New Rosetta Audit Logging Kits
Wed, 07 Jul 2010 19:44:13 GMT
My new Rosetta Audit Logging Kits take the guesswork out of monitoring security logs and meeting compliance requirements. Learn more here.
My New Windows Security PowerPack Solves 3 Security Headaches and It's Free
Fri, 18 Jun 2010 06:56:07 GMT
I like Tilana Reserve but...
Thu, 13 May 2010 15:48:36 GMT
I love Tilana's Continuous Data Protection - it's awesome, but when are they going to support running on 64-bit workstations? Tilana is the only application holding me back from going 64-bit Windows 7 and being able to use more RAM.
I like Camtasia but...
Thu, 13 May 2010 15:46:58 GMT
When are they going to make a few fundamental improvements like being able to run multiple processes at the same time so that you can produce in the background while editing another video?
I'm getting tired of being loyal to software products, buying each upgrade, when only cosmetic or peripheral improvements are made. I don't care about being able to automatically post my produced video online; I want better functionality in the core editing.
Making the SharePoint Audit Log Usable
Tue, 09 Feb 2010 10:53:22 GMT
As more and more information and processes move to SharePoint, it becomes critical for compliance and security requirements to monitor and audit SharePoint activity.
I was very excited when I first learned about the SharePoint audit log but I quickly determined that in its unimproved state the SharePoint audit log is essentially unusable due to 4 key issues:
- SharePoint's audit log does not provide the names of users or objects.
The SharePoint audit log fails to translate record IDs, meaning you have no idea which object or user a given event refers to! Click here for an example of an audit event from SharePoint and then what LOGbinder does with it.
- SharePoint's audit log is buried in SharePoint's SQL Server content database.
To ensure the integrity of audit trails, logs must be moved from the system where they are generated to a separate and secure log archive. However, in SharePoint the audit log isn't really a log - it's a table in the SharePoint database. This makes it inaccessible to most log management solutions. Without the ability to collect the SharePoint audit log into a separate, secure log archive, its value as a high-integrity audit trail is compromised.
- SharePoint's audit log has no reporting.
In Windows SharePoint Services the log is totally inaccessible, and in Office SharePoint Services it's exposed through a few rudimentary, impractical reports in Excel.
- Windows SharePoint Services provides no interface for enabling auditing at all.
The audit log is there, but without custom programming there's no way to turn it on, much less access the logs.
I'm still a software developer at heart and the problems with the SharePoint audit log finally pushed me over the edge. The result is LOGbinder SP.
LOGbinder SP is a small, efficient Windows service that monitors the internal SharePoint audit log without making any changes to your SharePoint installation.
For each event LOGbinder SP resolves the user and object IDs and other cryptic codes, producing an easy to understand, plain-English translation of the SharePoint audit event. LOGbinder SP then sends these events to the Windows event log (either the Security log or a custom log) which in turn allows you to leverage any log management solution to collect, monitor, alert, analyze, report and archive SharePoint audit logs.
Here's an example event from the SharePoint audit log pictured as delivered via Excel compared to what the event looks like after LOGbinder SP translates it.
LOGbinder SP turns this:

LOGbinder SP is now out of beta and ready for prime-time. You can download an evaluation copy, watch a webinar on the SharePoint audit log, get your questions answered and more at: www.logbinder.com
Please try it out and tell me what you think!
Understanding Audit Logging in SQL Server 2008 - 2/18/10 12PM US Eastern Time
Tue, 12 Jan 2010 12:08:11 GMT
With 2008, SQL Server finally has a real audit log capability. It’s flexible, high performance and can report its events directly to the Windows Security Event Log which means you can leverage the security and integrity of the security log AND take advantage of whatever log management solution you currently use to collect, monitor and report server logs.
Now you can audit changes to SQL Server configuration and objects as well as commands executed against tables such as Select, Update, Delete and Insert. SQL Server 2008 auditing produces an audit log, not a transaction log. That means you can audit any command or other action in SQL Server, but the audit log does not record before and after images of the actual data table rows. Again, it’s an audit log – not a transaction log.
Similar to Windows auditing, SQL Server 2008 auditing allows you to define which SQL Server objects and actions you wish to audit, and you can limit audited activity to specific users or roles. When you enable auditing you can choose to send audit events to either binary SQL audit log files in a specified folder or to the Application or Security event logs. For obvious security and log management reasons I recommend the security log. I wish Microsoft had used different event IDs for each audit event, but all SQL Server audit events show up as event ID 33205, so you have to look in the event details for any and all particulars about the event.
The new SQL commands for auditing include:
- CREATE SERVER AUDIT
- CREATE SERVER AUDIT SPECIFICATION
- CREATE DATABASE AUDIT SPECIFICATION
In this real training webinar I will explain those commands and show you how to set up SQL Server auditing to report events to the Security log. Then I will demonstrate a number of audit scenarios for tracking things like:
- Permission changes
- Login and role changes
- Login failures
- Commands against specific tables like SELECT and UPDATE
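A minimal setup that uses the three commands above to cover the listed scenarios and send events to the Security log. This is an added example, not material from the webinar; the audit and specification names, the SalesDb database and the dbo.Customers table are hypothetical placeholders.

```sql
-- Prerequisites for the Security log target: the SQL Server service account
-- needs the "Generate security audits" user right, and the Windows audit
-- policy subcategory "Application Generated" must be enabled.
USE master;
GO
-- 1. The audit object defines where events go (here: Windows Security log).
CREATE SERVER AUDIT Audit_To_SecurityLog      -- hypothetical name
    TO SECURITY_LOG
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT Audit_To_SecurityLog WITH (STATE = ON);
GO
-- 2. Server-level scope: login failures, login and server role changes,
--    server permission changes.
CREATE SERVER AUDIT SPECIFICATION ServerSpec_Logins_Perms   -- hypothetical name
    FOR SERVER AUDIT Audit_To_SecurityLog
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PERMISSION_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- 3. Database-level scope: SELECT and UPDATE against one table, plus
--    permission and role membership changes inside the database.
USE SalesDb;                                   -- hypothetical database
GO
CREATE DATABASE AUDIT SPECIFICATION DbSpec_Customers        -- hypothetical name
    FOR SERVER AUDIT Audit_To_SecurityLog
    -- BY public audits every user; name a specific user or role instead
    -- to limit audited activity to that principal.
    ADD (SELECT, UPDATE ON OBJECT::dbo.Customers BY public),
    ADD (DATABASE_PERMISSION_CHANGE_GROUP),
    ADD (DATABASE_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
-- Confirm that the audit and both specifications are enabled.
SELECT name, type_desc, is_state_enabled FROM sys.server_audits;
SELECT name, is_state_enabled FROM sys.server_audit_specifications;
SELECT name, is_state_enabled FROM sys.database_audit_specifications;
```

Every audited action then arrives in the Security log as event ID 33205, so filtering by scenario has to be done on the action and object fields in the event details.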
This real training webinar is not free. For specialized topics where finding a sponsor is not practical I’m trying out a new paid model. The fee is low and there is no sponsor presentation; your information will not be shared with anyone. It’s all deep, technical training. To register please click here.
Venue Announced for Security Log Secrets - Los Angeles - January 25-27
Mon, 28 Dec 2009 14:19:48 GMT
My next webinar is a comprehensive look at reducing the problems and risks associated with passwords using the latest technologies
Thu, 03 Dec 2009 09:08:00 GMT
Password Management: Top Ways to Deal with the Necessary Evil -
New way to delegate view access to the security log in Windows Server 2008
Tue, 03 Nov 2009 07:29:32 GMT
Where did "Replace auditing entries on all child objects" check box go in Active Directory Users and Computers?
Tue, 06 Oct 2009 10:15:29 GMT
I can't believe this. Well, it's Microsoft, so yes I can believe it. Where did the "Replace auditing entries on all child objects" go in Active Directory Users and Computers? While doing some consulting for a company I just noticed that in my this check box is not present on the Auditing tab of the security settings dialog for objects in Active Directory Users and Computers.
That makes it impossible to manage auditing of AD objects using the Directory Service category of the security log.
Has anyone else noticed this? Any solutions? I'm looking at writing a script to do it but for crying out loud, you shouldn't have to.