Friday, September 10, 2010

firewall-wizards Digest, Vol 53, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Getting windows user name? (Fetch, Brandon)
2. Re: Getting windows user name? (Behm, Jeff)
3. Re: Getting windows user name? (lordchariot@embarqmail.com)


----------------------------------------------------------------------

Message: 1
Date: Thu, 9 Sep 2010 14:43:03 -0500
From: "Fetch, Brandon" <bfetch@tpg.com>
Subject: Re: [fw-wiz] Getting windows user name?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<A22AB7AA11C57342918639C100566F244E20213278@TXMAIL.texpac.com>
Content-Type: text/plain; charset="us-ascii"

Best guess:
A query of the domain controller that processed that user's login requests from said computer.

I know there's a parameter/field that's updated with when & from where a user was authenticated; however, that implies the use of a domain & said controllers: entirely useless for a stand-alone system.

I'm afraid you're going to be stuck using a direct query to the host (nbtstat -a) or via the other tools that have been suggested (Sysinternals options).

Best of luck,
Brandon

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of ArkanoiD
Sent: Thursday, September 09, 2010 7:20 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Getting windows user name?

Any chance to do that either


-- without netbios queries, via ldap
-- without requesting info from workstation itself, from AD directly?


_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Thu, 9 Sep 2010 08:22:02 -0500
From: "Behm, Jeff" <jbehm@burnsmcd.com>
Subject: Re: [fw-wiz] Getting windows user name?
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7F611EB6D6C2064883F59190F87FFD620F86680337@BMCDMAIL01.burnsmcd.com>
Content-Type: text/plain; charset="us-ascii"

On Thursday, September 09, 2010 6:20 AM, ArkanoiD said:
>Any chance to do that either
>
>-- without netbios queries, via ldap
>-- without requesting info from workstation itself, from AD directly?

It would appear there has to be some way to do it directly from AD as our Websense installation seems to be doing it.

Websense can be configured to poll AD directly and/or the workstations themselves to determine who is logged on (or at least, a close approximation of who last authenticated from a given PC).

We currently have Websense set up to only poll AD to get that information (leaving the workstations alone) and it builds an array of usernames -> IP address mapping (which you can dump out with one of their supplied tools (consoleclient.exe, for those with Websense that might be interested)).

Therefore, I would say that there *has* to be some way to get the "last authenticated" username from a machine, directly from AD, if all you have is an IP address.

I have not tried to dig into exactly where AD is keeping that information...

Jeff

------------------------------

Message: 3
Date: Thu, 9 Sep 2010 11:25:50 -0400
From: <lordchariot@embarqmail.com>
Subject: Re: [fw-wiz] Getting windows user name?
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>, "'Firewall Wizards Security
Mailing List'" <firewall-wizards@listserv.cybertrust.com>
Message-ID: <000301cb5033$492e8210$db8b8630$@com>
Content-Type: text/plain; charset="us-ascii"

Some vendors will install agents on various AD servers to cull the
information from the security logs and correlate them with last-logged-on
user information from those same logs. Unfortunately, there doesn't
appear to be a single log entry in AD that has both user and IP address,
hence the need for correlation.
As a comparison, you can LDAP query Novell eDirectory for an IP and it will
return the username logged, but alas, not in AD.

erik

> -----Original Message-----
> From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-
> wizards-bounces@listserv.icsalabs.com] On Behalf Of ArkanoiD
> Sent: Thursday, September 09, 2010 7:20 AM
> To: Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Getting windows user name?
>
> Any chance to do that either
>
>
> -- without netbios queries, via ldap
> -- without requesting info from workstation itself, from AD directly?
>
>

------------------------------
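The "last authenticated user per IP" table discussed in this thread, as an added example that is not from any poster or vendor. It assumes a collector has already reduced domain-controller authentication events to (time, account, client address) records, however it obtained or correlated them; the record layout, names and sample values are constructed.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample records: (ISO time, account, client address).
# The layout is hypothetical, not AD's or any product's format.
SAMPLE = [
    ("2010-09-09T08:01:10", "CORP\\alice", "10.1.2.30"),
    ("2010-09-09T08:01:12", "WKS030$", "10.1.2.30"),         # machine account
    ("2010-09-09T08:05:00", "bob@corp.example", "::ffff:10.1.2.31"),
    ("2010-09-09T09:30:00", "CORP\\carol", "10.1.2.30"),     # later user, same PC
    ("2010-09-09T09:10:00", "CORP\\alice", "10.1.2.30"),     # arrives out of order
    ("2010-09-09T09:40:00", "CORP\\dave", "127.0.0.1"),      # logon on the server itself
    ("2010-09-09T09:41:00", "CORP\\erin", "-"),              # no address recorded
]

def normalize_ip(raw):
    """Return a canonical address string, or None if unusable as a map key."""
    try:
        ip = ip_address(raw.strip())
    except ValueError:
        return None
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d
    if mapped is not None:
        ip = mapped
    return None if (ip.is_loopback or ip.is_unspecified) else str(ip)

def normalize_user(raw):
    """Strip DOMAIN\\ or @realm; drop machine accounts (trailing '$')."""
    name = raw.strip()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    name = name.lower()
    return None if (not name or name.endswith("$")) else name

def build_map(records, now, max_age=timedelta(hours=8)):
    """Map each client IP to the most recent interactive user seen there."""
    latest = {}
    for ts, user, addr in records:
        when = datetime.fromisoformat(ts)
        ip, name = normalize_ip(addr), normalize_user(user)
        # Skip unusable, future-dated and stale records (address may be reassigned).
        if ip is None or name is None or when > now or now - when > max_age:
            continue
        if ip not in latest or when > latest[ip][1]:
            latest[ip] = (name, when)
    return {ip: name for ip, (name, _) in latest.items()}
```

The result is only an approximation of who is at a machine: shared hosts, NAT and address reassignment all produce wrong attributions, which is why entries are aged out rather than kept indefinitely.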



End of firewall-wizards Digest, Vol 53, Issue 6
***********************************************
