Welcome to MSDN Blogs Sign in | Join | Help

Browse by Tags

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

I've written twice ( here and here ) about the relationship between the "old" event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and between the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) Read More...
Posted Wednesday, June 10, 2009 4:09 PM by Eric Fitzgerald | 1 Comments
Filed under: , ,

Minimizing Directory Service Audit Event Noise

I've written before on noise reduction in the Windows security event log. I've also written to describe how object access auditing works . But, I still get questions on how to reduce noise from object access events. The other day I got that question, Read More...
Posted Thursday, September 04, 2008 2:51 PM by Eric Fitzgerald | 0 Comments
Filed under: ,

Tracking User Logon Activity Using Logon Events

I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable . It works Read More...
Posted Wednesday, August 20, 2008 4:32 PM by Eric Fitzgerald | 1 Comments
Filed under: , ,

ACS Event Retention Mechanism

I get a lot of questions about how ACS event retention works. So here you go, I'm blogging it so I can just answer with a link :-) There are two DWORD registry values which affect backlog transmission. Both are on the collector machine under HKLM\System\CurrentControlSet\Services\AdtServer\Parameters. Read More...
Posted Thursday, July 17, 2008 3:56 PM by Eric Fitzgerald | 0 Comments
Filed under:

ACS' first bug from being too performant

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode and dnsZone objects, don't properly get looked up. Some background: the event log in Windows prefers to log invariants such as message IDs, parameter Read More...
Posted Wednesday, July 16, 2008 10:48 AM by Eric Fitzgerald | 0 Comments
Filed under: ,

If you're gonna herd bots, do it from New Zealand!

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man's future prospects. See the story here . Well duh. The whole theory of crime Read More...
Posted Wednesday, July 16, 2008 10:37 AM by Eric Fitzgerald | 0 Comments
Filed under: ,

WEvtUtil Scripting

If you haven't used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you're missing out. The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn't suffer from any of the drawbacks Read More...
Posted Wednesday, July 16, 2008 9:13 AM by Eric Fitzgerald | 1 Comments
Filed under: ,

Ned on Auditing

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point Read More...
Posted Saturday, April 19, 2008 8:14 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

Windows Server 2008 Security Events Posted

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base . Even better, they documented all the events in spreadsheet format, and that's Read More...
Posted Wednesday, April 16, 2008 11:09 PM by Eric Fitzgerald | 0 Comments
Filed under: ,

Shameless Self-Promotion

There's one topic that I know is on everyone's mind- no, not American Idol - it's "What's new in Auditing in Windows Server 2008?" Well, funny that you brought that up. My friend Jesper Johanssen just wrote a new book, the Windows Server 2008 Security Read More...
Posted Wednesday, March 05, 2008 12:47 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

ACS Event Transformation Demystified

I've decided to start dumping my knowledge of ACS for posterity's sake. My first installment is here, and it's an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on the agent Read More...
Posted Wednesday, February 27, 2008 5:43 PM by Eric Fitzgerald | 0 Comments
Filed under: , , ,

You learn something new every day- Logon Type 0

Today I encountered something new in the logon event- I thought that was old hat and I knew all there was to know about that but I guess I was wrong. The logon event ( 528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field Read More...
Posted Tuesday, February 26, 2008 12:49 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

ACS Tidbits

Well there has been a lot happening on my old project, ACS (Audit Collection Services, a feature of SystemCenter Operations Manager 2007 ). Two more of our partners, Enterprise Certified and NetPro , have released compliance solutions on top of ACS. Another Read More...
Posted Friday, February 01, 2008 5:04 PM by Eric Fitzgerald | 1 Comments
Filed under: ,

I always wondered who Björn was...

OK here's something I just remembered today. I may be the last person who remembers this so it's important that I record this somewhere. In the RTM bits of Windows NT 4.0, for the German language release only, someone snuck in a string resource into the Read More...
Posted Thursday, January 17, 2008 2:47 PM by Eric Fitzgerald | 1 Comments
Filed under:

Why does Windows XP generate so many logon failure events?

I got the question last week, why there are so many logon failure events on Windows XP when it is not domain joined. The short answer is, by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no Read More...
Posted Friday, November 09, 2007 3:23 PM by Eric Fitzgerald | 3 Comments
Filed under: ,
More Posts Next page »
 
Page view tracker