August 2005 - Posts

Multiple Events for Successful Account Creation
29 August 05 04:49 PM | Eric Fitzgerald | 0 Comments   
Here is the pattern you should expect to see when creating a local account. For domain accounts, you may also see some DS Access events as the account is created and the various properties are set. 560 SAM_DOMAIN handle open for CreateUser access 632 Read More...
Filed under:
Multiple Events for Failed Account Creation
29 August 05 04:07 PM | Eric Fitzgerald | 1 Comments   
When you create a local user account on Windows, and you have enabled account management auditing, you will see multiple events that map into this single occurrence. I was actually going to file a change request on this, but I'm not sure that that is Read More...
Filed under:
Logs and the Rules of Evidence
25 August 05 11:02 AM | Eric Fitzgerald | 1 Comments   
I quite frequently hear these questions: 1. My logs/log collection database aren't digitally signed, can I still use them in court? 2. My logs are in a text file that an admin can write to, can I still use them in court? Our legal department would not Read More...
Filed under:
Delegating Access to the Security Log
24 August 05 11:08 AM | Eric Fitzgerald | 1 Comments   
I often get the question, how do I allow a group of auditors read access to my security logs without making them admins and without letting them clear the logs? To answer this, first you need to know, for what version of Windows? Prior to Windows Server Read More...
Filed under:
COMMENT MY BLOG, PLEASE!
24 August 05 11:06 AM | Eric Fitzgerald | 1 Comments   
If you have auditing questions (as opposed to general security questions), please feel free to comment my blog or send me email. I read it all and respond (eventually), and I love to post on new topics. I just want to make sure that this is useful stuff. Read More...
Another culprit causes too many object access events.
18 August 05 10:17 AM | Eric Fitzgerald | 1 Comments   
I encountered this in the course of investigating another report of "too many object access events". Evidently Exchange 2000 Server can cause a large number of handle close events with no corresponding handle open events. The KB article explains how to Read More...
Filed under:
A Voice of Sanity from SANS
12 August 05 02:19 PM | Eric Fitzgerald | 0 Comments   
I was reading SANS NewsBites , a weekly email newsletter describing significant news around information security. I came across this article summary about a "security researcher" who got a light jail sentence after hacking into several organizations' Read More...
Why don't I see the workstation name in logon events?
09 August 05 01:19 PM | Eric Fitzgerald | 1 Comments   
Top reasons: 1. In NTLM logons, it's subject to spoofing. There exist hacking tools which improperly populate the workstation field of the logon request. I don't know if this is intentional or not. 2. There is no way to carry this information in LDAP Read More...
Filed under:
Monitoring Active Directory Schema Changes
08 August 05 03:25 PM | Eric Fitzgerald | 1 Comments   
As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes. First you need to put SACLs on the schema. Remember to replace any existing SACLs, disable propagaion of the SACL from the parent, and force propagation Read More...
Filed under:
Monitoring Group Policy Changes with Windows Auditing
04 August 05 06:39 PM | Eric Fitzgerald | 5 Comments   
I spent some time a while back analyzing logs, figuring out what you can do with group policy auditing on Windows Server 2003. I did not test Windows 2000; I suspect that much of this applies but YMMV. GP editing does leave an auditable trail of directory Read More...
Filed under:
Deciphering Account Logon Events
04 August 05 06:03 PM | Eric Fitzgerald | 7 Comments   
One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories? The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, Read More...
Filed under:
Page view tracker