Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Tagged Content List
  • Blog Post: Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742

    In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events that contain a user account control (UAC) flags value: 4720 - user account creation 4738 - user account change 4741 - computer account creation 4742 - computer account change This...
  • Blog Post: Auditing Changes to Audit Policy

    Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into exactly what our behavior is for auditing audit policy and I wanted to share that with you. In Windows, we've always had auditing for changes to security policy. Audit policy has always been one aspect...
  • Blog Post: Minimizing Directory Service Audit Event Noise

    I've written before on noise reduction in the Windows security event log. I've also written to describe how object access auditing works. But, I still get questions on how to reduce noise from object access events. The other day I got that question, specific to Directory Service objects, on an internal...
  • Blog Post: Tracking User Logon Activity Using Logon Events

    I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable. It works in trivial cases (e.g. single machine where the...
  • Blog Post: WEvtUtil Scripting

    If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out. The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks around getting field delimiting correct. The...
  • Blog Post: Ned on Auditing

    I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point you guys there. His recent posts on auditing include...
  • Blog Post: ACS Event Transformation Demystified

    I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on the agent (using instructions provided at connect...
  • Blog Post: Documentation on the Windows Vista and Windows Server 2008 Security Events

    I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success events [528, 540] and 10 failure events [529-537...
  • Blog Post: The Trouble With Logoff Events

    A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense they are deterministic. However like many...
  • Blog Post: Auditing the Creation of Domain Controllers

    Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation of new domain controllers in your environment? Yeah, me neither :-) However if you ever want to, here's how. 1. The default SACL on Active Directory should suffice. However, if you have changed the...
  • Blog Post: Determining Whether a User Logged on Using A Smart Card

    I get asked the question pretty regularly how to determine from the security log whether a user logged on using a smart card or not. The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time being, especially if you're not running any...
  • Blog Post: How are object access events generated?

    I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There are 7 events associated with object access auditing in Windows: 560 is the "open handle" event. It is logged when an app asks for access to an object (via a call like CreateFile). An access...
  • Blog Post: Quick Overview of Object Access Auditing in Windows

    A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing tells you is actually "who touched the object and what did they ask for permission to do". The distinction is subtle, but...
  • Blog Post: Default ACLs on Windows Event Logs

    A question I get asked frequently: what are the default ACLs on Windows event logs? Here's the answer, straight from the source code with only a little formatting help from me, and in more detail than you probably care to know. Windows 2000: Application Event Log and custom event...
  • Blog Post: Setting SACLs on Services

    Have you ever wanted a record of admin activity regarding service management? For example, who stopped one of your services? Did you know that you can do this through auditing? It's actually really easy. The "Security Templates" MMC snap-in allows you to author security templates which will set...
  • Blog Post: Multiple Events for Successful Account Creation

    Here is the pattern you should expect to see when creating a local account. For domain accounts, you may also see some DS Access events as the account is created and the various properties are set. 560 SAM_DOMAIN handle open for CreateUser access 632 Add user to global group "None" <--- see previous...
  • Blog Post: Monitoring Active Directory Schema Changes

    As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes. First you need to put SACLs on the schema. Remember to replace any existing SACLs, disable propagation of the SACL from the parent, and force propagation to the subtree. Using ADSI Edit, create...
  • Blog Post: Monitoring Group Policy Changes with Windows Auditing

    I spent some time a while back analyzing logs, figuring out what you can do with group policy auditing on Windows Server 2003. I did not test Windows 2000; I suspect that much of this applies but YMMV. GP editing does leave an auditable trail of directory accesses and file accesses. Here is how to...