The Windows security log is vital to successfully monitor all aspects of Windows security. However, it's safe to say that it's also the most poorly documented area of Windows 2000 and Windows Server 2003. For most security events, Microsoft's documentation simply restates the static text related to the event. While it provides some information, it's filled with inaccuracies. Further, there is insufficient guidance and very little background information for individual security events; most are described only in the context of other events. Most disappointing, there are no suggested courses of remedial action.
In addition to poor event documentation, security log event IDs and codes vary from one Windows version to the next, making security log knowledge even more obscure and complicating the design of programs that monitor the security log.
I have reverse-engineered every event ID in the security log, along with the codes and other detailed fields within each event. In this book, I provide an understanding of security events in relation to each other. I’ve also linked user-level and administrator-level actions with patterns of events. Now, you can understand all the details provided by the security log, information which can tell a lot of stories if you know how to read the tea leaves.
In Chapter 2, I'll introduce you to the Windows audit policy (including the relationship between audit policies and audit categories), the Microsoft Management Console (MMC) Event Viewer console, and the format of security events. Even if you're an experienced Windows Server administrator, I recommend at least scanning this chapter. I've included a few valuable nuggets that might well be new to you.
This book is part of the Security Log Resource Kit. Buy it now!
Chapter 3 introduces you to the concepts of Windows authentication and logon (which serves as the foundation for subsequent chapters), then delves into the closely related Account Logon and Logon/Logoff audit categories. Chapter 4 discusses how Windows logs authentication activity by using Account Logon events, and Chapter 5 deals with logon events in the Logon/Logoff category.
In Chapter 6, we examine the Detailed Tracking category, and I show you how to track programs that users execute. In Chapter 7, you’ll find out how to monitor file-system activity and access attempts on other types of objects by using the Object Access category. Chapter 8 shows you how to audit changes to users, groups, and computer accounts by tracking Account Management events, and Chapter 9 reveals how to use Directory Access events to track changes to Active Directory (AD) objects such as organizational units (OUs) and Group Policy objects (GPOs). Chapters 10, 11, and 12 deal with the Privilege Use, Policy Change, and System Event categories, respectively.
The Windows Server 2003 Security Log Revealed is only available as part of the Security Log Resource Kit.