Windows Security Logging and Other Esoterica

I've written before on noise reduction in the Windows security event log. I've also written to describe how object access auditing works . But, I still get questions on how to reduce noise from object access events. The other day I got that question, Read More...

I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable . It works Read More...

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point Read More...

I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the " add 4096 " rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...

A lot of you guys probably are using your SEM/SEIM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense Read More...

I get asked the question pretty regularly how to determine from the security log whether a user logged on using a smart card or not. The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time Read More...