We have noted via SurfControl that a username which in Active Directory is a built-in account for administering the computer/domain (let's call it ABCD) is being used to browse the web; this is abnormal and we are concerned that a user also potentially has unauthorised access to folders/files.
We've tracked the activity to a current IP address; there is also some history going back about 6 weeks which shows a much lower level of activity on 3 other IP addresses. Unfortunately the computer in question is in a time zone 7 hours ahead of us and comms speed is slow - average round trip on ping is circa 300ms.
I've looked at the dates on NTUSER.DAT in the ABCD folder in Documents and Settings on the computer in question; it looks as if the account hasn't been used on that computer for over 2 years. I used RegRipper to try and get more information; it confirmed the last write time but also noted that the Logon User Name is not "ABCD" but is in fact "Administrator".
I've been told that it's possible that IE can prompt for a username/password, so my questions are:
1. Can IE use a different username/password combination from the currently logged-on user?
2. If so, are username/password combinations for IE stored anywhere and retrievable (files or Registry)?
3. Given that I previously believed that (apart from Default User, LocalService etc) each folder name in Documents and Settings is automatically given the same name as each user on the computer, how is it possible for the Logon User Name in NTUSER.DAT to be different from the name of the folder?
4. In a DHCP environment, is there a history of which IP leases were granted to which computers and when?
I suspect that I will be given the sound advice to change the password on the ABCD account, distribute it only to those who need to know it and then log unsuccessful logon attempts - but I'm afraid that this would be a last resort as ABCD is used as the logon name for a bunch of Services on a number of servers (don't shoot the messenger).
Regards
cry
I've looked at the dates on NTUSER.DAT in the ABCD folder in Documents and Settings on the computer in question
Make sure you're looking in the profile folder of the account – that is not necessarily the folder that has the same name as the account. Locally, you go from the account SID to the profile folder by checking the contents of
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath
(Default is %SystemDrive%\Documents and Settings\<username> – but see also …\ProfileList\ProfilesDirectory – but I think it could be just about anything. Don't be surprised if you find a profile in %SystemRoot%\Profiles – that seems to be standard for NT systems that were upgraded to 2k/XP.)
It's not that unusual to find different names – although it is often a related name, such as 'Account.old' or 'Account.new'.
I've been told that it's possible that IE can prompt for a username/password, so my questions are:
1. Can IE use a different username/password combination from the currently logged-on user?
Prompt for a username/password to accomplish what? As far as I am aware, only to pass those credentials to the web site it is talking to, i.e. to log into a remote web service. That *could* be the same system, if it has a web server running. But then you should have logs from that server to check.
3. Given that I previously believed that (apart from Default User, LocalService etc) each folder name in Documents and Settings is automatically given the same name as each user on the computer, how is it possible for the Logon User Name in NTUSER.DAT to be different from the name of the folder?
You are thinking about default behaviour for user accounts – that works as you think. But check the Microsoft Knowledgebase information on User Profile for the platform you are examining (XP? 2000?). Or some good book on Windows Registry … I think Honeycutt's book mentions this. I'm fairly certain I've seen some Microsoft instruction on fixing some particular profile problem that involved creating a new profile directory and setting everything in the registry up manually. I also found a few by a Google search for 'Move User Profile'.
Alternatively, have a chat with the actual administrator of the system, if possible, and ask if there have been profile problems, and how they were fixed.
4. In a DHCP environment, is there a history of which IP leases were granted to which computers and when?
There may be. It's on the DHCP server, but it may not be configured to cover what you want. (In large enterprises, you may find DHCP logs configured to absolute minimum requirements, such as half an hour or so - i.e. the time frame within which a user calls helpdesk with a DHCP-related problem.)
I suspect that I will be given the sound advice to change the password on the ABCD account, distribute it only to those who need to know it and then log unsuccessful logon attempts - but I'm afraid that this would be a last resort as ABCD is used as the logon name for a bunch of Services on number of servers (don’t shoot the messenger).
If I understand you correctly, I would not advise you to retain the ABCD account at all – there seems to be no way of knowing for what purpose a particular login is used. Instead, I would suggest creating new separate accounts, one for each purpose, and each with appropriate privileges for that purpose. The old account should be kept but disabled.
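As an added example (not code from athulin's post or from RegRipper), the SID-to-profile-folder lookup described above, done in Python. The ProfileList values and SIDs are constructed and hypothetical, the %SystemDrive%/%SystemRoot% values are assumed, and live_profile_list reads the real key only when run on the Windows host being examined.

```python
import ntpath
import re

# Constructed HKLM\...\ProfileList\<SID>\ProfileImagePath values (hypothetical).
SAMPLE_PROFILE_LIST = {
    "S-1-5-21-1111-2222-3333-500": r"%SystemDrive%\Documents and Settings\ABCD",
    "S-1-5-21-1111-2222-3333-1104": r"%SystemRoot%\Profiles\ABCD.new",
    "S-1-5-21-1111-2222-3333-1105": r"%SystemDrive%\Documents and Settings\jsmith",
}
# Constructed SID -> account name mapping, as the LSA would resolve it.
SAMPLE_ACCOUNTS = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-21-1111-2222-3333-1104": "ABCD",
    "S-1-5-21-1111-2222-3333-1105": "jsmith",
}
ENV = {"systemdrive": "C:", "systemroot": r"C:\WINDOWS"}  # assumed values

def expand(path, env=ENV):
    """Expand %VAR% references as Windows does for REG_EXPAND_SZ values."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def profile_for(sid, profile_list=SAMPLE_PROFILE_LIST):
    """Profile folder for a SID, or None if no profile was ever built here."""
    raw = profile_list.get(sid)
    return expand(raw) if raw else None

def mismatched_profiles(profile_list=SAMPLE_PROFILE_LIST, accounts=SAMPLE_ACCOUNTS):
    """(account, folder) pairs whose folder leaf is not the account name, i.e.
    where NTUSER.DAT must be read from somewhere other than the obvious folder."""
    out = []
    for sid, name in accounts.items():
        folder = profile_for(sid, profile_list)
        if folder and ntpath.basename(folder).lower() != name.lower():
            out.append((name, folder))
    return out

def live_profile_list():
    """Read the real ProfileList on the examined host itself (Windows only)."""
    import winreg
    path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
    result, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        while True:
            try:
                sid = winreg.EnumKey(key, i)
            except OSError:  # EnumKey raises once the subkeys are exhausted
                return result
            i += 1
            with winreg.OpenKey(key, sid) as sub:
                result[sid] = winreg.QueryValueEx(sub, "ProfileImagePath")[0]
```

In the constructed data the folder named ABCD actually belongs to Administrator's SID, which is the situation a "Logon User Name" of Administrator inside that folder's NTUSER.DAT would suggest.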
Thanks, athulin.
I can follow up on most of this, except changing or disabling the ABCD account. I'll have a look-see on Monday and report back.
Thanks again for the info
Regards
Depending on the authentication methods used by SurfControl and the setup of the PCs in question and how they are connecting to the network (logged in to the domain or just locally accessing network resources), it is possible that there will be authentication prompts in IE which will allow any credentials to be entered.
I'd try to correlate dates/times with other logs that might be available in respect to the IP address in question, i.e. DC logs and event logs off the machine. I'd also take a look at the registry and event logs from the other IPs you found.
If the user is saving the credentials (clicking on remember password in the dialogue) it should be in the PSSP in the registry I believe.
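Added example, not part of either reply: correlating the DHCP server's audit log (the lease history asked about in question 4) with a timestamp taken from SurfControl, as the post above suggests. It assumes the ID,Date,Time,Description,IP Address,Host Name,MAC Address column layout of the Windows DHCP service audit log and an 8-day default lease; the log lines, hosts and MACs are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Audit-log event IDs that change who holds an address (from the legend printed
# at the top of every DhcpSrvLog-*.log; assumed here, not taken from the page).
LEASE_EVENTS = {10: "assign", 11: "renew", 12: "release", 16: "deleted", 17: "expired"}
TS_FMT = "%m/%d/%y %H:%M:%S"  # the Date and Time columns joined by a space

# Constructed sample in the ID,Date,Time,Description,IP Address,Host Name,MAC
# Address layout of the DHCP service audit log; hosts, MACs and times are made up.
SAMPLE_LOG = """\
\t\tMicrosoft DHCP Service Activity Log
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/02/09,08:05:17,Assign,10.20.30.40,WKS-FIN-07.corp.example,000C29AABB01
11,03/03/09,07:58:02,Renew,10.20.30.40,WKS-FIN-07.corp.example,000C29AABB01
12,03/03/09,17:40:55,Release,10.20.30.40,WKS-FIN-07.corp.example,000C29AABB01
10,03/03/09,18:02:11,Assign,10.20.30.40,LAPTOP-VISITOR.corp.example,00FF22334455
11,03/04/09,09:10:30,Renew,10.20.30.40,LAPTOP-VISITOR.corp.example,00FF22334455
"""

def parse_dhcp_log(text):
    """Lease events as dicts sorted by time; banner, legend and header rows are skipped."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or not row[0].isdigit() or int(row[0]) not in LEASE_EVENTS:
            continue
        events.append({
            "time": datetime.strptime(f"{row[1]} {row[2]}", TS_FMT),
            "event": LEASE_EVENTS[int(row[0])],
            "ip": row[4], "host": row[5], "mac": row[6].lower(),
        })
    return sorted(events, key=lambda e: e["time"])

def holder_at(ip, at, events, max_lease=timedelta(days=8)):
    """Client holding `ip` at `at` (datetime or "MM/DD/YY HH:MM:SS"): the latest
    assign/renew not undone by a release/expiry/deletion; None if the log cannot vouch."""
    if isinstance(at, str):
        at = datetime.strptime(at, TS_FMT)
    holder = None
    for ev in events:
        if ev["ip"] != ip or ev["time"] > at:
            continue
        if ev["event"] in ("assign", "renew"):
            holder = ev
        elif holder and ev["mac"] == holder["mac"]:
            holder = None  # the same client gave the address back
    if holder and at - holder["time"] > max_lease:
        return None  # assumed 8-day lease has lapsed and the log is silent
    return holder
```

Remember to convert the SurfControl timestamp into the DHCP server's local time before looking it up, given the 7-hour offset mentioned in the first post.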