[BBLISA] Unusual date/time for Windows logout event

Sean OMeara someara at gmail.com
Sat Nov 3 14:55:10 EDT 2007


On 11/3/07, Scott Ehrlich <scott at mit.edu> wrote:
> I reviewed the event viewer on a Windows XP machine, fully patched, that
> is on an isolated LAN, and discovered a single logoff from a user account
> at an unusual hour.  Just a few hours before that event, another user
> shows a login/logout at a normal time.

> The configuration is a RedHat Enterprise 5 Server configured as a Samba Windows
> NT 4 domain, and Windows XP w/SP2 workstations as members.
> Security is maintained tightly as I'm currently the only one with root/admin
> rights. Everyone else is a general user.

If you have reason to suspect malicious activity I'd look extremely
closely at your password policy.

What mechanism defines and ensures minimum length/complexity?

I seem to remember you being interested in unifying logins between
linux hosts and windows hosts. Did you ever end up doing that? Can
users log into your RHEL machine?

How was the configuration as an NT4 domain accomplished?
What is the backend? tdbsam or ldap?

If tdbsam, are the security bits on the file set so it can only be read
by the samba daemon?

If ldap, are you using the smb-ldap scripts from padl?
Are the ACLs on the ldap server set up to only allow read access to
records' (unsalted) sambaLMPassword and sambaNTpassword attributes?

Are you using NIS?

I've never understood why redhat and friends encourage NT4 style
domain controllers running samba. Even Microsoft had the sense to move
away from that back in 2000.

All that being said, the event is probably benign.

> What _might_ cause that one user to show a bizarre logout-only entry, and a
> bizarre time?

What does the local security policy for the XP machines look like?
My guess is that it's most likely a remote client "disconnecting" from
accessing a share or something.

Logon events are generated every time a user authenticates; logoff
events are a courtesy. Here's an example of a scenario where
strange looking logs are generated:

Bob logs into workstation (authenticates), goes to bathroom.
Password protected screensaver kicks on.
Bob comes back and unlocks screen saver (authenticates).
Bob trips over power cord on way to lunch, powering the machine off.
Bob plugs machine back in, logs on (authenticates), makes sure his work
is okay, goes to lunch.
Bob comes back, unlocks screen saver (authenticates), does some more work.
Bob logs off and goes home.

The event log will look like:
User bob logon
User bob logon
User bob logon
User bob logon
User bob logoff

> I'll also check my samba logs to see if they show anything.

Doubtful


> Thanks for any insights.
>
> Scott

-s
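Mirroring the Bob scenario above, here is an added example (mine, not from the list thread) that pairs logon and logoff records in a constructed log and flags logoff-only or off-hours entries for a second look; the line format, the user names and the 07:00-20:00 window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not from the post): "<date> <time> <LOGON|LOGOFF> <user>".
# bob follows the screensaver/power-cord story: four logons, one logoff.
# carol shows the pattern Scott asked about: a logoff with no logon in the window.
SAMPLE_LOG = """\
2007-11-02 09:02:11 LOGON bob
2007-11-02 10:15:40 LOGON bob
2007-11-02 11:58:03 LOGON bob
2007-11-02 13:04:19 LOGON bob
2007-11-02 17:31:00 LOGOFF bob
2007-11-02 18:05:10 LOGON alice
2007-11-02 18:40:55 LOGOFF alice
2007-11-03 03:17:42 LOGOFF carol
"""

# Assumed site working hours; adjust to the environment being reviewed.
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def parse_events(text):
    """Parse the constructed format into sorted (timestamp, kind, user) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, kind, user = line.split()
        events.append((datetime.fromisoformat(f"{date} {clock}"), kind, user))
    return sorted(events)


def audit_sessions(events, hours=BUSINESS_HOURS):
    """Return per-user logon/logoff counts and a list of entries worth a second look."""
    open_logons = defaultdict(int)
    stats = defaultdict(lambda: {"logon": 0, "logoff": 0})
    findings = []
    for ts, kind, user in events:
        stats[user][kind.lower()] += 1
        if kind == "LOGON":
            open_logons[user] += 1
        elif kind == "LOGOFF":
            if open_logons[user] == 0:
                # No logon seen in this window: share disconnect, or session predates the log.
                findings.append(f"{ts} orphan LOGOFF for {user}: no matching logon in window")
            else:
                open_logons[user] = 0  # one logoff closes all the unlock/re-logon repeats before it
            if not (hours[0] <= ts.time() <= hours[1]):
                findings.append(f"{ts} off-hours LOGOFF for {user}")
    return dict(stats), findings
```

Run `audit_sessions(parse_events(SAMPLE_LOG))` to see bob counted as 4 logons / 1 logoff with no findings, and carol flagged twice (orphan and off-hours) for manual review.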



