Is there a way, by looking at the event logs on a Windows XP machine, to show an event for that machine connecting to a particular server? I also know to look at link files and MRU files to see if any of the paths are on that server, but I was checking to see if there was an event recorded when a user connects to a particular server, or a write to the registry that is recorded. Thanks in advance.
Logging on the server was disabled.
Pronie,
To the best of my knowledge, there are no such events recorded in the Event Log; however, there is information recorded in the Registry, particularly within the hive file for the user. RegRipper includes a plugin to check the MountPoints2 entries. There are also keys available for things such as Terminal Services client connections.
HTH
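As an added illustration of the registry artifacts mentioned above (this is example code, not part of the original post and not RegRipper's own plugin), the script below parses a text `.reg` export of a user's NTUSER.DAT and pulls out the two artifact types named: MountPoints2 subkeys of the form `##server#share`, which record shares the user has browsed or mapped, and the Terminal Server Client `Servers` and `Default` MRU entries, which record Remote Desktop targets. The export fragment, the hostname `fileserver01` and the user name are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample: a fragment of a .reg export of a user's NTUSER.DAT.
# Hostnames, share names and the user name are hypothetical.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##fileserver01#finance]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\##printsrv#shared]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1b2c3d4-0000-1111-2222-333344445555}]
"BaseClass"="Drive"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\fileserver01]
"UsernameHint"="CORP\\jdoe"

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="fileserver01"
"MRU1"="10.0.0.25"
"""

MOUNTPOINTS2 = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2".lower()
TSC_SERVERS = r"Software\Microsoft\Terminal Server Client\Servers".lower()
TSC_DEFAULT = r"Software\Microsoft\Terminal Server Client\Default".lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg text export into {key_path: {value_name: data}}.
    Only REG_SZ ("name"="data") values are kept; that is all this example needs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # .reg escapes backslashes as "\\"; undo that for display
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def mountpoints2_shares(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """UNC paths from MountPoints2 subkeys named ##server#share.
    Volume GUID subkeys (local drives) are skipped."""
    shares = []
    for path in keys:
        head, _, leaf = path.rpartition("\\")
        if head.lower().endswith(MOUNTPOINTS2) and leaf.startswith("##"):
            shares.append("\\\\" + leaf[2:].replace("#", "\\"))
    return shares


def terminal_services_hosts(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Remote Desktop targets: one subkey per host under ...\Servers, plus the
    MRUn values under ...\Default. Order preserved, duplicates removed."""
    hosts: List[str] = []
    for path, values in keys.items():
        head, _, leaf = path.rpartition("\\")
        if head.lower().endswith(TSC_SERVERS):
            hosts.append(leaf)
        elif path.lower().endswith(TSC_DEFAULT):
            hosts.extend(v for name, v in sorted(values.items()) if name.upper().startswith("MRU"))
    return list(dict.fromkeys(hosts))


def artifacts_for_server(reg_text: str, server: str) -> Dict[str, List[str]]:
    """Filter both artifact types down to entries that name the server of interest."""
    keys = parse_reg_export(reg_text)
    s = server.lower()
    return {
        "mapped_shares": [p for p in mountpoints2_shares(keys) if s in p.lower()],
        "terminal_services": [h for h in terminal_services_hosts(keys) if s in h.lower()],
    }


if __name__ == "__main__":
    for kind, hits in artifacts_for_server(SAMPLE_REG_EXPORT, "fileserver01").items():
        print(kind, hits)
```

A hit in MountPoints2 shows the share was browsed or mapped under that user profile; it does not carry a timestamp by itself, so pair it with the key's LastWrite time from the hive (which RegRipper reports) to place it on the timeline.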
Thank you for the help
I agree with Harlan. How do you define "connect to a server"? The type of connection that you suspect would help you to identify what to look for as artifacts.
Basically, to show that at any point in time the user established a connection with the server and would have had access to the materials located on that server. I know it is not very in-depth; this question was brought to me by a detective working on a case. They have said that there are no link files referencing a path to the server, nor any in the most recently used Office files. I have referred them to Harlan's RegRipper to use, possibly to check for mapped network drives, etc. Thanks.
Basically, to show that at any point in time the user established a connection with the server and would have had access to the materials located on that server.
I think what Sean's referring to is the method of connection; mapped shares are only one. There's Terminal Services, VNC, etc. Was the server running IIS and MS SQL, and did the user use SQL injection?
Is there a way, by looking at the event logs on a Windows XP machine, to show an event for that machine connecting to a particular server? I also know to look at link files and MRU files to see if any of the paths are on that server, but I was checking to see if there was an event recorded when a user connects to a particular server, or a write to the registry that is recorded. Thanks in advance.
Logging on the server was disabled.
You probably need to secure all DC security logs for the time in question as well.
You may find authentication events from the server (which indicate that the user is trying to gain access), or logs about Kerberos service tickets for the server (which are not a 100% guarantee that they were used, of course, but may be taken as an indication of intent to do so).
This stuff is covered in reasonably great detail in, for instance, Windows Server 2003 Security Log Revealed by Randy Franklin Smith.
I can't find any obvious mention that server access is logged on the client, though.
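To make the distinction in the reply above concrete (an added example, not code from the poster or from the book cited), the script below correlates two server-side record types against a client address: a Kerberos service-ticket event (ID 673 on Windows Server 2003, logged on the domain controller) for the target server's service principal, which is treated as intent, and a successful network logon (ID 540, logon type 3) on the server itself, which is treated as access. A ticket followed within a short window by a matching logon is marked corroborated. The event records, hostnames, addresses and times are constructed; real exports would need a parser for the event description text, which this example skips by working on already-extracted fields.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records, as if extracted from a Windows Server 2003 DC's and a
# file server's Security logs. Hostnames, addresses, users and times are hypothetical.
SAMPLE_EVENTS = [
    # DC: service ticket granted (673) for the file server's CIFS service
    {"time": "2009-03-02 09:14:02", "source": "DC01", "id": 673,
     "user": "jdoe", "service": "cifs/fileserver01.corp.local", "client_addr": "10.0.0.77"},
    # File server: successful network logon (540, type 3) from the same workstation
    {"time": "2009-03-02 09:14:03", "source": "FILESERVER01", "id": 540,
     "user": "jdoe", "logon_type": 3, "workstation": "WKS-XP-17", "client_addr": "10.0.0.77"},
    # DC: ticket for a different server (must not match)
    {"time": "2009-03-02 09:20:11", "source": "DC01", "id": 673,
     "user": "jdoe", "service": "cifs/printsrv.corp.local", "client_addr": "10.0.0.77"},
    # DC: ticket for the target server with no matching logon on the server (intent only)
    {"time": "2009-03-02 17:45:30", "source": "DC01", "id": 673,
     "user": "jdoe", "service": "cifs/fileserver01.corp.local", "client_addr": "10.0.0.77"},
    # File server: a different user from a different address (must not match)
    {"time": "2009-03-02 17:50:00", "source": "FILESERVER01", "id": 540,
     "user": "asmith", "logon_type": 3, "workstation": "WKS-XP-03", "client_addr": "10.0.0.91"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _spn_host(service: str) -> str:
    """'cifs/fileserver01.corp.local' -> 'fileserver01' (short host name of the SPN)."""
    return service.split("/", 1)[-1].split(".")[0].lower()


def server_access_timeline(events: List[Dict], server: str, client_addr: str,
                           window_s: int = 60) -> List[Dict]:
    """Timeline of indications that client_addr reached `server`.
    673 for the server's SPN -> 'intent'; 540 on the server from that address -> 'access';
    a 673 followed within window_s by a 540 for the same user -> 'corroborated'."""
    server = server.lower()
    tickets = [e for e in events if e["id"] == 673 and e["client_addr"] == client_addr
               and _spn_host(e["service"]) == server]
    logons = [e for e in events if e["id"] == 540 and e["client_addr"] == client_addr
              and e["source"].lower() == server]
    timeline = []
    for t in tickets:
        matched = any(
            timedelta(0) <= _ts(lg["time"]) - _ts(t["time"]) <= timedelta(seconds=window_s)
            and lg["user"] == t["user"]
            for lg in logons)
        timeline.append({"time": t["time"], "user": t["user"],
                         "evidence": "service ticket (673) for " + t["service"],
                         "strength": "corroborated" if matched else "intent"})
    for lg in logons:
        timeline.append({"time": lg["time"], "user": lg["user"],
                         "evidence": "network logon (540) from " + lg["workstation"],
                         "strength": "access"})
    # ISO-style timestamps sort correctly as strings
    return sorted(timeline, key=lambda x: x["time"])


if __name__ == "__main__":
    for row in server_access_timeline(SAMPLE_EVENTS, "fileserver01", "10.0.0.77"):
        print(row["time"], row["user"], row["strength"], "-", row["evidence"])
```

Because any domain controller in the site can issue the ticket, the 673 search only means something if the logs from every DC for the period have been secured, which is the point made above about collecting all DC security logs.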
Thank you, I will pass this information along; much appreciated.