none
Logon process: NtLmSsp

    Question

  •  Hi,

    I've an Oracle database server running on Windows 2003 server to which the access is totally restricted.  But, for the first time i saw a login record, in the security log, for a user as given below: 

    Type: Success Audit
    Event ID: 540

    User: mydomain\username
    Computer: database server

    Logon type: 3
    Logon process: NtLmSsp

    This user doesn't have permission to access the database server.  Is this a security bypass? Can anybody help me in understanding the situation?

    Saturday, November 15, 2008 7:25 AM

Answers

  •  

    Hi,

     

    Current information is not enough for us to draw conclusion.  Please check if there are Events in Event Log about this user and if there are Event 540 for other users.

     

    Logon Type 3 is network logon.  NTLMSSP (NT LAN Manager Security Support Provider) is a security support provider that is available on all versions of DCOM. It uses the Microsoft Windows NT LAN Manager (NTLM) protocol for authentication.

     

    The Event ID 540 means the mydomain\username passed the NLM authentication of database server computer. But it doesn’t mean this user have access to your confidential data.

     

    Authentication is the process to determine "who the user are". Authorization is the process to determine "what the user can do".

     

    If the user passed authentication but didn’t get authorization, he still cannot access your Oracle database.

     

    Please let us know your exact restrict settings.

     

    Do you restrict remote access to the server or access to Oracle database?

     

    If you would like to block remote access to the server, you should customize the "Access this computer from the network" Policy and give access right to users/computers permitted. By default, everyone are allowed to connect to the computer over the network.

     

    Please check if there is any sharing file using "net share" command. If your Oracle database server is a Domain Controller, SYSVOL folder was shared by default.

     

    Let us know the detailed checking result if the issue persists.

     

    Thanks

    Monday, November 17, 2008 9:03 AM
    Moderator