On 11/3/07, Scott Ehrlich <[EMAIL PROTECTED]> wrote:
> I reviewed the event viewer on a Windows XP machine, fully patched, that
> is on an isolated LAN, and discovered a single logoff from a user account
> at an unusual hour. Just a few hours before that event, another user
> shows a login/logout at a normal time.
>
> The configuration is a RedHat Enterprise 5 Server configured as a Samba
> Windows NT 4 domain, and Windows XP w/SP2 workstations as members.
> Security is maintained tightly as I'm currently the only one with root/admin
> rights. Everyone else is a general user.

If you have reason to suspect malicious activity I'd look extremely closely at your password policy. What mechanism defines and ensures minimum length/complexity?

I seem to remember you being interested in unifying logins between linux hosts and windows hosts. Did you ever end up doing that? Can users log into your RHEL machine?

How was the configuration as an NT4 domain accomplished? What is the backend? tdbsam or ldap? If tdbsam, are the security bits on the file set so it can only be read by the samba daemon? If ldap, are you using the smb-ldap scripts from padl? Are the ACLs on the ldap server set up to only allow read access to records' (unsalted) sambaLMPassword and sambaNTpassword attributes? Are you using NIS?

I've never understood why redhat and friends encourage NT4 style domain controllers running samba. Even Microsoft had the sense to move away from that back in 2000.

All that being said, the event is probably benign.

> What _might_ cause that one user to show a bizarre logout-only entry, and a
> bizarre time?

What does the local security policy for the XP machines look like? My guess is that it's most likely a remote client "disconnecting" from accessing a share or something. Logon events are generated every time a user authenticates; logoff events are a courtesy.... Here's an example of a scenario where strange looking logs are generated:

Bob logs into workstation (authenticates), goes to bathroom.
Password protected screensaver kicks on.
Bob comes back and unlocks screen saver. (authenticates)
Bob trips over power cord on way to lunch, powering the machine off.
Bob plugs machine back in, logs on (authenticates), makes sure his work is okay, goes to lunch.
Bob comes back, unlocks screen saver (authenticates), does some more work.
Bob logs off and goes home.

The event log will look like:

User bob logon
User bob logon
User bob logon
User bob logon
User bob logoff

> I'll also check my samba logs to see if they show anything.

Doubtful

> Thanks for any insights.
>
> Scott

-s

_______________________________________________
bblisa mailing list
[email protected]
http://www.bblisa.org/mailman/listinfo/bblisa
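The reply's point is that logon events track every authentication while logoff events are best-effort, so a lone logoff (or a pile of logons with no logoff) is not by itself evidence of anything. The script below is an added example, not code from the thread or from either poster: it pairs pre-Vista Security-log logon/logoff events by user and Logon ID, breaks the logons down by type (console, network share access, screensaver unlock), and reports sessions that never logged off and logoffs whose logon is not in the log at all, flagging the latter when they fall outside an assumed business-hours window. The event IDs (528, 540, 538) and logon types (2, 3, 7) are the Windows XP/2003 ones; the log lines, the 07:00-19:00 window, and the one-Logon-ID-per-authentication modelling are constructed for the example and go a little beyond the reply's Bob scenario by also including a network share session and a logoff with no logon.

```python
"""Pair Windows XP Security-log logon/logoff events by (user, Logon ID).

Added example; not code from the original thread. Event IDs and logon types
are the pre-Vista (NT 5.x) ones: 528 successful logon, 540 successful network
logon, 538 user logoff; logon type 2 interactive (console), 3 network (a
client opening a share), 7 unlock (screensaver). The sample log below is
constructed to mirror the "Bob" scenario in the reply, plus a network share
session and a lone logoff like the one Scott found. Giving each
authentication its own Logon ID is an assumption made for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

LOGON_EVENT_IDS = {528, 540}
LOGOFF_EVENT_ID = 538
LOGON_TYPE_NAMES = {2: "interactive", 3: "network", 7: "unlock"}
WORKDAY = (7, 19)  # assumed business hours (07:00-19:00) for the off-hours flag

# Constructed sample: timestamp, event id, user, logon type, logon id
SAMPLE_LOG = """\
2007-11-01 08:01  528  bob    2  0x1A2B
2007-11-01 08:30  528  bob    7  0x1A2C
2007-11-01 09:10  528  bob    2  0x2C3D
2007-11-01 12:05  528  bob    7  0x2C3E
2007-11-01 14:20  540  alice  3  0x7710
2007-11-01 14:22  538  alice  3  0x7710
2007-11-01 17:00  538  bob    2  0x2C3D
2007-11-02 03:14  538  carol  3  0x9F01
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    event_id: int
    user: str
    logon_type: int
    logon_id: str


def parse_events(text):
    """Parse whitespace-separated sample lines into Event records, skipping blanks."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # blank or malformed line
        date, time, eid, user, ltype, lid = parts
        events.append(Event(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
                            int(eid), user, int(ltype), lid.lower()))
    return events


def is_off_hours(when):
    """True when the event falls outside the assumed business-hours window."""
    return not (WORKDAY[0] <= when.hour < WORKDAY[1])


def correlate(events):
    """Match each logoff to the open logon with the same (user, Logon ID).

    Returns per-user logon counts by type, completed sessions, logons that
    never logged off (power loss, unlock sessions, crashes) and logoffs with
    no logon in the log at all.
    """
    logon_counts = defaultdict(Counter)
    open_sessions = {}
    sessions = []
    orphan_logoffs = []
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.user, ev.logon_id)
        if ev.event_id in LOGON_EVENT_IDS:
            logon_counts[ev.user][LOGON_TYPE_NAMES.get(ev.logon_type, "other")] += 1
            open_sessions[key] = ev
        elif ev.event_id == LOGOFF_EVENT_ID:
            start = open_sessions.pop(key, None)
            if start is None:
                orphan_logoffs.append(ev)
            else:
                sessions.append((start, ev))
    return {
        "logon_counts": {u: dict(c) for u, c in logon_counts.items()},
        "sessions": sessions,
        "never_logged_off": list(open_sessions.values()),
        "orphan_logoffs": orphan_logoffs,
    }


def report(text=SAMPLE_LOG):
    """Return (human-readable summary, raw correlate() result)."""
    result = correlate(parse_events(text))
    lines = [f"{u}: logons {c}" for u, c in sorted(result["logon_counts"].items())]
    for start, end in result["sessions"]:
        lines.append(f"{start.user} {LOGON_TYPE_NAMES.get(start.logon_type, 'other')} "
                     f"session {start.logon_id}: {start.when:%H:%M}-{end.when:%H:%M}")
    for ev in result["never_logged_off"]:
        lines.append(f"{ev.user} logon {ev.logon_id} at {ev.when:%H:%M} has no logoff")
    for ev in result["orphan_logoffs"]:
        flag = " OFF-HOURS" if is_off_hours(ev.when) else ""
        lines.append(f"{ev.user} logoff {ev.logon_id} at {ev.when:%m-%d %H:%M} "
                     f"has no matching logon{flag}")
    return "\n".join(lines), result


if __name__ == "__main__":
    print(report()[0])
```

Run as-is it prints Bob's four logons (two console, two unlock) against his single logoff, alice's two-minute network session that looks exactly like a share being opened and closed, and carol's 03:14 logoff with no logon anywhere in the slice. Before treating such an orphan as suspicious, pull the preceding day's log (the logon may simply predate the window you exported) and check the logon type: a type 3 logoff is a client dropping a share connection, not someone at the console.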
