
Ned on Auditing
19 April 08 08:14 PM | Eric Fitzgerald | 1 Comment
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point Read More...
ACS Event Transformation Demystified
27 February 08 05:43 PM | Eric Fitzgerald | 1 Comment
I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on the agent Read More...
Documentation on the Windows Vista and Windows Server 2008 Security Events
31 July 07 02:36 PM | Eric Fitzgerald | 2 Comments   
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success Read More...
The Trouble With Logoff Events
08 May 07 01:37 PM | Eric Fitzgerald | 1 Comment
A lot of you guys probably are using your SEM/SIEM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense Read More...
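The post above says logoff events are not strictly reliable. The following is an added example, not code from the post, of the logon/logoff correlation a SIEM typically does by Logon ID, written so that sessions with no matching logoff are reported separately instead of being silently treated as "still logged on". The sample records are constructed (a simplified "EventID,LogonID,User,Timestamp" form, not a real export format), the users and logon IDs are made up, and the event ID sets are assumptions: legacy 528/540 logon and 538/551 logoff, Vista/2008 4624 logon and 4634/4647 logoff.

```python
from collections import OrderedDict

# Constructed sample records, one per line as "EventID,LogonID,User,Timestamp".
# This is NOT a real Windows export format; it stands in for the fields a SIEM
# would extract from the Security log. Logon IDs and user names are made up.
SAMPLE_EVENTS = """\
528,0x3e7a1,alice,2007-05-08T09:00:00
540,0x3e9c2,svc-backup,2007-05-08T09:05:00
538,0x3e7a1,alice,2007-05-08T17:30:00
4624,0x5a11,bob,2008-02-27T08:10:00
4647,0x5a11,bob,2008-02-27T12:00:00
4624,0x5b22,carol,2008-02-27T08:15:00
4634,0x9999,mallory,2008-02-27T12:01:00
"""

# Assumed ID sets: legacy (2000/2003) 528 interactive / 540 network logon,
# 538 logoff, 551 user-initiated logoff; Vista/2008 4624 logon, 4634 logoff,
# 4647 user-initiated logoff.
LOGON_IDS = {528, 540, 4624}
LOGOFF_IDS = {538, 551, 4634, 4647}


def parse_events(text):
    """Turn the constructed text into (event_id, logon_id, user, timestamp) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, logon_id, user, timestamp = line.split(",")
        rows.append((int(event_id), logon_id, user, timestamp))
    return rows


def correlate_sessions(rows):
    """Pair logons with logoffs by Logon ID.

    Returns (closed, still_open, orphan_logoffs):
      closed         - sessions with both a logon and a logoff record
      still_open     - logons with no logoff seen; NOT proof the user is still on
      orphan_logoffs - logoffs whose logon was never seen (e.g. log rolled over)
    """
    open_sessions = OrderedDict()
    closed, orphans = [], []
    for event_id, logon_id, user, timestamp in rows:
        if event_id in LOGON_IDS:
            open_sessions[logon_id] = {"logon_id": logon_id, "user": user,
                                       "logon": timestamp, "logoff": None}
        elif event_id in LOGOFF_IDS:
            session = open_sessions.pop(logon_id, None)
            if session is None:
                orphans.append({"logon_id": logon_id, "user": user, "logoff": timestamp})
            else:
                session["logoff"] = timestamp
                closed.append(session)
    return closed, list(open_sessions.values()), orphans


def summarize(text=SAMPLE_EVENTS):
    """Report which users had a complete session, a missing logoff, or an orphan logoff."""
    closed, still_open, orphans = correlate_sessions(parse_events(text))
    return {
        "closed": [s["user"] for s in closed],
        "no_logoff": [s["user"] for s in still_open],
        "orphan_logoff": [o["user"] for o in orphans],
    }


if __name__ == "__main__":
    print(summarize())
```

The "no_logoff" bucket is the one to be careful with: a logon without a logoff record is exactly the case the post warns about, so a report should present those as "no logoff seen" rather than as an active session or a session duration.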
Auditing the Creation of Domain Controllers
03 May 07 11:36 AM | Eric Fitzgerald | 0 Comments   
Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation of new domain controllers in your environment? Yeah, me neither :-) However if you ever want to, here's how. 1. The default SACL on Active Directory should Read More...
Determining Whether a User Logged on Using A Smart Card
05 February 07 04:40 PM | Eric Fitzgerald | 0 Comments   
I get asked the question pretty regularly how to determine from the security log whether a user logged on using a smart card or not. The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time Read More...
How are object access events generated?
26 October 06 10:21 AM | Eric Fitzgerald | 2 Comments   
I wrote this as an answer for Tom, who emailed me, but I thought I'd share it with everyone. There are 7 events associated with object access auditing in Windows: 560 is the "open handle" event. It is logged when an app asks for access to an object (via Read More...
Quick Overview of Object Access Auditing in Windows
07 March 06 02:16 PM | Eric Fitzgerald | 1 Comment
A lot of people are unhappy with object access auditing on Windows, because what they want to know is "who touched the object and what did that person do", but what Windows auditing tells you is actually "who touched the object and what did they ask for Read More...
Setting SACLs on Services
09 December 05 09:46 AM | Eric Fitzgerald | 0 Comments   
Have you ever wanted a record of admin activity regarding service management? For example, who stopped one of your services? Did you know that you can do this through auditing? It's actually really easy. The "Security Templates" MMC snap-in allows you Read More...
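The post above describes putting a SACL on a service through the Security Templates snap-in. As an added example (not from the post), here is the same change made from the command line with sc.exe, which exposes a service's security descriptor as an SDDL string; the service name is an assumption for illustration, and the audit ACE's rights list is my choice of what is worth auditing. It must run from an elevated prompt, and the SACL only produces events once object access auditing is enabled in the audit policy.

```powershell
# Added example, not from the original post: place an audit ACE in a service's
# SACL with sc.exe instead of the Security Templates snap-in.
# Requires an elevated prompt. The service name is an assumption for illustration.
$svc = 'Spooler'

# sc.exe sdshow prints the service's security descriptor as one SDDL line
# (D: section = DACL, S: section = SACL). Pick out that line.
$sddl = (sc.exe sdshow $svc | Where-Object { $_ -match '^D:' }) -join ''
$sddl = $sddl.Trim()
if (-not $sddl) { throw "Could not read the security descriptor for $svc" }

# Audit ACE: AU = audit, SA/FA = log success and failure, trustee WD = Everyone.
# Service-specific rights in SDDL: RP = start, WP = stop, DT = pause/continue,
# DC = change config, WD/WO = write DACL / write owner.
$auditAce = '(AU;SAFA;RPWPDTDCWDWO;;;WD)'

if ($sddl -match 'S:') {
    # SACL already present: append our ACE unless it is already there
    if ($sddl -notlike "*$auditAce*") { $sddl += $auditAce }
} else {
    # no SACL yet: add one
    $sddl += "S:$auditAce"
}

sc.exe sdset $svc $sddl
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed for $svc (exit $LASTEXITCODE)" }

# Verify that the SACL now contains the audit ACE
sc.exe sdshow $svc
```

Once the ACE is in place and object access auditing is on, stopping the service shows up as an object access event for a service object naming the account and the access requested (the "open handle" event 560 on Windows 2003, as described in the object access post further down this page). Keep the rights list narrow; auditing generic read rights on a busy service produces far more log volume than the admin activity you are after.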
Multiple Events for Successful Account Creation
29 August 05 04:49 PM | Eric Fitzgerald | 0 Comments   
Here is the pattern you should expect to see when creating a local account. For domain accounts, you may also see some DS Access events as the account is created and the various properties are set. 560 SAM_DOMAIN handle open for CreateUser access 632 Read More...
Monitoring Active Directory Schema Changes
08 August 05 03:25 PM | Eric Fitzgerald | 1 Comment
As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes. First you need to put SACLs on the schema. Remember to replace any existing SACLs, disable propagation of the SACL from the parent, and force propagation Read More...
Monitoring Group Policy Changes with Windows Auditing
04 August 05 06:39 PM | Eric Fitzgerald | 5 Comments   
I spent some time a while back analyzing logs, figuring out what you can do with group policy auditing on Windows Server 2003. I did not test Windows 2000; I suspect that much of this applies but YMMV. GP editing does leave an auditable trail of directory Read More...