The Security Log Mini-Seminar Series for Windows Server 2003

Quick focused learning on key areas of the security log

  • Covering Windows Server 2003 security log events
  • Delivered as a DVD
  • Slide handouts included as PDFs

Understanding Authentication and Logon in the Security Log

Inside Windows, authentication and logon are two different activities, and this is reflected by two different categories in the security log with confusingly similar names: "Account Logon" and "Logon/Logoff". In this webinar Randy will explain the difference between the two categories, the unique value of each, and why the events they report should be interpreted very differently depending on whether they came from a domain controller, a member server or a workstation.

15 min.

Monitoring Kerberos Authentication with the Windows Security Log

Kerberos is Windows' default authentication protocol, and the Account Logon events you see in domain controller security logs are closely connected to Kerberos ticket operations. These Kerberos-generated events provide a wealth of information, including answers to questions like "Who is logging onto which workstation? What servers do they access next? Where are these password-guessing attempts coming from?", all without going further than your domain controller security logs. In this in-depth webinar you will learn how Kerberos authentication works and how to interpret Kerberos security log events to answer these questions.

34 min.

Catching Policy and Configuration Changes with the Security Log

This webinar shows you how to find important security policy changes to your servers as soon as they happen. We're talking about password policy, audit policy, user rights assignment and other high-priority, suspicious events that could indicate either an intrusion or an innocent but dangerous "fat-finger" by an administrator. Some events tell you who made the change and others leave you hanging. I'll reveal the good, bad and ugly on that score so you don't waste time looking for information that doesn't exist.

44 min.

Monitoring User Accounts with the Windows Security Log

In this fast-paced webinar, Randy Franklin Smith will show you how to use the Windows security log to track status changes and other modifications to AD user accounts, which is vital to good security and regulatory compliance. You will learn how to track password resets by the help desk, recognize previously disabled user accounts that are suddenly enabled, spot newly created user accounts and more. You will learn about crucial inconsistencies and undocumented phenomena in Windows 2000 and 2003 that cause a high number of false positives in typical security log reports and monitoring rules. With this information you'll be able to weed out the noise and concentrate on the real changes.

43 min.

Tracking File Access with the Security Log


Leveraging the Windows Security Log for Compliance

The Windows security log provides a wealth of information that facilitates compliance with the monitoring and audit trail requirements of Sarbanes-Oxley and other legislation such as HIPAA and GLBA. However, the security log is also cryptic, requires a detailed understanding of the Windows security subsystem, and has no built-in reporting or collection functionality. In this technical session, you'll learn the key event IDs for compliance, how to interpret patterns of events, the obscure differences between Windows 2000 and 2003 that can cause inaccurate reports and alerts, and more. You'll receive a security log checklist specially designed for compliance and my recommended audit policy for domain controllers and critical servers.

Understanding Logon and Logoff Events from the Windows Security Log

When you compare a user's actual logon and logoff behavior to the logon and logoff events in the security log, things don't add up, and I will explain why in next week's webinar. The logon/logoff events you see in the security log depend on the type of account the user logs on with and on whether you are looking at the security log of a workstation, a domain controller or a member server. Register now to find out why file servers commonly show a user logging on and off a million times a day and what you must do to figure out exactly when a user actually did log out.

Top 12 Suspicious Intrusion Indicators in the Security Log

Real-time alerts sent to your pager are a nice idea, but if you overdo it you run the risk of "cry wolf" syndrome, in which no one pays attention anymore. The key to responsive security monitoring is to limit real-time alerts to events that are clearly malicious or have a high security impact and are very unusual in day-to-day operations. You only want the pager to go off if something truly unusual or wrong occurs that warrants immediate investigation. In this seminar I will show you 12 events or event patterns from the Windows security log that deserve a place on your short list for real-time alerting. I'll explain why these events are important to investigate and why they are unlikely to produce needless alerts in most environments.

Tracking Access Control Changes - Part 1

Being able to monitor and respond to changes in privileged and end-user access is critical for protecting critical systems and sensitive information. HIPAA, SOX, FISMA and GLBA all share a common requirement: controlling access to privileged information. In this two-part series you will find out how to detect access changes at both the object permission level and the group membership level. In part 1 Randy focuses on tracking changes in group membership using the Windows security log.

43 min.

Tracking Access Control Changes - Part 2

You need to know when users are granted access, and the security log provides that information if you know where to look. Thus armed, you can quickly respond to inappropriate changes and satisfy regulatory compliance. Further, being able to report access revocations helps you prove that security procedures are followed. In part 2 of this two-part series Randy Franklin Smith will show you how to detect access changes at the object permission level.

20 min.
