Browse by Tags

All Tags » Descriptions » HowTo   (RSS)
Documentation on the Windows Vista and Windows Server 2008 Security Events
31 July 07 02:36 PM | Eric Fitzgerald | 2 Comments   
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the " add 4096 " rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...
Filed under: , , ,
The Trouble With Logoff Events
08 May 07 01:37 PM | Eric Fitzgerald | 1 Comments   
A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense Read More...
Filed under: , ,
How are object access events generated?
26 October 06 10:21 AM | Eric Fitzgerald | 2 Comments   
I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There are 7 events associated with object access auditing in Windows: 560 is the "open handle" event. It is logged when an app asks for access to an object (via Read More...
Filed under: ,
Quick Overview of Object Access Auditing in Windows
07 March 06 02:16 PM | Eric Fitzgerald | 1 Comments   
A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing tells you is actually "who touched the object and what did they ask for Read More...
Filed under: , ,
Page view tracker