Ultimate Windows Security Newsletter:

Issue #39, 2/27/07

Well, the moment has finally arrived when I can announce that the Windows Server 2003 Security Log posters have been mailed to all requesters in the United States! (Selected countries will be mailed next.) The post office picked them up on Monday, so please, please don't write to us with emails about non-receipt until at least next Tuesday. We hope you love the new poster; we certainly worked hard on it. Thank you for your patience while we worked on this complex project involving so many parties. By the way, the WAITINGONPOSTER coupon code still works if you want to save $100 on the Security Log Secrets Interactive Edition DVD.

It’s been quiet on the Microsoft security bulletin front with only minor revisions to existing bulletins since my last update.

Turn on auditing on workstations

Before I go, one tip with regard to security logs on Windows workstations: turn on auditing on workstations even if you can't collect the logs. I was recently supporting an investigation involving unauthorized access to certain critical workstations at a client's network. If you've attended any of my training you are aware that domain controller security logs can provide a record of domain accounts that access workstations, but that's subject to certain limitations. For instance, Account Logon events on domain controller logs can't tell you what type of logon occurred, and more importantly, only the workstation's log tells you about attempts to log on with local accounts.

In this investigation it was crucial to distinguish between remote desktop logons and logons to the local console. Unfortunately, most versions of Windows workstation operating systems have all auditing turned off by default, and the security log maximum size is way too small. Sadly, I was very limited in how much information I could provide to my client. But that doesn't have to happen to you.

I highly recommend that you use group policy to configure all workstations with an appropriate audit policy and a much larger maximum security log size. At a minimum, I recommend 100 MB for the security log on workstations. This will not cause a performance penalty, and workstations usually have plenty of disk space. As far as audit policy goes, I recommend enabling Account Logon, Logon/Logoff, Process Tracking, Account Management, System Events and Policy Change. I know this sounds like a lot, but your users will never notice the difference and you will build a wealth of evidence when that investigation inevitably comes around.

One other thing: the client, a small business, also lacked any type of log management tool, making it impossible to go back more than a few weeks even on the domain controller security logs. Solving that problem doesn't need to be expensive. Many of our sponsors provide log management solutions that fit the needs and budgets of small businesses.
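
As an added example (not from the newsletter), here is a PowerShell check that a workstation actually received the audit policy and log size recommended above, useful for confirming that the group policy applied. It assumes Windows Vista or later, where the legacy categories are exposed by auditpol.exe (Process Tracking appears as Detailed Tracking and System Events as System), and an elevated session.

```powershell
# Added example, not the newsletter's own script. Assumes Vista or later
# (auditpol.exe, Get-WinEvent) and an elevated PowerShell session.
# Map the newsletter's legacy category names to auditpol category names.
$required = @{
    'Account Logon'      = 'Account Logon'
    'Logon/Logoff'       = 'Logon/Logoff'
    'Process Tracking'   = 'Detailed Tracking'
    'Account Management' = 'Account Management'
    'System Events'      = 'System'
    'Policy Change'      = 'Policy Change'
}
$minLogBytes = 100MB   # newsletter's minimum for the workstation Security log

function Test-WorkstationAuditConfig {
    $findings = @()

    # 1. Security log maximum size (the default is far below 100 MB)
    $log = Get-WinEvent -ListLog Security
    if ($log.MaximumSizeInBytes -lt $minLogBytes) {
        $mb = [math]::Round($log.MaximumSizeInBytes / 1MB)
        $findings += "Security log max size is $mb MB; raise it to at least 100 MB."
    }

    # 2. Audit categories: every subcategory should audit success and failure
    foreach ($legacy in $required.Keys) {
        $cat = $required[$legacy]
        # /r emits CSV with an 'Inclusion Setting' column per subcategory;
        # drop any non-CSV lines before parsing
        $rows = auditpol /get "/category:$cat" /r |
                Where-Object { $_ -match ',' } | ConvertFrom-Csv
        $gaps = $rows | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
        foreach ($g in $gaps) {
            $findings += "$legacy ($cat) / $($g.Subcategory): '$($g.'Inclusion Setting')' (expected Success and Failure)."
        }
    }
    return $findings
}

$result = Test-WorkstationAuditConfig
if ($result.Count -eq 0) { 'Workstation meets the recommended audit configuration.' }
else { $result }
```

Run it on a sample of workstations after the GPO refresh; any finding means the policy did not reach that machine or was overridden locally.
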

Until next time fellow log grokkers, monitor those logs and stay mitigated.
