Networks·41,424 discussions

Unauthorized log in

Locked

We have a 2003 server that is a domain controller. Recently I have noticed some local user profiles listed under documents and setting. My concern is that someone is getting on our server . What is odd is the user profile only has a few items in it. It doesn’t have all the folders and files that the default user profile has. The profile has the following.

Folders:
Cookies
Application Data
Local Settings

Files:
NTUser.dat
NTUser.dat.log

Any thoughts on why a user profile would exist on this server? I am concerned they are somehow getting a (lite) login possible through some haccking tool. Has anyone else seen or experienced this problem?

I have checked the security on the server and they should not be able to get in. This server is not a terminal server either.

Any help or thoughts would be appreciated.

Topic

Give examples of the logon names.

In reply to Unauthorized log in

Are the similar to real logon names?

Change them an needed but give everybody a clue.

Perhaps you should post this a a question to gain more exposure.

login types

In reply to Give examples of the logon names.

Thge logon names are of students in our district. We use numeric logons for students. Essentially it is there student id. I have noticed the same user has gotten in (possibly) on several dates. Any thoughts?

Does anyone else have access to the servers?

In reply to login types

If so, it is likely that someone was creating profiles as local instead of domain, and that they have not used these profiles to log in yet.

Server room is secure

In reply to Does anyone else have access to the servers?

Our server room is secure. We believe this is happening remotely. I have tried to get in through remote desktop with limited user accounts and have been unable to login. I have also checked the particular user logins and they have limited rights too.

Remote

In reply to Server room is secure

is it behind a firewall – do you have logs that can look over – see where the logon may be coming from?

Logs and firewall

In reply to Remote

We believee the problem is internal. Possibly in one of the student computer labs. We are behind a firewall and have checked the available logs. (Internet, AD, Local, Etc…)

I am curious if anyone has seen this before. Possibly using a hacking tool or someother method.

Thanks again….

windows problem

In reply to Give examples of the logon names.

I have a choice of two operating systems when staring windows xp although I only have one install (as far as I know) also my name is down as guest and admin I recently had a hhd failure and reinstalled windows net framework cannot be installed and in doc and setting I have two admin files I think I need to clean it up but unsure what to do under my admin name i have no application data for netframework it is in the other admin folder any solutions would be a great help regards sandra

Did you check the local logon policy?

In reply to Unauthorized log in

Under Default Domain Controller Security Settings?

local login policy

In reply to Did you check the local logon policy?

Checks out OK.

The policy is set to only allow admins and domain admins

Are you running Terminal Services?

In reply to Unauthorized log in

If so, you’ll get a D & S directory for each user who connects via TS.

[Author]

Replies