Windows Security Logging and Other Esoterica
thoughts from the Windows auditing team
Ned on Auditing
19 April 08 08:14 PM | Eric Fitzgerald | 1 Comment
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point
Read More...
You learn something new every day- Logon Type 0
26 February 08 12:49 PM | Eric Fitzgerald | 1 Comment
Today I encountered something new in the logon event. I thought that was old hat and I knew all there was to know about it, but I guess I was wrong. The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field
Read More...
Why does Windows XP generate so many logon failure events?
09 November 07 03:23 PM | Eric Fitzgerald | 3 Comments
I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no
Read More...
List of Windows Server 2003 Events
12 October 07 11:45 AM | Eric Fitzgerald | 1 Comment
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions". This article was the "schema", so to speak, for the Windows NT 4.0 security event log events. Technically Windows events
Read More...
Help! Someone has deleted events from my Windows event log!
10 August 07 03:59 PM | Eric Fitzgerald | 1 Comment
From time to time I hear this, and it usually turns out not to be the case. I'll begin with a little background. First, the eventlog service does not have (and never did have) any public or private API to delete individual events; there is a log clear
Read More...
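Since individual events cannot be deleted, the two things worth checking when someone reports "missing" events are whether the log was cleared (event 517 pre-Vista, 1102 on Vista and later) and whether the retained record numbers are still contiguous, since the eventlog service assigns them sequentially. The following is an added example, not code from the post; it assumes each exported record carries its record number and event ID as shown, and the sample records are constructed.

```python
"""Check an exported security log for the symptoms that would accompany
deleted events: a log-cleared event, or a gap in the record-number sequence.

Added example (not from the post). Assumes each record is a dict with
"RecordNumber" and "EventID"; SAMPLE_RECORDS below is constructed.
"""

# "The audit log was cleared": 517 on NT4/2000/XP/2003, 1102 on Vista/2008+.
LOG_CLEARED_IDS = {517, 1102}


def audit_gaps(records):
    """Return (gaps, clears, duplicates) for a set of records.

    gaps       - (previous, next) record-number pairs that are not consecutive.
                 Log wrap discards the *oldest* records, which shifts the start
                 of the range but keeps the retained records contiguous, so a
                 missing head of the log is not reported as a gap.
    clears     - record numbers of log-cleared events in the sample.
    duplicates - record numbers seen more than once (collector replay, not
                 tampering, but worth knowing before you compare ranges).
    """
    ordered = sorted(records, key=lambda r: r["RecordNumber"])
    gaps = []
    duplicates = []
    for prev, cur in zip(ordered, ordered[1:]):
        delta = cur["RecordNumber"] - prev["RecordNumber"]
        if delta == 0:
            duplicates.append(cur["RecordNumber"])
        elif delta != 1:
            gaps.append((prev["RecordNumber"], cur["RecordNumber"]))
    clears = [r["RecordNumber"] for r in ordered if r["EventID"] in LOG_CLEARED_IDS]
    return gaps, clears, duplicates


def verdict(records):
    """Summarize the findings as a short string for a ticket or report."""
    gaps, clears, dups = audit_gaps(records)
    if clears:
        return f"log cleared at record(s) {clears}"
    if gaps:
        return f"record-number gap(s) {gaps}: compare with the log on the host"
    if dups:
        return f"duplicate record(s) {dups}: collector replayed events"
    return "records contiguous, no clear event"


# Constructed sample: one gap (1004-1005 absent) and one log-cleared event.
SAMPLE_RECORDS = [
    {"RecordNumber": 1001, "EventID": 4624},
    {"RecordNumber": 1002, "EventID": 4672},
    {"RecordNumber": 1003, "EventID": 4634},
    {"RecordNumber": 1006, "EventID": 4624},
    {"RecordNumber": 1007, "EventID": 1102},
]

if __name__ == "__main__":
    print(verdict(SAMPLE_RECORDS))
```

A gap in records that arrived through a collection agent most often means the collector dropped or never fetched them, not that the log on the host was edited; read the record numbers from the host's own log before concluding anything.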
Documentation on the Windows Vista and Windows Server 2008 Security Events
31 July 07 02:36 PM | Eric Fitzgerald | 2 Comments
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success
Read More...
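The "add 4096" rule is a useful heuristic (528 + 4096 = 4624, 560 + 4096 = 4656, 680 + 4096 = 4776) but not a mapping: 540 + 4096 = 4636 is not an event at all, because the network logon success was folded into 4624, and every pre-Vista logon failure (529 through 537 and 539) became 4625 with the distinction moved into the Status/SubStatus fields. The following added example (not the post's code, and not a Microsoft-published table) carries the exceptions I am certain of and falls back to the heuristic for everything else; treat the fallback as a guess to be confirmed against the event documentation.

```python
"""Translate pre-Vista security event IDs to Vista / Server 2008 IDs.

Added example, not from the post. EXCEPTIONS holds the collapsed logon events
and the log-cleared event; every other ID is translated with +4096, which is a
heuristic (it says nothing about whether the target ID exists).
"""

EXCEPTIONS = {
    517: 1102,   # audit log cleared: moved to the Eventlog provider, not +4096
    528: 4624,   # successful interactive logon  -> single success event
    540: 4624,   # successful network logon      -> same single success event
}
# Every pre-Vista logon failure collapsed into 4625; Status/SubStatus now
# carry what the old event ID used to say (bad password, locked out, ...).
EXCEPTIONS.update({old: 4625 for old in (529, 530, 531, 532, 533, 534, 535, 536, 537, 539)})


def to_vista(legacy_id):
    """Return (new_id, how) where how is "table" or "+4096 heuristic"."""
    if legacy_id in EXCEPTIONS:
        return EXCEPTIONS[legacy_id], "table"
    return legacy_id + 4096, "+4096 heuristic"


def legacy_ids(vista_id):
    """All pre-Vista IDs that land on vista_id (may be several, or none)."""
    ids = {old for old, new in EXCEPTIONS.items() if new == vista_id}
    candidate = vista_id - 4096
    # 4636 - 4096 = 540, but 540 went to 4624, so 4636 has no legacy source.
    if candidate > 0 and candidate not in EXCEPTIONS:
        ids.add(candidate)
    return sorted(ids)


def translate_rule(legacy_rule_ids):
    """Rewrite a SEM rule's set of legacy IDs as the Vista IDs it must match."""
    return {to_vista(old)[0] for old in legacy_rule_ids}


if __name__ == "__main__":
    for old in (528, 540, 529, 539, 560, 680, 517):
        print(old, "->", *to_vista(old))
    print("legacy sources of 4624:", legacy_ids(4624))
    print("legacy sources of 4636:", legacy_ids(4636))
    print("rule {528, 540, 529, 539} becomes", translate_rule({528, 540, 529, 539}))
```

The practical consequence for a SEM rule: a filter that was written as "old ID + 4096" will look for 4636 and never fire for network logons, and a rule that distinguished 529 from 539 (bad password versus locked out) now has to read SubStatus from a single 4625 event.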
The Trouble With Logoff Events
08 May 07 01:37 PM | Eric Fitzgerald | 1 Comment
A lot of you guys probably are using your SEM/SIEM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense
Read More...
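Two things from the posts above are worth seeing in one piece of correlation logic: the Logon Type field of 4624 (including a value, 0, that is not among the documented types) and the fact that a session with no matching 4634/4647 is not evidence that anyone is still logged on. The following is an added example, not code from the posts; it assumes a simplified record shape (one dict per event with the few EventData fields it needs, and an integer timestamp), and the sample events are constructed. It correlates logons and logoffs by Logon ID, which is what ties a 4624 to its 4634/4647.

```python
"""Correlate 4624 logon events with 4634/4647 logoff events by Logon ID.

Added example (not from the posts). Assumes each event is a dict with
"time" (integer), "EventID", "TargetLogonId" and, for 4624, "TargetUserName"
and "LogonType". SAMPLE_EVENTS is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented 4624 logon types (constructed lookup table, a subset).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}


@dataclass
class Session:
    logon_id: str
    user: str
    logon_type: int
    logon_time: int
    logoff_time: Optional[int] = None  # None: no logoff seen, NOT "still logged on"


def describe_logon_type(code: int) -> str:
    """Name a logon type; anything outside the table (e.g. 0) is flagged."""
    return LOGON_TYPES.get(code, f"undocumented({code})")


def correlate(events) -> Tuple[Dict[str, Session], List[str]]:
    """Build sessions keyed by Logon ID.

    Returns (sessions, orphans). orphans are logoff events whose Logon ID has no
    4624 in the sample, e.g. the logon happened before the collection window.
    """
    sessions: Dict[str, Session] = {}
    orphans: List[str] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        lid = ev["TargetLogonId"]
        if ev["EventID"] == 4624:
            sessions[lid] = Session(lid, ev["TargetUserName"], int(ev["LogonType"]), ev["time"])
        elif ev["EventID"] in (4634, 4647):
            session = sessions.get(lid)
            if session is not None and session.logoff_time is None:
                session.logoff_time = ev["time"]
            else:
                orphans.append(lid)
    return sessions, orphans


def open_sessions(sessions: Dict[str, Session]) -> List[str]:
    """Logon IDs with no logoff seen. Treat as 'unknown', not 'active'."""
    return sorted(lid for lid, s in sessions.items() if s.logoff_time is None)


def undocumented_logons(sessions: Dict[str, Session]) -> List[str]:
    """Logon IDs whose Logon Type is not in the documented table."""
    return sorted(lid for lid, s in sessions.items() if s.logon_type not in LOGON_TYPES)


# Constructed sample: a type-0 logon with no logoff, two normal sessions that
# log off, and a logoff for a session that started before the window.
SAMPLE_EVENTS = [
    {"time": 100, "EventID": 4624, "TargetLogonId": "0x3e7", "TargetUserName": "SYSTEM", "LogonType": 0},
    {"time": 110, "EventID": 4624, "TargetLogonId": "0x5a2f1", "TargetUserName": "alice", "LogonType": 2},
    {"time": 120, "EventID": 4624, "TargetLogonId": "0x5b000", "TargetUserName": "bob", "LogonType": 3},
    {"time": 130, "EventID": 4634, "TargetLogonId": "0x5b000"},
    {"time": 140, "EventID": 4647, "TargetLogonId": "0x5a2f1"},
    {"time": 150, "EventID": 4634, "TargetLogonId": "0x99999"},
]

if __name__ == "__main__":
    sessions, orphans = correlate(SAMPLE_EVENTS)
    for s in sessions.values():
        print(s.logon_id, s.user, describe_logon_type(s.logon_type), s.logon_time, s.logoff_time)
    print("no logoff seen:", open_sessions(sessions))
    print("undocumented logon types:", undocumented_logons(sessions))
    print("logoffs without a logon in window:", orphans)
```

The point of `open_sessions` is what it does not claim: a missing logoff is reported as unknown, not as a live session, because the post above is explicit that logoff events are not reliably generated. If you need session end times, consider them best-effort and corroborate with other evidence (workstation lock events, process exits, network connection teardown) rather than reading their absence as presence.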
Enumerating Stuff in AD when all you see is GUIDs in Audit Records
03 May 07 01:19 PM | Eric Fitzgerald | 0 Comments
A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is that? Well, we only translate one kind of AD GUID, the objectGUID. However AD uses GUIDs in several ways. For instance, group policy objects have a common
Read More...
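The other kinds of GUIDs you meet in AD audit records (for instance the Properties field of a 4662 object-access event) are the schemaIDGUID of a class or attribute, the rightsGuid of an extended right, and the GUID that names a group policy object's container; none of those is an objectGUID, so the event log leaves them untranslated and you have to resolve them yourself. The following is an added example, not code from the post; the lookup tables are a small constructed subset of well-known values (in practice you populate them by querying the schema partition for schemaIDGUID and the Extended-Rights container for rightsGuid), and the sample Properties text is constructed.

```python
"""Resolve the GUIDs in an AD audit record's Properties field.

Added example (not from the post). The tables below are a constructed subset
of well-known values; SAMPLE_PROPERTIES is a constructed 4662-style field.
objectGUIDs cannot be resolved from a table at all: they have to be looked up
in the directory, which is why the event log translates only that kind.
"""
import re
from typing import List, Optional, Tuple

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")

# schemaIDGUID of a few classes (populate from CN=Schema in practice).
SCHEMA_ID_GUIDS = {
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user (class)",
    "bf967a86-0de6-11d0-a285-00aa003049e2": "computer (class)",
    "bf967a9c-0de6-11d0-a285-00aa003049e2": "group (class)",
}
# rightsGuid of a few control access rights (populate from CN=Extended-Rights).
RIGHTS_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
}
# GUIDs that name GPO containers under CN=Policies,CN=System.
GPO_GUIDS = {
    "31b2f340-016d-11d2-945f-00c04fb984f9": "Default Domain Policy",
    "6ac1786c-016f-11d2-945f-00c04fb984f9": "Default Domain Controllers Policy",
}

TABLES = (
    ("extended right", RIGHTS_GUIDS),
    ("schema object", SCHEMA_ID_GUIDS),
    ("group policy object", GPO_GUIDS),
)


def resolve(guid: str) -> Tuple[str, Optional[str]]:
    """Return (kind, name); name is None when no table knows the GUID."""
    key = guid.strip("{}").lower()
    for kind, table in TABLES:
        if key in table:
            return kind, table[key]
    return "unresolved (objectGUID or not in tables)", None


def resolve_properties(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Extract every GUID from a Properties-style field and resolve each."""
    return [(g.lower(), *resolve(g)) for g in GUID_RE.findall(text)]


# Constructed 4662-style Properties field: a class GUID, a replication right,
# and a GUID no table knows (what an untranslated objectGUID looks like).
SAMPLE_PROPERTIES = (
    "{bf967aba-0de6-11d0-a285-00aa003049e2}\n"
    "\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
    "\t{0f3c2a4d-8e3b-4a54-9d15-c5b5f9a1e0d2}"
)

if __name__ == "__main__":
    for guid, kind, name in resolve_properties(SAMPLE_PROPERTIES):
        print(f"{guid}  {kind}: {name}")
```

For the unresolved case, the only authoritative source is the directory itself: search for the object with an `objectGUID` filter on the binary form of the GUID, which is the translation the event log already does for that one kind.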
Where do I get my information on Windows auditing?
06 February 07 02:12 PM | Eric Fitzgerald | 1 Comment
You might want to know where I go to get my information on audit events and so forth. Mostly I go to the source code or one of our developers. For continuity-of-employment reasons I won't be posting a link to that here ;-) We have some old specs and some
Read More...
Determining Whether a User Logged on Using A Smart Card
05 February 07 04:40 PM | Eric Fitzgerald | 0 Comments
I get asked the question pretty regularly how to determine from the security log whether a user logged on using a smart card or not. The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time
Read More...
Trustworthiness of Information in Audit Records
20 September 06 10:57 AM | Eric Fitzgerald | 1 Comment
I get asked quite often "why is the Workstation name missing from some events?" I've explained that elsewhere. But this raises another issue that many of you might not have considered, and I want to take a few minutes to explain. The Windows Security
Read More...
A good 3rd-party reference to the Windows security event log
20 March 06 11:31 AM | Eric Fitzgerald | 1 Comment
Randy Franklin Smith has a site with a very good reference to security event log events. Randy also does training on Windows security log analysis.
Read More...
What the heck are "Primary User" and "Client User"?
16 December 05 10:01 AM | Eric Fitzgerald | 1 Comment
Windows has a feature called "impersonation", by which a process running as one user account can assume, on a single thread, the identity of another logged-on user account, for purposes of performing some action on behalf of the second account. This makes
Read More...
How does Windows Audit meet Common Criteria compliance standards?
30 November 05 05:44 PM | Eric Fitzgerald | 1 Comment
Actually most of our auditing work in Windows has historically been done in order to meet ITSEC C2, and later Common Criteria EAL4, requirements. I just stumbled on this document, which describes the requirements and what we audit to meet the requirements.
Read More...
Preventing Log Evasion in IIS
20 September 05 05:19 PM | Eric Fitzgerald | 1 Comment
Evidently it's possible to craft an IIS request that will cause IIS not to log request detail. Here is a link to an article which describes the problem, and how to work around it. This is non-Microsoft content, so YMMV.
Read More...