Windows Server 2008 Security Events Posted
16 April 08 11:09 PM | Eric Fitzgerald | 1 Comments   
Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base. Even better, they documented all the events in spreadsheet format, and that's Read More...
You learn something new every day- Logon Type 0
26 February 08 12:49 PM | Eric Fitzgerald | 1 Comments   
Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong. The logon event ( 528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field Read More...
I always wondered who Björn was...
17 January 08 02:47 PM | Eric Fitzgerald | 1 Comments   
OK here's something I just remembered today. I may be the last person who remembers this so it's important that I record this somewhere. In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into the Read More...
Why does Windows XP generate so many logon failure events?
09 November 07 03:23 PM | Eric Fitzgerald | 3 Comments   
I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no Read More...
List of Windows Server 2003 Events
12 October 07 11:45 AM | Eric Fitzgerald | 1 Comments   
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions". This article was the "schema" so to speak, for the Windows NT 4.0 security event log events. Technically Windows events Read More...
Documentation on the Windows Vista and Windows Server 2008 Security Events
31 July 07 02:36 PM | Eric Fitzgerald | 2 Comments   
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...
The Trouble With Logoff Events
08 May 07 01:37 PM | Eric Fitzgerald | 1 Comments   
A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense Read More...
How are object access events generated?
26 October 06 10:21 AM | Eric Fitzgerald | 2 Comments   
I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There are 7 events associated with object access auditing in Windows: 560 is the "open handle" event. It is logged when an app asks for access to an object (via Read More...
Quick Overview of Object Access Auditing in Windows
07 March 06 02:16 PM | Eric Fitzgerald | 1 Comments   
A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing tells you is actually "who touched the object and what did they ask for Read More...
Privilege Use- what do we audit, and when?
05 December 05 04:06 PM | Eric Fitzgerald | 0 Comments   
Odd thing today- I got two questions about the obscure "FullPrivilegeAuditing" registry setting- so I thought I'd post my answer. Some of this is not new, I posted on the Windows Server 2003 SP1 changes to auditing a while back. Event IDs 577 and 578 Read More...
Deciphering Account Logon Events
04 August 05 06:03 PM | Eric Fitzgerald | 7 Comments   
One of the most common questions that I get about Windows Auditing is, how come you guys were so @#%! stupid that you put in two logon categories? The answer is actually pretty simple- we're bad at choosing names. "Account Logon" isn't really about logon, Read More...
Events 528 and 540
09 December 04 05:59 PM | Eric Fitzgerald | 4 Comments   
Logon events. Event 528 and Event 540 are the Logon events. Event 528 is for all logons except "network" logons. "Network" logons are SMB/Microsoft-DS logons (i.e. connecting to a share). RDP, IIS, FTP logons, etc., are event 528 even though credentials Read More...