Windows Security Logging and Other Esoterica

thoughts from the Windows auditing team

Quick Overview of Object Access Auditing in Windows

A lot of people are unhappy with object access auditing on Windows, because what they want to know...

Author: Eric Fitzgerald Date: 03/07/2006

Default ACLs on Windows Event Logs

A question I get asked frequently: what are the default ACLs on Windows event logs? Here's the...

Author: Eric Fitzgerald Date: 03/01/2006

Whetting your appetite for Windows Vista

Here's a cut & paste from one of my Vista machines. This is one of our new events. I'm including...

Author: Eric Fitzgerald Date: 12/20/2005

What the heck are "Primary User" and "Client User"?

Windows has a feature called "impersonation", by which a process running as one user account can...

Author: Eric Fitzgerald Date: 12/16/2005

EU Passes New Log Retention Rule for Telcos

The BBC reports that the European Parliament has approved rules, as an anti-terror measure, to...

Author: Eric Fitzgerald Date: 12/14/2005

Setting SACLs on Services

Have you ever wanted a record of admin activity regarding service management? For example, who...

Author: Eric Fitzgerald Date: 12/09/2005

Auditing Flaw in Microsoft SQL Server 2000

https://support.microsoft.com/default.aspx?scid=kb;en-us;910741

Author: Eric Fitzgerald Date: 12/05/2005

Privilege Use- what do we audit, and when?

Odd thing today- I got two questions about the obscure "FullPrivilegeAuditing" registry setting- so...

Author: Eric Fitzgerald Date: 12/05/2005

How does Windows Audit meet Common Criteria compliance standards?

Actually most of our auditing work in Windows has historically been done in order to meet ITSec C2,...

Author: Eric Fitzgerald Date: 11/30/2005

What is up with Audit Collection Services?

A lot of you have been asking me to write about Audit Collection Services (ACS, which some of you...

Author: Eric Fitzgerald Date: 11/09/2005

Managed Code Developers: You no longer have an excuse!

One of my former teammates, Mark, designed and built a set of managed classes for generating audit...

Author: Eric Fitzgerald Date: 09/30/2005

Yay! A fix for EventQuery

Those of us "in the know" :-) use eventquery.vbs to export events to a delimited file, and then use...

Author: Eric Fitzgerald Date: 09/27/2005

Preventing Log Evasion in IIS

Evidently it's possible to craft an IIS request that will cause IIS not to log request detail. Here...

Author: Eric Fitzgerald Date: 09/20/2005

Multiple Events for Successful Account Creation

Here is the pattern you should expect to see when creating a local account. For domain accounts, you...

Author: Eric Fitzgerald Date: 08/29/2005

Multiple Events for Failed Account Creation

When you create a local user account on Windows, and you have enabled account management auditing,...

Author: Eric Fitzgerald Date: 08/29/2005

Logs and the Rules of Evidence

I quite frequently hear these questions: 1. My logs/log collection database aren't digitally signed,...

Author: Eric Fitzgerald Date: 08/25/2005

Delegating Access to the Security Log

I often get the question, how do I allow a group of auditors read access to my security logs without...

Author: Eric Fitzgerald Date: 08/24/2005

COMMENT MY BLOG, PLEASE!

If you have auditing questions (as opposed to general security questions), please feel free to...

Author: Eric Fitzgerald Date: 08/24/2005

Another culprit causes too many object access events.

I encountered this in the course of investigating another report of "too many object access events"....

Author: Eric Fitzgerald Date: 08/18/2005

A Voice of Sanity from SANS

I was reading SANS NewsBites, a weekly email newsletter describing significant news around...

Author: Eric Fitzgerald Date: 08/12/2005

Why don't I see the workstation name in logon events?

Top reasons: 1. In NTLM logons, it's subject to spoofing. There exist hacking tools which improperly...

Author: Eric Fitzgerald Date: 08/09/2005

Monitoring Active Directory Schema Changes

As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes....

Author: Eric Fitzgerald Date: 08/08/2005

Monitoring Group Policy Changes with Windows Auditing

I spent some time a while back analyzing logs, figuring out what you can do with group policy...

Author: Eric Fitzgerald Date: 08/04/2005

Deciphering Account Logon Events

One of the most common questions that I get about Windows Auditing is, how come you guys were so...

Author: Eric Fitzgerald Date: 08/04/2005

Keeping the noise down in your security log

[2011-04-11] This post was updated to indicate the interaction between these recommendations and the...

Author: Eric Fitzgerald Date: 01/11/2005

Auditing Changes in Windows Server 2003 SP1

DISCLAIMER: To the best of my knowledge the information here is correct. However the lawyers make me...

Author: Eric Fitzgerald Date: 12/20/2004

Events 528 and 540

Logon events. Event 528 and Event 540 are the Logon events. Event 528 is for all logons except...

Author: Eric Fitzgerald Date: 12/09/2004
