15:17 13/04/2010


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Regards
 
whutsupdoc

Master of my Domain
#3
It was one of 2 people and they fessed up after I asked... said they were trying to pre-date an entry into the system.... hmmmmm

How do I prevent terminal server individuals from accessing the control panel and start button on the [email protected]!!!!
 
Midknyte

Caffeine Fiend
#4
Did you give them remote administration rights? If that's the case, then they'll have free range over the system. Unless you purchased a TS license on the server, remote admin is the only built-in RDP available.
 
Bink

Will moderate for food
#5
You shouldn't need to prevent access to things like the Start button or Control Panel (after all, there are plenty of ways around that restriction).

By default, only Admins can change system time. The setting is in Group Policy in User Rights Assignment. I don't have Terminal Server, so I can't give you the exact details.
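
The two checks this thread points to, as an added example that is not from any poster: read which accounts hold the "Change the system time" right (SeSystemtimePrivilege) and list logged time changes with the account behind each. It assumes an elevated PowerShell 3.0+ prompt and event ID 4616 (Windows Server 2008 and later); Server 2003-era systems record the same event as ID 520.

```powershell
# Added example, run elevated. Assumption: the host logs time changes as
# event ID 4616 (Server 2008+); on Server 2003-era hosts the ID is 520.

# 1. Who holds "Change the system time" (SeSystemtimePrivilege)?
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeSystemtimePrivilege\s*=' |
    Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) {
            # secedit writes SIDs as *S-1-5-32-544; translate to a name
            $sid = New-Object System.Security.Principal.SecurityIdentifier(
                $entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # SID with no resolvable account
        } else { $entry }
    }
}
'Accounts holding "Change the system time":'
$holders | ForEach-Object { "  $_" }

# 2. Who changed the clock? Returns nothing if system-event auditing is off
#    or the Security log has already rolled over.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) {
        $d[$n.Name] = $n.'#text'
    }
    [pscustomobject]@{
        Logged   = $e.TimeCreated
        Account  = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        LogonId  = $d['SubjectLogonId']
        Process  = $d['ProcessName']
        Previous = $d['PreviousTime']
        New      = $d['NewTime']
    }
}
```

Any group in the first list that the terminal server users belong to can be removed from the right under User Rights Assignment; the LogonId in the second list can be matched against logon events to tie a change to a specific remote session.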
 
whutsupdoc

Master of my Domain
#6
"By default, only Admins can change system time. "

yeah... that's what I thought, I'm the only admin on the system... they are listed as power users, but shouldn't be able to do anything that destructive, like changing the clock or screwing with file names/types!!!
 