ALE Service Account

7 replies to this topic

#1 wedefelt (Newbie, Members, 5 posts)

Posted 19 September 2014 - 07:59 AM

Hi,

We have stumbled upon a strange issue with the service account that is used for the Account Lockout Examiner.

On a computer where the ALE has been installed, the service account shows up as the account responsible for generating a lot of web traffic in the application we use to monitor our web traffic, Websense.

The user who has ALE installed logs on to the computer with his user account, starts ALE with his admin account and then leaves the ALE console open while he does other things on his computer. As this is a computer from the support staff, they have time to surf the web and look at different streaming pages in between calls. Although it is the user on the computer who surfs the web and looks at streaming services, in Websense it shows that it is the service account that is responsible for generating this traffic.

I thought that perhaps the service account was running some other processes on the computer besides ALEService.exe, but the service account only shows up registered to this service, and none of the other services/processes are registered with the service account.

Any ideas or suggestions why this is happening?

Regards

Anderz
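The check described in this post (is the service account running anything besides ALEService.exe?) can be made repeatable and extended to logon sessions, which is where a proxy or agent doing user attribution would normally look. The following is an added example, not code from the thread or from the Netwrix product; the account name is an assumption and must be replaced with your own. It lists the services configured to run as the account, the processes currently owned by it, and the logon sessions it holds together with their logon type. Run it elevated on the workstation in question.

```powershell
# Added example: enumerate what a given account owns on this host.
# $Account is an assumed name; replace it with your real service account.
param(
    [string] $Account = 'CONTOSO\netwrixale'
)

# 1. Services whose configured logon account is $Account
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -ieq $Account } |
    Select-Object Name, State, StartName, PathName

# 2. Processes currently running under $Account (elevation needed to see other users' processes)
$processes = Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.ReturnValue -eq 0 -and ("$($owner.Domain)\$($owner.User)") -ieq $Account) {
        [pscustomobject]@{ Pid = $_.ProcessId; Name = $_.Name; SessionId = $_.SessionId }
    }
}

# 3. Logon sessions held by $Account and their type.
#    A service normally holds exactly one session of type 5 (Service); an
#    Interactive (2) or RemoteInteractive (10) session means someone is
#    actually logged on, or has launched something, with those credentials.
$logonTypes = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}
$sessions = Get-CimInstance Win32_LoggedOnUser | ForEach-Object {
    $acct = "$($_.Antecedent.Domain)\$($_.Antecedent.Name)"
    if ($acct -ieq $Account) {
        $s = Get-CimInstance Win32_LogonSession -Filter "LogonId='$($_.Dependent.LogonId)'"
        [pscustomobject]@{
            LogonId   = $s.LogonId
            LogonType = $logonTypes[[int]$s.LogonType]
            StartTime = $s.StartTime
        }
    }
}

"== Services running as $Account ==";      $services  | Format-Table -AutoSize
"== Processes owned by $Account ==";       $processes | Format-Table -AutoSize
"== Logon sessions held by $Account ==";   $sessions  | Sort-Object LogonId -Unique | Format-Table -AutoSize
```

Compare the session list with what the proxy reports: if the only session is type 5 (Service) and the only process is the ALE service, then whatever is mapping browser traffic to that account is not doing it from a Windows logon session on this machine.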

#2 jeffb (Advanced Member, Administrators, 384 posts, Gender: Male)

Posted 19 September 2014 - 03:08 PM

wedefelt,

Is the user by chance logging in with the service account? The Account Lockout Examiner shouldn't need access to the internet at all. Do you have any specifics on what kind of web traffic is being generated? I assume you aren't talking about network traffic as the product can be known to generate quite a bit of that if collecting security logs from workstations.

-Jeff

#3 wedefelt (Newbie, Members, 5 posts)

Posted 22 September 2014 - 07:11 AM

Hi Jeff,

No, the user does not log in with the service account. I can get more specific details on the web traffic that is registered under the service account, I have to get it from a colleague of mine working with Websense. I'll talk to him today and post the information later on.

TIA

Anderz

#4 wedefelt (Newbie, Members, 5 posts)

Posted 22 September 2014 - 08:59 AM

Hi Jeff,

See below, I have copied this from the report produced by Websense, since I can't seem to find a way to add an attachment to the post...

User: NetWrix ALE, Service [netwrixale] > URL Hostname [Period: 2014-09-09 >> 2014-09-22] 2014-09-22 10:44:03

URL Hostname Bandwidth [KB]
download.microsoft.com 3,545,598
svt03-lh.akamaihd.net 1,365,829
cs543406v4.vk.me 1,131,319
cs541405v4.vk.me 1,112,871
svtplay11d-f.akamaihd.net 899,910
svtplay6m-f.akamaihd.net 692,971
svtplay17a-f.akamaihd.net 612,003
80.239.254.159 603,132
80.239.254.166 601,086
svtplay5j-f.akamaihd.net 552,140
svtplay4b-f.akamaihd.net 525,969
svtplay8c-f.akamaihd.net 350,856
r4---sn-uxap5nvoxg5-5gol.googlevideo.com 319,264
80.239.254.156 244,908
svtplay2c-f.akamaihd.net 190,025
37.77.190.143 173,221
72.3.131.241 132,329
r1---sn-uxap5nvoxg5-5goe.googlevideo.com 106,553
31.13.71.7 101,754
199.16.156.201 100,640
r3---sn-uxap5nvoxg5-5gol.googlevideo.com 88,264
31.13.71.23 86,596
tv4playhds-f.akamaihd.net 85,285
173.252.100.27 76,574
cdn2.teads.tv 75,604
r8---sn-uxap5nvoxg5-5goe.googlevideo.com 75,408
23.223.26.224 74,555
www.svt.se 71,449
23.212.108.142 70,663
31.13.71.71 67,301
74.125.232.238 64,088
37.77.191.148 61,830
80.239.230.215 54,878
23.212.108.169 53,113
23.212.108.129 51,212
31.13.71.87 50,818
cdn.flashtalking.com 49,991
r5---sn-uxap5nvoxg5-5gol.googlevideo.com 47,279
23.212.108.113 46,816
217.146.31.6 46,057
svtplay16k-f.akamaihd.net 43,173
s.ytimg.com 40,873
r2---sn-uxap5nvoxg5-5gol.googlevideo.com 40,834
80.239.217.128 40,711
199.16.156.52 39,739
78.41.244.66 38,755
c0.cdn.hittahem.se 38,598
downloadmirror.intel.com 35,912
www.blocket.se 34,998
r7---sn-uxap5nvoxg5-5gol.googlevideo.com 34,691
s1.adform.net 34,645
svtplay13a-f.akamaihd.net 34,561
23.212.108.112 31,962
www.svd.se 31,444
r3---sn-uxap5nvoxg5-5goe.googlevideo.com 29,112
ads.aftonbladet.se 28,860
www.dn.se 28,591
aftonbladet-vod.dcp.adaptive.level3.net 26,884
ftp.sunet.se 25,688
23.212.108.120 24,912
sydkustloppet.se 24,622
23.212.108.94 24,268
fusion.adtoma.com 23,823
23.212.108.111 23,558
23.212.108.134 23,105
23.212.108.104 22,775
r8---sn-uxap5nvoxg5-5gol.googlevideo.com 22,578
80.156.249.31 22,454
74.125.232.225 22,136
www.telenor.se 22,062
r7---sn-uxap5nvoxg5-5goe.googlevideo.com 21,615
static.hitta.se 20,582
mds3.pliing.com 20,552
kent.dl.sourceforge.net 20,450
213.155.151.144 20,210
fusion.dn.se 20,002
system2.byggnet.com 19,802
74.125.232.248 18,797
d2.dn-static.se 18,396
74.125.232.247 18,212
dn-se.c.richmetrics.com 18,082
www.facebook.com 18,058
193.44.164.158 17,727
pagead2.googlesyndication.com 17,630
www.tv.nu 17,421
bn-01.adtomafusion.com 17,238
d1.dn-static.se 17,193
supportknappen.se 17,193
r6---sn-uxap5nvoxg5-5goe.googlevideo.com 16,691
h20566.www2.hp.com 15,746
23.212.108.89 15,631
129.178.53.12 15,538
fusion.cheaposaurus.se 15,233
track.adform.net 15,025
i.ytimg.com 14,927
www.lajkat.se 14,807
23.212.108.143 14,060
compass.surface.com 13,902
193.12.20.12 13,551
r2---sn-uxap5nvoxg5-5goe.googlevideo.com 13,455
195.12.232.155 13,344
oas.dn.se 13,091
www.karlssonuddare.se 13,081
207.123.51.9 12,368
23.212.108.167 12,143
letsdeal-splashes.s3.amazonaws.com 11,985
www.stockholmsmarknader.se 11,959
ad.360yield.com 11,888
23.212.108.126 11,776
cdn.vidible.tv 11,507
040ed86fc6b8c8a6e10d9eb8fdb081e4.httpcache0.03837-httpcache0.dna.qbrick.com 11,344
8.254.101.27 11,279
d1c79260aeb0ef15488f60c5fd78a032.httpcache0.03837-httpcache0.dna.qbrick.com 11,243
23.212.108.137 11,222
aka-cdn-ns.adtech.de 11,141
74.125.232.231 10,870
www.santattoomalmo.se 10,821
68.232.35.139 10,770
74.125.232.232 10,616

#5 jeffb (Advanced Member, Administrators, 384 posts, Gender: Male)

Posted 23 September 2014 - 11:52 AM

wedefelt,

There is a lot of information there and I'm not 100% sure how to interpret it, but I see some Google video traffic and some Facebook as well as some .de sites. I apologize, but that looks like a user's traffic to me and not software.

-Jeff

#6 wedefelt (Newbie, Members, 5 posts)

Posted 23 September 2014 - 12:06 PM

Correct, it is user traffic. But for some reason, in Websense, the user responsible for generating this traffic is the service account used for ALE. If ALE is not running, then the traffic generated is attributed to the logged-on user; if ALE is running, then the service account is the one attributed with generating the traffic.

#7 jeffb (Advanced Member, Administrators, 384 posts, Gender: Male)

Posted 24 September 2014 - 01:12 PM

Wedefelt,

I'm not sure. How does websense attribute users to network traffic?

-Jeff

#8 wedefelt (Newbie, Members, 5 posts)

Posted 25 September 2014 - 06:57 AM

Hi Jeff,

Good question. I don't know. I have asked my colleague this question and he is a bit uncertain, but he will look into it. Anyway, we have added the service account to the following GPO settings to see if there were any changes in Websense.

Added the service account to:

- Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally

and to

- Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service

Unfortunately Websense still thinks that the service account is out surfing the web....

I'll see if I can get some information from my colleague in regards to how Websense tracks the user traffic...

TIA

Anderz
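Before concluding that the two user-rights changes above had no effect, it is worth confirming they actually applied on the workstation: Group Policy user-rights assignments replace the whole list for that right, so a missing or misapplied setting is easy to miss. The following is an added example, not from the thread or from Netwrix; the account name is an assumption. It exports the effective local security policy with `secedit`, resolves the SIDs in the `[Privilege Rights]` section to account names, and reports whether the account is present under `SeDenyInteractiveLogonRight` ("Deny log on locally") and `SeServiceLogonRight` ("Log on as a service"). Run it elevated after `gpupdate /force`.

```powershell
# Added example: verify which accounts hold two user rights on this host.
# $Account is an assumed name; replace it with your real service account.
param(
    [string] $Account = 'CONTOSO\netwrixale'
)

$cfg = Join-Path $env:TEMP 'userrights.inf'
# Export only the user-rights area of the effective local security policy
secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# Exported lines look like:  SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105
# Entries prefixed with '*' are SIDs; the rest are already account names.
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $rights[$name] = @($Matches[2].Split(',') | ForEach-Object {
            $token = $_.Trim()
            if ($token.StartsWith('*')) {
                try {
                    ([System.Security.Principal.SecurityIdentifier] $token.Substring(1)).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $token }   # unresolvable SID (deleted account, untrusted domain): keep raw
            } else { $token }
        })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report the two rights the post changed; a right with no line at all is held by nobody.
foreach ($right in 'SeDenyInteractiveLogonRight', 'SeServiceLogonRight') {
    $holders = if ($rights.ContainsKey($right)) { $rights[$right] } else { @() }
    $status  = if ($holders -icontains $Account) { 'present' } else { 'MISSING' }
    '{0,-28} {1}: {2}' -f $right, $Account, $status
    '  holders: ' + ($holders -join ', ')
}
```

If `SeServiceLogonRight` shows the account as present but the service stops starting after the GPO applied, the list has been replaced rather than extended and other service accounts were dropped; the `holders` line makes that visible.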
