Windows Security Logging and Other Esoterica
thoughts from the Windows auditing team
August, 2005
Multiple Events for Successful Account Creation
Posted over 7 years ago by Eric Fitzgerald (0 comments)
Here is the pattern you should expect to see when creating a local account. For domain accounts, you may also see some DS Access events as the account is created and the various properties are set. 560 SAM_DOMAIN handle open for CreateUser access 632...
Multiple Events for Failed Account Creation
Posted over 7 years ago by Eric Fitzgerald (1 comment)
When you create a local user account on Windows, and you have enabled account management auditing, you will see multiple events that map into this single occurrence. I was actually going to file a change request on this, but I'm not sure that that is...
Logs and the Rules of Evidence
Posted over 7 years ago by Eric Fitzgerald (1 comment)
I quite frequently hear these questions: 1. My logs/log collection database aren't digitally signed, can I still use them in court? 2. My logs are in a text file that an admin can write to, can I still use them in court? Our legal department...
Delegating Access to the Security Log
Posted over 7 years ago by Eric Fitzgerald (1 comment)
I often get the question, how do I allow a group of auditors read access to my security logs without making them admins and without letting them clear the logs? To answer this, first you need to know, for what version of Windows? Prior to Windows Server...
COMMENT MY BLOG, PLEASE!
Posted over 7 years ago by Eric Fitzgerald (1 comment)
If you have auditing questions (as opposed to general security questions), please feel free to comment on my blog or send me email. I read it all and respond (eventually), and I love to post on new topics. I just want to make sure that this is useful stuff...
Another culprit causes too many object access events.
Posted over 7 years ago by Eric Fitzgerald (1 comment)
I encountered this in the course of investigating another report of "too many object access events". Evidently Exchange 2000 Server can cause a large number of handle close events with no corresponding handle open events. The KB article explains how to...
A Voice of Sanity from SANS
Posted over 7 years ago by Eric Fitzgerald (0 comments)
I was reading SANS NewsBites, a weekly email newsletter describing significant news around information security. I came across this article summary about a "security researcher" who got a light jail sentence after hacking into several organizations'...
Why don't I see the workstation name in logon events?
Posted over 7 years ago by Eric Fitzgerald (0 comments)
Top reasons: 1. In NTLM logons, it's subject to spoofing. There exist hacking tools which improperly populate the workstation field of the logon request. I don't know if this is intentional or not. 2. There is no way to carry this information in...
Monitoring Active Directory Schema Changes
Posted over 7 years ago by Eric Fitzgerald (1 comment)
As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes. First you need to put SACLs on the schema. Remember to replace any existing SACLs, disable propagation of the SACL from the parent, and force propagation...
Monitoring Group Policy Changes with Windows Auditing
Posted over 7 years ago by Eric Fitzgerald (6 comments)
I spent some time a while back analyzing logs, figuring out what you can do with group policy auditing on Windows Server 2003. I did not test Windows 2000; I suspect that much of this applies but YMMV. GP editing does leave an auditable trail of directory...
Deciphering Account Logon Events
Posted over 7 years ago by Eric Fitzgerald (7 comments)
One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories? The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about...
Page 1 of 1 (11 items)