Welcome to MSDN Blogs Sign in | Join | Help

Browse by Tags

All Tags » Descriptions » HowTo   (RSS)

Documentation on the Windows Vista and Windows Server 2008 Security Events

I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the " add 4096 " rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...
Posted Tuesday, July 31, 2007 2:36 PM by Eric Fitzgerald | 2 Comments
Filed under: , , ,

The Trouble With Logoff Events

A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense Read More...
Posted Tuesday, May 08, 2007 1:37 PM by Eric Fitzgerald | 2 Comments
Filed under: , ,

How are object access events generated?

I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There are 7 events associated with object access auditing in Windows: 560 is the "open handle" event. It is logged when an app asks for access to an object (via Read More...
Posted Thursday, October 26, 2006 10:21 AM by Eric Fitzgerald | 3 Comments
Filed under: ,

Quick Overview of Object Access Auditing in Windows

A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing tells you is actually "who touched the object and what did they ask for Read More...
Posted Tuesday, March 07, 2006 2:16 PM by Eric Fitzgerald | 2 Comments
Filed under: , ,
 
Page view tracker