Browse by Tags

Ned on Auditing
19 April 08 08:14 PM | Eric Fitzgerald | 1 Comments   
I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point ...
You learn something new every day- Logon Type 0
26 February 08 12:49 PM | Eric Fitzgerald | 1 Comments   
Today I encountered something new in the logon event. I thought that was old hat and I knew all there was to know about that, but I guess I was wrong. The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field ...
Why does Windows XP generate so many logon failure events?
09 November 07 03:23 PM | Eric Fitzgerald | 3 Comments   
I got the question last week: why are there so many logon failure events on Windows XP when it is not domain joined? The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no ...
List of Windows Server 2003 Events
12 October 07 11:45 AM | Eric Fitzgerald | 1 Comments   
So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions". This article was the "schema", so to speak, for the Windows NT 4.0 security event log events. Technically Windows events ...
Help! Someone has deleted events from my Windows event log!
10 August 07 03:59 PM | Eric Fitzgerald | 1 Comments   
From time to time I hear this, and it usually turns out not to be the case. I'll begin with a little background. First, the eventlog service does not have (and never did have) any public or private API to delete individual events; there is a log clear ...
Documentation on the Windows Vista and Windows Server 2008 Security Events
31 July 07 02:36 PM | Eric Fitzgerald | 2 Comments   
I'm hearing lots of complaints that we don't have KB articles on these yet. Doriansoft has a blog post complaining that the "add 4096" rule doesn't work because we collapsed the logon events into a single success event and failure event (from 2 success ...
The Trouble With Logoff Events
08 May 07 01:37 PM | Eric Fitzgerald | 1 Comments   
A lot of you guys probably are using your SEM/SIEM systems to record logon and logoff activity without much of a second thought. I just thought I'd bring one problem to your attention. Logoff events are not strictly reliable. From an engineering sense ...
Enumerating Stuff in AD when all you see is GUIDs in Audit Records
03 May 07 01:19 PM | Eric Fitzgerald | 0 Comments   
A lot of things in Active Directory audit events show up as GUIDs but are not translated. Why is that? Well, we only translate one kind of AD GUID, the objectGUID. However, AD uses GUIDs in several ways. For instance, group policy objects have a common ...
Where do I get my information on Windows auditing?
06 February 07 02:12 PM | Eric Fitzgerald | 1 Comments   
You might want to know where I go to get my information on audit events and so forth. Mostly I go to the source code or one of our developers. For continuity-of-employment reasons I won't be posting a link to that here ;-) We have some old specs and some ...
Determining Whether a User Logged on Using A Smart Card
05 February 07 04:40 PM | Eric Fitzgerald | 0 Comments   
I get asked pretty regularly how to determine from the security log whether a user logged on using a smart card or not. The short answer is, you can't be absolutely certain. The longer answer is, well, you can be pretty certain for the time ...
Trustworthiness of Information in Audit Records
20 September 06 10:57 AM | Eric Fitzgerald | 1 Comments   
I get asked quite often, "why is the Workstation name missing from some events?" I've explained that elsewhere. But this raises another issue that many of you might not have considered, and I want to take a few minutes to explain. The Windows Security ...
A good 3rd-party reference to the Windows security event log
20 March 06 11:31 AM | Eric Fitzgerald | 1 Comments   
Randy Franklin Smith has a site with a very good reference to security event log events. Randy also does training on Windows security log analysis.
What the heck are "Primary User" and "Client User"?
16 December 05 10:01 AM | Eric Fitzgerald | 1 Comments   
Windows has a feature called "impersonation", by which a process running as one user account can assume, on a single thread, the identity of another logged-on user account, for the purpose of performing some action on behalf of the second account. This makes ...
How does Windows Audit meet Common Criteria compliance standards?
30 November 05 05:44 PM | Eric Fitzgerald | 1 Comments   
Actually, most of our auditing work in Windows has historically been done in order to meet ITSec C2, and later Common Criteria EAL4, requirements. I just stumbled on this document, which describes the requirements and what we audit to meet them.
Preventing Log Evasion in IIS
20 September 05 05:19 PM | Eric Fitzgerald | 1 Comments   
Evidently it's possible to craft an IIS request that will cause IIS not to log request detail. Here is a link to an article which describes the problem and how to work around it. This is non-Microsoft content, so YMMV.