Guest Jordon Posted June 18, 2008

Yesterday I posted a question about auditing file access and I got that working fine, but now that it's working I have a completely different problem.

Starting last Saturday I found a few jpeg images were being edited (and backed up, and that's what started this) during times when no one was in the building. The first day it was only a few. Sunday there were a few more. More on Monday. Last night there were over 90. Nothing else on the server (Win2k SP4) that was being backed up, was something that wouldn't normally get backed up every day.

So I turned on object access auditing for the folder(s) that contained the images and I found they were edited by the administrator account.

We're using Norton Antivirus Corporate Edition and it looks for updates daily. I have a hardware firewall in place with every port (that I can get away with) closed.

Has anyone heard about something similar to this? I've heard of viruses that destroy jpegs but as far as I can tell the only modification to the files is their date/time stamp.

TIA,

--
Jordon

Guest Phillip Windell Posted June 18, 2008

Re: Something is editing jpegs on my server

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message news:1v7tme.gui.17.1@integratelecom.com...
> So I turned on object access auditing for the folder(s)
> that contained the images and I found they were edited
> by the administrator account.

Which Administrator? Local? Domain?
What source machine? The log should tell you what machine the account was logged into.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.

Guest Jordon Posted June 18, 2008

Re: Something is editing jpegs on my server

Phillip Windell wrote:
> "Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message
> news:1v7tme.gui.17.1@integratelecom.com...
>> So I turned on object access auditing for the folder(s)
>> that contained the images and I found they were edited
>> by the administrator account.
>
> Which Administrator? Local? Domain?
> What source machine? The log should tell you what machine the account was
> logged into.

Domain administrator. This is what was in one of the audits...

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 6/17/2008
Time: 10:28:36 PM
User: GTI\administrator
Computer: SERVER-2
Description:
Object Open:
    Object Server: Security
    Object Type: File
    Object Name: F:\shared\Documents\Pictures\Torchlight-03\temp\Dscn0990.jpg
    New Handle ID: 788
    Operation ID: {0,682686552}
    Process ID: 1180
    Primary User Name: administrator
    Primary Domain: GTI
    Primary Logon ID: (0x0,0x6655971)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses READ_CONTROL
        SYNCHRONIZE
        WriteData (or AddFile)
        AppendData (or AddSubdirectory or CreatePipeInstance)
        WriteEA
        ReadAttributes
        WriteAttributes
    Privileges -

--
Jordon

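An added example, not part of the original thread: Python that parses exported Event 560 text like the entry posted above and groups the opens that requested write-class access by Process ID, Primary Logon ID and client user, so the process behind the writes can be looked up on the server. The second sample record, the function names and the plain-text export layout are assumptions.

```python
import re
from collections import defaultdict
# Access names, as spelled in the posted event, that change file data or metadata.
WRITE_ACCESSES = {"WriteData (or AddFile)", "WriteEA", "WriteAttributes",
                  "AppendData (or AddSubdirectory or CreatePipeInstance)"}

# Record 1 copies fields from the posted event; record 2 is constructed for contrast.
SAMPLE = r"""
Event ID: 560
Object Name: F:\shared\Documents\Pictures\Torchlight-03\temp\Dscn0990.jpg
Process ID: 1180
Primary Logon ID: (0x0,0x6655971)
Client User Name: -
Accesses READ_CONTROL
    SYNCHRONIZE
    WriteData (or AddFile)
    AppendData (or AddSubdirectory or CreatePipeInstance)
    WriteEA
    ReadAttributes
    WriteAttributes
Privileges -

Event ID: 560
Object Name: F:\shared\Documents\Pictures\Torchlight-03\temp\Dscn0991.jpg
Process ID: 904
Primary Logon ID: (0x0,0x3E7)
Client User Name: jordon
Accesses ReadAttributes
Privileges -
"""

def parse_event(text):
    """Parse one event's text; 'Accesses' becomes a list of access names."""
    fields = dict(re.findall(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", text, re.M))
    block = re.search(r"^[ \t]*Accesses(.*?)^[ \t]*Privileges", text, re.M | re.S)
    lines = block.group(1).splitlines() if block else []
    fields["Accesses"] = [a.strip() for a in lines if a.strip()]
    return fields

def write_opens_by_process(log_text):
    """Group write-class Event 560 opens by (Process ID, Primary Logon ID, client user)."""
    groups = defaultdict(list)
    for record in re.split(r"\n\s*\n", log_text.strip()):
        ev = parse_event(record)
        hits = [a for a in ev["Accesses"] if a in WRITE_ACCESSES]
        if ev.get("Event ID") == "560" and hits:
            key = (ev["Process ID"], ev["Primary Logon ID"], ev["Client User Name"])
            groups[key].append((ev["Object Name"], hits))
    return dict(groups)
```

Each key in the result names one process and logon session; the Primary Logon ID can then be matched against the logon events recorded for that session in the same Security log.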
Guest Phillip Windell Posted June 18, 2008

Re: Something is editing jpegs on my server

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message news:1v8021.qga.17.1@integratelecom.com...
> Phillip Windell wrote:
>> Which Administrator? Local? Domain?
>> What source machine? The log should tell you what machine the account
>> was logged into.

> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 6/17/2008
> Time: 10:28:36 PM
> User: GTI\administrator
> Computer: SERVER-2

And Server-2 is this same server that holds the JPGs?

Assuming that is a "yes",..it means this is happening locally on the box (not from across the network) and it is being done with domain administrator.

Change the Domain Administrator Password. If this is being done by a running process such as a Service then the Service will start to fail and you will know where it is coming from. If it is the result of a wayward human then the human will scream that they can't do what it is they were doing and you will know who it was. The log entry also tells you the date and time it occurred,..that is important,...if you keep track of who was working that day and time.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.

Guest Jordon Posted June 18, 2008

Re: Something is editing jpegs on my server

Phillip Windell wrote:
> And Server-2 is this same server that holds the JPGs?

Yes

> Assuming that is a "yes",..it means this is happening locally on the box
> (not from across the network) and it is being done with domain
> administrator.

Yesterday, in testing object access auditing, I modified a couple of jpegs, then went to the server's security log. It showed me as the user but it showed server-2 as the computer, even though the workstation that did the edit was called station22.

> Change the Domain Administrator Password. If this is being done by a
> running process such as a Service then the Service will start to fail and
> you will know where it is coming from. If it is the result of a wayward
> human then the human will scream that they can't do what it is they were
> doing and you will know who it was. The log entry also tells you the date
> and time it occurred,..that is important,...if you keep track of who was
> working that day and time.

Will tasks in the task scheduler, that are dependent on a user and password (like backup) then fail?

--
Jordon

Guest Phillip Windell Posted June 19, 2008

Re: Something is editing jpegs on my server

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message news:1v8jf9.v8h.19.1@integratelecom.com...
> Phillip Windell wrote:
>> Assuming that is a "yes",..it means this is happening locally on the box
>> (not from across the network) and it is being done with domain
>> administrator.
>
> Yesterday, in testing object access auditing, I modified a couple
> of jpegs, then went to the server's security log. It showed me as
> the user but it showed server-2 as the computer, even though the
> workstation that did the edit was called station22.

Ok, sorry.
There is nowhere in the log entry where the machine you were coming from is mentioned?

In any case, changing the password will most likely "weed it out" regardless of where it is coming from.

> Will tasks in the task scheduler, that are dependent on a user and
> password (like backup) then fail?

Yes they will. That is why you are supposed to create specific accounts for each Task, preferably local accounts and not domain account, when possible,...and not use the Administrator for these types of things. For example I use an account I created called "BackupUser" to run scheduled backups with NTBackup instead of using the Administrator Account. The same is true of running services,...they should use the built in System Account as much as possible, and when that is not possible create a special account for each service (or maybe for a group of services). The idea is to have accountability with respect to what account something runs under and also that the account something runs under only has the bare minimum rights/privileges/permissions/scope to get the job done.

With products you might purchase, a lot of products/services tell you to use the Administrator Account out of sheer laziness of the product developers because they don't want to take the time to determine the minimum requirements for the product's access needs in order to give you the "specs" to create the service account yourself, or have the product's installation routines create the account for you.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.

Guest Jordon Posted June 19, 2008

Re: Something is editing jpegs on my server

Phillip Windell wrote:
>> Yesterday, in testing object access auditing, I modified a couple
>> of jpegs, then went to the server's security log. It showed me as
>> the user but it showed server-2 as the computer, even though the
>> workstation that did the edit was called station22.
>
> Ok, sorry.
> There is nowhere in the log entry where the machine you were coming from
> is mentioned?

Nope, just said Server-2.

>> Will tasks in the task scheduler, that are dependent on a user and
>> password (like backup) then fail?

> Yes they will. That is why you are supposed to create specific accounts for
> each Task, preferably local accounts and not domain account, when
> possible,...and not use the Administrator for these types of things. For
> example I use an account I created called "BackupUser" to run scheduled backups
> with NTBackup instead of using the Administrator Account. The same is true
> of running services,...they should use the built in System Account as much
> as possible, and when that is not possible create a special account for each
> service (or maybe for a group of services). The idea is to have
> accountability with respect to what account something runs under and also
> that the account something runs under only has the bare minimum
> rights/privileges/permissions/scope to get the job done.

Sounds like good advice. I'll give it a go and see what happens.

Thanks for the help.

--
Jordon

Guest Jordon Posted June 20, 2008

Re: Something is editing jpegs on my server

Phillip Windell wrote:
>>> Assuming that is a "yes",..it means this is happening locally on the box
>>> (not from across the network) and it is being done with domain
>>> administrator.

I changed the domain administrator's password yesterday. No difference. The date/time on various jpegs are still being changed.

>> Will tasks in the task scheduler, that are dependent on a user and
>> password (like backup) then fail?
>
> Yes they will.

And they did. I created a "Backup" user and assigned him to the Backup Operators group and used that user and password in the task scheduler for backups, but the backup still failed. I ended up with a backup file that had nothing in it and no backup log. Not sure why.

Today I'm going to move the jpegs off of that drive to a different one with limited access and see what happens.

--
Jordon

Guest Phillip Windell Posted June 20, 2008

Re: Something is editing jpegs on my server

"Jordon" <jordon@REMOVETHISgrahamtrucking.com> wrote in message news:1vdqa7.96k.19.1@integratelecom.com...
> And they did. I created a "Backup" user and assigned him to the Backup
> Operators group and used that user and password in the task scheduler
> for backups, but the backup still failed. I ended up with a backup file
> that had nothing in it and no backup log. Not sure why.

Look in the event log. The Security section in particular.
Either the Backup job didn't run,...
...or it ran but the account couldn't access the Files to perform the backup.
Either case should generate an Event Log entry.

With no backup log the account could not write the backup log file. The log file is kept in the user account profile for that account. Log on to the machine interactively with that account to create the user profile,...look there for the log next time. Maybe it is really there and it ran,..and you just missed it.

If the user account is called "BackupUser" then the log files will be in:
c:\Documents and Settings\BackupUser\Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.