Welcome to MSDN Blogs Sign in | Join | Help

August 2005 - Posts

Multiple Events for Successful Account Creation

Here is the pattern you should expect to see when creating a local account. For domain accounts, you may also see some DS Access events as the account is created and the various properties are set. 560 SAM_DOMAIN handle open for CreateUser access 632 Read More...
Posted Monday, August 29, 2005 4:49 PM by Eric Fitzgerald | 1 Comments
Filed under:

Multiple Events for Failed Account Creation

When you create a local user account on Windows, and you have enabled account management auditing, you will see multiple events that map into this single occurrence. I was actually going to file a change request on this, but I'm not sure that that is Read More...
Posted Monday, August 29, 2005 4:07 PM by Eric Fitzgerald | 1 Comments
Filed under:

Logs and the Rules of Evidence

I quite frequently hear these questions: 1. My logs/log collection database aren't digitally signed, can I still use them in court? 2. My logs are in a text file that an admin can write to, can I still use them in court? Our legal department would not Read More...
Posted Thursday, August 25, 2005 11:02 AM by Eric Fitzgerald | 1 Comments
Filed under:

Delegating Access to the Security Log

I often get the question, how do I allow a group of auditors read access to my security logs without making them admins and without letting them clear the logs? To answer this, first you need to know, for what version of Windows? Prior to Windows Server Read More...
Posted Wednesday, August 24, 2005 11:08 AM by Eric Fitzgerald | 1 Comments
Filed under:

COMMENT MY BLOG, PLEASE!

If you have auditing questions (as opposed to general security questions), please feel free to comment my blog or send me email. I read it all and respond (eventually), and I love to post on new topics. I just want to make sure that this is useful stuff. Read More...
Posted Wednesday, August 24, 2005 11:06 AM by Eric Fitzgerald | 1 Comments

Another culprit causes too many object access events.

I encountered this in the course of investigating another report of "too many object access events". Evidently Exchange 2000 Server can cause a large number of handle close events with no corresponding handle open events. The KB article explains how to Read More...
Posted Thursday, August 18, 2005 10:17 AM by Eric Fitzgerald | 1 Comments
Filed under:

A Voice of Sanity from SANS

I was reading SANS NewsBites , a weekly email newsletter describing significant news around information security. I came across this article summary about a "security researcher" who got a light jail sentence after hacking into several organizations' Read More...
Posted Friday, August 12, 2005 2:19 PM by Eric Fitzgerald | 0 Comments

Why don't I see the workstation name in logon events?

Top reasons: 1. In NTLM logons, it's subject to spoofing. There exist hacking tools which improperly populate the workstation field of the logon request. I don't know if this is intentional or not. 2. There is no way to carry this information in LDAP Read More...
Posted Tuesday, August 09, 2005 1:19 PM by Eric Fitzgerald | 0 Comments
Filed under: ,

Monitoring Active Directory Schema Changes

As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes. First you need to put SACLs on the schema. Remember to replace any existing SACLs, disable propagaion of the SACL from the parent, and force propagation Read More...
Posted Monday, August 08, 2005 3:25 PM by Eric Fitzgerald | 1 Comments
Filed under:

Monitoring Group Policy Changes with Windows Auditing

I spent some time a while back analyzing logs, figuring out what you can do with group policy auditing on Windows Server 2003. I did not test Windows 2000; I suspect that much of this applies but YMMV. GP editing does leave an auditable trail of directory Read More...
Posted Thursday, August 04, 2005 6:39 PM by Eric Fitzgerald | 3 Comments
Filed under:

Deciphering Account Logon Events

One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories? The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, Read More...
Posted Thursday, August 04, 2005 6:03 PM by Eric Fitzgerald | 6 Comments
Filed under:
 
Page view tracker