List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Mapping users to IP address

neil.ruston@credit-suisse.com
06/29/2009 10:59 AM
Hi,

We have a requirement to provide user to IP address mapping
functionality. I.e. for a given user name, provide a list of IP
addresses used by that user in the last n days.

We already use the snare agent and the Sensage product to capture and
store security event log detail from all DCs.

Current DC spec is w2k3 with SP0 or SP1. [yes, I know this is very out
of date!]
Future DC spec will be w2k8 ⏌ bit].

Questions:
What detail is stored in a user logon event on a w2k3 DC? Is workstation
and IP address included?
What additional detail [if any] is stored in a user logon event on a
w2k8 DC? Is workstation and IP address included?

I'm eager to use the existing snare agent and not install another agent
just to meet this requirement.

Any thoughts / comments?

Thanks,
neil

===============================================================================
Please access the attached hyperlink for an important electronic communications disclaimer:
http://www.credit-suisse.com/legal/en/disclaimer_email_ib.html
===============================================================================


oscarsotocl
06/29/2009 5:17 PM
Hi Neil:

In Windows 2008 you can obtain the following attributes in security event 4624:
Security ID (Machine account or user account)
Machine Name or Account Name
Machine Domain or Account Name
Machine IP and Source Port used to connect to server

If I'm not wrong you can get the same info in Windows 2003, maybe not the source port I think.

Hope this helps you

Oscar Soto Casali
MVP Directory Services
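
The lookup asked for in this thread (for a given user, the IP addresses seen in the last n days) can be built from the 4624 fields listed above. The following is an added example, not code from the thread or from Snare or SenSage: it assumes the events are available as Windows Event XML, uses the 4624 EventData names TargetUserName, WorkstationName, IpAddress and IpPort, and runs on constructed sample records.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NO_ADDRESS = {"", "-", "::1", "127.0.0.1"}  # no usable remote address recorded

def make_event(event_id, when, user, ip):
    """Constructed sample record in Windows Event XML (not a real capture)."""
    fields = {"TargetUserName": user, "WorkstationName": "WS01",
              "IpAddress": ip, "IpPort": "49152"}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}.000000000Z"/></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE = [  # constructed users and addresses
    make_event(4624, "2009-06-28T08:01:10", "jdoe", "10.1.2.3"),
    make_event(4624, "2009-06-29T17:20:45", "JDoe", "10.1.2.9"),
    make_event(4624, "2009-05-01T09:00:00", "jdoe", "10.9.9.9"),   # outside window
    make_event(4624, "2009-06-29T08:00:00", "WS01$", "10.1.2.3"),  # machine account
    make_event(4624, "2009-06-29T08:05:00", "asmith", "-"),        # no address logged
    make_event(4634, "2009-06-29T18:00:00", "jdoe", "10.7.7.7"),   # other event ID, ignored
]

def user_ip_map(events, now, days):
    """Return {user: sorted IPs} from 4624 events in the last `days` days."""
    cutoff = now - timedelta(days=days)
    seen = defaultdict(set)
    for raw in events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", "", NS) != "4624":
            continue
        stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
        # SystemTime is UTC; keep whole seconds and drop the fractional part.
        when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
        user, ip = data.get("TargetUserName", "").lower(), data.get("IpAddress", "")
        # Skip old events, machine accounts (name ends in "$") and empty addresses.
        if when < cutoff or not user or user.endswith("$") or ip in NO_ADDRESS:
            continue
        seen[user].add(ip)
    return {user: sorted(ips) for user, ips in seen.items()}

if __name__ == "__main__":
    print(user_ip_map(SAMPLE, datetime(2009, 6, 30, tzinfo=timezone.utc), 7))
```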




andrew
06/29/2009 5:29 PM
I may be stating the obvious but you can capture these and many other
variables in logon / logoff scripts with output piped to text files.
Possibly a bit too simple for some, but it works.
Thanks.
Andrew


neil.ruston@credit-suisse.com
06/29/2009 5:35 PM
I already use the snare agent and SenSage so wanted to know if we're
already capturing enough info to meet the req. Would rather not create
another solution to meet the req :)



neil





andrew
06/29/2009 7:05 PM
apologies, ok.

