Randy Franklin Smith - Articles on security log

Checking the Security Event Log for Logon Failures Caused by Disabled Accounts. Here are the logon failure codes and event IDs that you need to watch for in the Security event log when looking for disabled-account logon attempts.

Requiring DC Authentication to Unlock Workstations. Find out how to require DC authentication to unlock user workstations and why you might not want to.

Checking Audit Logs for Tampering. Four specific situations indicate that your audit logs might have been altered.

Access Levels for Security Administrators. Ideally, security-monitoring and administrative responsibilities should be assigned to different people. Here's a framework for the access levels security administrators should have and some recommended tools to help them do their job.

Auditing Changes to Shared Folders. Learn how to enable auditing to identify when an administrator creates or deletes a shared folder.

Disabling Logging of Anonymous Logon Events. Do you log anonymous logon events on your servers? Find out how dangerous these events are and whether you can disable or block them from your security logs.

Using Audit Policies to Track Activities Performed by Specific Users. Learn which audit policies you should change to track the activities performed by specific user IDs.

Kerberos Ticket Expirations. Find out whether it's normal to log a high number of expired tickets in a short period of time.

Judging the Importance of an Event ID 553. Find out whether this event in your Security log is signaling a replay attack or simple packet duplication.

Discovering the Cause of an Event ID 675. Here's how to figure out who or what is attempting to authenticate to your DC.

Distinguishing User Account Reenablements from Creations. User account creations leave a telltale pattern in the Security log: event ID 624, followed by several instances of event ID 642 interspersed with event IDs 626 and 628.

Determining Who Enabled an Account. The answer might lie in the Security event log of your Windows DC.

Locating the User Causing Failures on a Folder. Examining event ID 560 and the associated event IDs 528, 540, and 592 will give you the answers you need.

A Cool Log Parser Output Format. The neuroview format makes viewing your Security log output fun.

Windows 2003 Security Log Account Management. Learn how to audit user and group maintenance activity for compliance and increased security.

Auditing Object Access Events. Here's how SACL entries translate into events in the Security log.

Configuring the Security Log. To avoid missing security events, set the log size to at least 10 MB and have the log always overwrite older events with newer events.

Tracking the Programs Executed on a System. Enable the Audit process tracking audit policy and monitor for event ID 592 to discover which programs have run on a system.

Tracking System Time Changes. Look for two event IDs in the Security log to determine whether someone changed the system time.

Auditing Print Jobs. You can audit when a user accesses a printer, but not when a specific file is printed.

Windows 2003 Security Log. An expert sheds light on the latest version of the mysterious Security log, with its cryptic event IDs and codes and sometimes inaccurate documentation.

Monitoring Important Security Events. Learn to use your Security log to detect suspicious activity by monitoring logons, important system events, and file access.

Monitoring AD Changes. Two Domain Controllers Policy settings give you a wealth of information about AD events, if you know where to look in the Security log.

Win2K Security Log Roundup. Use these audit categories to track application use and changes to user rights, Group Policy, and system events.

Keeping Tabs on Object Access. Use Win2K's Audit object access category to track direct and indirect access to objects such as files, folders, and registry keys.

Mining the Win2K Security Log. Track changes to user accounts, groups, and policies.

Audit Account Logon Events. Win2K's new Security log category offers plenty of information about Kerberos and NTLM events.

Tracking Logon and Logoff Activity in Win2K. Learn how to access the Win2K Security log and how to track logon and logoff activity.

Archiving and Analyzing the NT Security Log. Learn to use the system events and policy change auditing categories to uncover tampering in the NT Security log and trip up intruders.

Protecting the NT Security Log. Explore how to use the system events and policy change auditing categories to trip up intruders.

Monitoring Privileges and Administrators in the NT Security Log. With the privilege use and account management security event categories, you can track privileges as users exercise them and follow the actions of administrators and account operators.

Interpreting the NT Security Log. To use the Security log, you need to understand three of the most important categories of security events: logon and logoff, object access, and process tracking.

Introducing the NT Security Log. Learn how to get the most benefit out of your NT Security log.

Logging Remote Desktop Connections. Here's a cautionary tale that illustrates the importance of enabling auditing on workstations and member servers as well as on DCs.