audit trail of sessions connected to your computer
When Vista loads, a net start server command is run. This basically shares (by default) your C drive (c$) to the entire world. If an admin wants to access your c: drive, he/she only has to do a net use to this computer. QUESTION - is there any way to turn on an audit log to record these sessions to my computer (laptop)? I initially thought this was recorded in the event viewer - but this is not the case. Thanks for any help.
February 28th, 2008 8:51pm
Hi rjmjr,
You can check the information by using the security log in Event Viewer. A logon event 4624 will be generated in the security log when an account is successfully logged on, and the logon type is 3 for network logon.
I've also included a sample event for your reference:
==============================
An account was successfully logged on.
Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0
Logon Type: 3
New Logon:
    Security ID: TEST\aa
    Account Name: aa
    Account Domain: TEST
    Logon ID: 0x23b4ebba
    Logon GUID: {8B91EEF1-331C-40A1-82A6-6FEABF62FE9D}
Process Information:
    Process ID: 0x0
    Process Name: -
Network Information:
    Workstation Name:
    Source Network Address: 192.168.1.209
    Source Port: 50093
Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0
In addition, to audit the logon information, please ensure that the audit policies "Audit account logon events" and "Audit logon events" are enabled.
Hope it helps.
Sincerely,
Joson Zhou
Microsoft Online Community Support
March 3rd, 2008 9:30am
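The following is an added example, not part of the original thread: one way to list the network logons described in the answer above (event 4624, Logon Type 3) with PowerShell's Get-WinEvent. The variable names, the 500-event limit and the output column names are choices made for this example.

```powershell
# Added example: list network logons (event 4624, Logon Type 3) from the local Security log.
# Run from an elevated PowerShell prompt; reading the Security log needs administrator rights.

# XPath filter: event ID 4624 whose LogonType data field equals 3 (network logon).
$filter = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]"

# -MaxEvents 500 is an arbitrary limit chosen for this example; newest events come first.
$events = Get-WinEvent -LogName Security -FilterXPath $filter -MaxEvents 500 `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No type 3 logon events found. Check that the logon audit policies are enabled."
    return
}

$logons = foreach ($evt in $events) {
    # Each 4624 event carries its fields as named <Data> elements under <EventData>.
    $xml    = [xml]$evt.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated   = $evt.TimeCreated
        Account       = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        Workstation   = $fields['WorkstationName']      # may be empty, as in the sample event
        SourceAddress = $fields['IpAddress']
        SourcePort    = $fields['IpPort']
        AuthPackage   = $fields['AuthenticationPackageName']
    }
}

# Full list, newest first.
$logons | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Summary: how many network logons each account made from each source address.
$logons |
    Group-Object Account, SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On a domain-joined machine the list will also include machine accounts (names ending in `$`) and service traffic, so filter on `Account` or `SourceAddress` to isolate the sessions of interest.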
Thank you - you are correct. I suppose this is a benefit over XP - and - as I went back to my testing scenario - I was doing a net use to an XP machine - and that is where the problem really is - XP does record the login session - but it does not record the name of the machine in the security id. Thank you for your help. I will mark the question as answered.
March 3rd, 2008 7:15pm