Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Tagged Content List
  • Blog Post: Auditing Changes to Audit Policy

    Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into exactly what our behavior is for auditing audit policy and I wanted to share that with you. In Windows, we've always had auditing for changes to security policy. Audit policy has always been one aspect...
  • Blog Post: XPath to generate a list of NTLM authentications on Windows Vista or Later

    Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should- sorry about that. I am working on a different project now but I am still in close touch with the auditing team and I'll try to do better. Anyway a question that I hear regularly is, "how do I find all the...
  • Blog Post: Auditing system impact on performance

    UPDATE 2010-06-06 (EricF) - Fixed Vista+ architecture image; link was broken on migration to new blog platform. I get questions from time to time, such as my recent offline question from Steve, about what performance impact auditing has on the system as a whole. To answer this you need to understand...
  • Blog Post: Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

    I've written twice (here and here) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03...
  • Blog Post: Minimizing Directory Service Audit Event Noise

    I've written before on noise reduction in the Windows security event log. I've also written to describe how object access auditing works. But, I still get questions on how to reduce noise from object access events. The other day I got that question, specific to Directory Service objects, on an internal...
  • Blog Post: Tracking User Logon Activity Using Logon Events

    I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable. It works in trivial cases (e.g. single machine where the...
  • Blog Post: Ned on Auditing

    I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point you guys there. His recent posts on auditing include...
  • Blog Post: You learn something new every day- Logon Type 0

    Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong. The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field called a Logon Type. This is a code that is passed...
  • Blog Post: Why does Windows XP generate so many logon failure events?

    I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no "tell me if this user account has a blank...
  • Blog Post: List of Windows Server 2003 Events

    So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions". This article was the "schema" so to speak, for the Windows NT 4.0 security event log events. Technically Windows events are not schematized until Windows Vista; or put...
  • Blog Post: Help! Someone has deleted events from my Windows event log!

    From time to time I hear this, and it usually turns out not to be the case. I'll begin with a little background. First, the eventlog service does not have (and never did have) any public or private API to delete individual events- there is a log clear API but nothing else. The eventlog team thought...
  • Blog Post: Documentation on the Windows Vista and Windows Server 2008 Security Events

    I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success events [528, 540] and 10 failure events [529-537...
  • Blog Post: The Trouble With Logoff Events

    A lot of you guys probably are using your SEM/SIEM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense they are deterministic. However like many...
  • Blog Post: Enumerating Stuff in AD when all you see is GUIDs in Audit Records

    A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is that? Well, the Event Viewer in Windows only translates one kind of AD GUID, the objectGUID. However AD uses GUIDs in several ways. For instance, group policy objects have a common name (CN) which is a...
  • Blog Post: Where do I get my information on Windows auditing?

    You might want to know where I go to get my information on audit events and so forth. Mostly I go to the source code or one of our developers. For continuity-of-employment reasons I won't be posting a link to that here ;-) We have some old specs and some new specs but sometimes the code doesn't function...
  • Blog Post: Determining Whether a User Logged on Using A Smart Card

    I get asked the question pretty regularly how to determine from the security log whether a user logged on using a smart card or not. The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time being, especially if you're not running any...
  • Blog Post: Trustworthiness of Information in Audit Records

    I get asked quite often "why is the Workstation name missing from some events?" I've explained that elsewhere. But this raises another issue that many of you might not have considered, and I want to take a few minutes to explain. The Windows Security event log is designed to be as trustworthy as...
  • Blog Post: A good 3rd-party reference to the Windows security event log

    Randy Franklin Smith has a site with a very good reference to security event log events. Randy also does training on Windows security log analysis.
  • Blog Post: Default ACLs on Windows Event Logs

    A question I get asked frequently: what are the default ACLs on Windows event logs? Here's the answer, straight from the source code with only a little formatting help from me, and in more detail than you probably care to know. Windows 2000: Application Event Log and custom event...
  • Blog Post: What the heck are "Primary User" and "Client User"?

    Windows has a feature called "impersonation", by which a process running as one user account can assume, on a single thread, the identity of another logged-on user account, for purposes of performing some action on behalf of the second account. This makes sure that we get access control right. ...
  • Blog Post: How does Windows Audit meet Common Criteria compliance standards?

    Actually most of our auditing work in Windows has historically been done in order to meet ITSec C2, and later Common Criteria EAL4 requirements. I just stumbled on this document, which describes the requirements and what we audit to meet the requirements. Of course, starting in Windows Server...
  • Blog Post: Preventing Log Evasion in IIS

    Evidently it's possible to craft an IIS request that will cause IIS not to log request detail. Here is a link to an article which describes the problem, and how to work around it. This is non-Microsoft content, so YMMV.
  • Blog Post: Multiple Events for Failed Account Creation

    When you create a local user account on Windows, and you have enabled account management auditing, you will see multiple events that map into this single occurrence. I was actually going to file a change request on this, but I'm not sure that that is the right thing to do. Here's why. The event pattern...
  • Blog Post: Logs and the Rules of Evidence

    I quite frequently hear these questions: 1. My logs/log collection database aren't digitally signed, can I still use them in court? 2. My logs are in a text file that an admin can write to, can I still use them in court? Our legal department would not like it if I gave legal advice, so I'm just...
  • Blog Post: Delegating Access to the Security Log

    I often get the question, how do I allow a group of auditors read access to my security logs without making them admins and without letting them clear the logs? To answer this, first you need to know, for what version of Windows? Prior to Windows Server 2003, there was only one access control mechanism...
Page 1 of 2 (29 items)