General discussion

NT Audit entry question

By curlyq ·
I have an audit entry by a normal user with a Successful Audit, Object Access, and I'm not sure what is being accessed.
Object Open:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003F2
New Handle ID: 1474024
Operation ID: {0,767851}
Process ID: 2158420000
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,____)
Client User Name: "username"
Client Domain: RYA_PDC
Client Logon ID: (0x0,____)
Accesses READ_CONTROL
ReadGeneralInformation
ReadPreferences
ReadLogon
ReadAccount
ListGroups
Privileges -

Can anyone tell me what is being accessed and how?

All Comments

NT Audit entry question

by Rookie@NPA In reply to NT Audit entry question

Your question: Can anyone tell me what is being accessed and how?

User Manager for Domains

Check the privileges you have given to the users (just in case you have given out an excess of privileges to any of your users/any admin accounts you did not disable/user accounts with lost passwords not disabled).
How many admins do you have?

This audit log clearly indicates that this is enumeration of information.
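Added example, not part of any post in this thread: a small Python parser for entries in the layout posted above, which decodes the hex account RID at the end of the SAM_USER object name and groups the accounts each client user read. It goes beyond the single entry in the question by handling several entries at once. The function names, the user "jdoe", the second RID and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two entries in the layout of the one posted above, trimmed
# to the fields used here. The user "jdoe" and the second RID are made up.
SAMPLE = r"""Object Open:
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003F2
Client User Name: jdoe
Client Domain: RYA_PDC
Accesses READ_CONTROL
ReadGeneralInformation
ListGroups
Privileges -
Object Open:
Object Type: SAM_USER
Object Name: DOMAINS\Account\Users\000003F3
Client User Name: jdoe
Client Domain: RYA_PDC
Accesses READ_CONTROL
ReadAccount
Privileges -
"""

def parse_entries(text):
    """Return one dict per 'Object Open:' entry found in the audit text."""
    entries = []
    for chunk in text.split("Object Open:")[1:]:
        f = dict(re.findall(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$", chunk, re.M))
        # The last component of a SAM_USER object name is the account RID in hex.
        tail = f.get("Object Name", "").rsplit("\\", 1)[-1]
        rid = int(tail, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tail) else None
        acc = re.search(r"^\s*Accesses\s+(.*?)^\s*Privileges", chunk, re.M | re.S)
        entries.append({
            "type": f.get("Object Type"),
            "rid": rid,
            "client": f'{f.get("Client Domain")}\\{f.get("Client User Name")}',
            "accesses": acc.group(1).split() if acc else [],
        })
    return entries

def sam_reads_by_client(entries, admins=frozenset()):
    """Map DOMAIN\\user to the sorted RIDs of SAM_USER objects it opened."""
    seen = defaultdict(set)
    for e in entries:
        if e["type"] == "SAM_USER" and e["rid"] is not None and e["client"] not in admins:
            seen[e["client"]].add(e["rid"])
    return {client: sorted(rids) for client, rids in seen.items()}
```

Passing the known administrator accounts as `admins` leaves only the clients whose reads of user accounts need explaining.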

NT Audit entry question

by curlyq In reply to NT Audit entry question

Are you sure? Could this be mistaken as anything else, as in should I bring in a consultant? The reason I ask is the user I am tracking (and I know who it is) 'should' not be able to access the User Manager for Domains or even want to.

NT Audit entry question

by Rookie@NPA In reply to NT Audit entry question

You say: Comment from curlyq on 3/15/02:
Are you sure? Could this be mistaken as anything else, as in should I bring in a consultant? The reason I ask is the user I am tracking (and I know who it is) 'should' not be able to access the User Manager for Domains or even want to.

That is great. Are you the admin of this site?

If yes, try it out for yourself (set the audit rules, access User Manager - you figure out what to access !!!! and sit back for the magic !!!)

If no, please go ahead and get a consultant.

Thanks,
Rookie

NT Audit entry question

by curlyq In reply to NT Audit entry question

Yes, I'm the one and only admin for the site and have seen similar entries when I access it as the administrator. Just wanted confirmation that this user was accessing it as well.

Thank you,
Q

NT Audit entry question

by curlyq In reply to NT Audit entry question

This question was closed by the author
