Windows Security Logging and Other Esoterica - All Comments

re: Tracking User Logon Activity Using Logon Events

Adam — Mon, 13 Feb 2012 16:31:37 GMT

Eric, thanks for this information. I want to track MY OWN time without messing with some tray software, so this is very helpful information. In fact, your warnings help me make sure I don't *accidentially* circumvent my own logging.

re: Auditing Changes to Audit Policy

c3158 — Thu, 10 Nov 2011 22:38:56 GMT

Spoke with premier support today and received the fix. This issue arises b/c there is an audit .csv file in the following location which needs to be deleted for the machine to receive the group policy again. Delete the file and to a gpupdate /force and that should do it.

c:\windows\system32\GroupPolicy\Machine\Microsoft\WindowsNT\Audit\audit.csv

Contains :

Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value

re: Off Topic: Unicode Right-to-Left Override character used by malware

dblanchard — Thu, 15 Sep 2011 06:13:23 GMT

It took me a while to get this to work. Any good e-mail filter should catch

them still, but this would be useful for hosted files, and possibly

files inside archived directories.

Here are some (Win) methods for inserting Unicode characters into text:

www.fileformat.info/.../enter_unicode.htm, to input

The codes for RLO are 202E (hex) and 8238 (dec) and for LRO they are 202D (hex) and 8237 (dec).

I've made a copy of cmd.exe on my Win 7 (64 bit) desktop, renamed it

as "This is my cod.exe" and pasted the override character just before

the "c" in "cod" so that it is rendered as "This is my exe.doc" (a

working string is below for you to copy/paste). The icon still showed

as a command-line executable on my desktop so if I were compiling my

own exe, I'd be sure to make it appear as a Word 2003 doc.

Here is the working string, the RLO character seems to be just after

the 'c' i.e. at the end of the line, but is actually just before the

'c' in the middle of the string:

This is my ‮cod.exe

re: Auditing Changes to Audit Policy

Eric Fitzgerald — Sun, 04 Sep 2011 22:55:49 GMT

I'm sorry you don't think that 4719 tells you anything worthwhile. In fact it records who changed an audit policy setting, what setting was changed, and what it was changed to. So, for instance, if you're worried about administrators trying to cover their tracks by turning off audit policy, this would be something to look at.

Domain controllers apply policy every 5 minutes. So evidently you are applying advanced audit policy on your domain controllers OU.

If you don't care about this event, then turn off "Audit changes to audit policy" under the "Policy Change" category for your DC's, and you'll suppress these events.

re: Auditing Changes to Audit Policy

non-stop 4719 — Fri, 02 Sep 2011 22:33:16 GMT

on the domain controllers in my system each is getting 4719 90 times every 5 minutes..it's bad enough that 4719 tells me absolutely nothing worthwhile, worse yet that I can't turn this garbage off - which fills my security log to the point that I can't see actual important sec log events....

re: An interesting logging regulation that doesn't apply to Windows event logs...

SteveO — Wed, 27 Jul 2011 02:24:23 GMT

See: "Data- Driven"; Scientific American, 01/12/2004.

re: An interesting logging regulation that doesn't apply to Windows event logs...

SteveO — Tue, 26 Jul 2011 14:27:52 GMT

Neat post.

re: Monitoring Group Policy Changes with Windows Auditing

Eric Fitzgerald — Wed, 08 Jun 2011 16:33:04 GMT

Microsoft does offer a solution for GP auditing, called "Advanced Group Policy Management", part of the Microsoft Desktop Optmization Pack (MDOP): www.microsoft.com/.../agpm.aspx

You might already have a license for this depending on how you purchase licenses.

re: Tracking User Logon Activity Using Logon Events

Eric Fitzgerald — Fri, 03 Jun 2011 17:21:54 GMT

Hi Mike,

I'm not sure what you're trying to say here. It's obvious you took offense at something, but I don't know what that is.

There's no way to reliably perform this task, and it's often undertaken in the context of some sort of investigatory action against a user, therefore I don't recommend it. There is a significant potential for misinterpretation, and therefore the possibility of coming to an incorrect conclusion about a user's behavior.

I bothered posting at all because I know that there are many people who are asked to do this, so I explained how to do it as reliably as is possible.

You're free to take my advice or ignore it. It's up to you.

Best regards,

Eric

re: Tracking User Logon Activity Using Logon Events

Mike — Fri, 03 Jun 2011 13:23:49 GMT

For a company, screen lock, not screensaver is fairly common. Ours is set to 15 minutes due to our interpretation of FIPS140-2 for HIPAA/HITECH. For remote workers, it is very nice to be able to see how often a user is logged in. You can't possibly know what everyone in the world does for a job. They may not have tasks that churn on their computer. They may not have a screensaver at all, just a screen lock. They may use IE all day long for cloud based work. You presume too much based on your own experience. Thanks for the help, just don't hit me over the head with a club and call me stupid for doing my job.