The Windows security log is vital to successfully monitoring all aspects of Windows
security. However, it's safe to say that it's also the most poorly documented
area of Windows 2000 and Windows Server 2003. For most security events,
Microsoft's documentation simply restates the static text related to the event.
While it provides some information, it's filled with inaccuracies. Further,
there is insufficient guidance and very little background information for
individual security events, and most events are described only in the context of others.
Most disappointing, there are no suggested courses of remedial action.

In addition to poor event documentation, security log event IDs and codes vary
from one Windows version to the next, making security log knowledge even more
obscure and complicating the design of programs that monitor the security log.

I have reverse-engineered every event ID in the security log, along with the
codes and other detailed fields within each event. In this book, I provide an
understanding of security events in relation to each other. I've also linked
user-level and administrator-level actions with patterns of events. Now, you can
understand all the details provided by the security log, information that can
tell a lot of stories if you know how to read the tea leaves.

In Chapter 2, I'll introduce you to the Windows audit policy (including the
relationship between audit policies and audit categories), the Microsoft
Management Console (MMC) Event Viewer console, and the format of security
events. Even if you're an experienced Windows Server administrator, I recommend
at least scanning this chapter. I've included a few valuable nuggets that might
well be new to you.
Chapter 3 introduces you to the concepts of Windows authentication and logon
(which serve as the foundation for subsequent chapters), then delves into the
closely related Account Logon and Logon/Logoff audit categories. Chapter 4
discusses how Windows logs authentication activity by using Account Logon
events, and Chapter 5 deals with logon events in the Logon/Logoff category.

In Chapter 6, we examine the Detailed Tracking category, and I show you how to
track the programs that users execute. In Chapter 7, you'll find out how to monitor
file-system activity and access attempts on other types of objects by using the
Object Access category. Chapter 8 shows you how to audit changes to users,
groups, and computer accounts by tracking Account Management events, and Chapter
9 reveals how to use Directory Access events to track changes to Active
Directory (AD) objects such as organizational units (OUs) and Group Policy
objects (GPOs). Chapters 10, 11, and 12 deal with the Privilege Use,
Policy Change, and System Event categories, respectively.
The Windows Server 2003 Security Log Revealed is only available as part of the
Security Log Resource Kit.