The Windows Security Log Revealed

Chapter 1
Getting Started

This book is intended for any Information Technology (IT) or Information Security professional who needs to understand the cryptic Windows® Security log. The authors have spent countless hours experimenting with Windows audit policy and the Security log, and have carefully documented each event ID in the log.

This book is a guided tour of Windows audit policy and the Security log. We will introduce you to each of the nine Windows audit policies and the corresponding Security log event IDs. You will learn what each category of the log has to offer and how to leverage it for maximum value. We will also discuss the problem of noise—unwanted, useless log events—and what you can do to minimize it.

First, the Bad News…

You can glean a wealth of information from the Windows operating system Security log, but the mechanism isn't without problems. If you’ve spent any time working with the Security log, you’ve likely realized that each Windows computer—including each domain controller (DC)—has a discrete Security log. Each DC logs security events according to the activity that it observes but doesn’t replicate this information to the other DCs in the domain. Windows has no native capability to centrally collect, analyze, monitor, report, and archive the many Security logs that exist throughout your network.

Another problem is that the log's event descriptions and codes are cryptic and often poorly documented. As if that weren’t bad enough, Microsoft eliminates, merges, and changes the meaning of event IDs from one version of Windows to the next. In addition, the order of strings in a given event’s description sometimes changes between Windows versions. These changes can really throw a wrench in the works when you upgrade systems after having set up reports or rules that are based on an event ID or the position of a string.

Now, the Good News

In this book, we endeavor to document the Security log changes and give you tips for effectively managing them. We’ll provide some practical guidance as to which events and subcategories you should audit. And we’ll help fill in the gaps in the security settings and log information.

In Chapter 2, we’ll introduce you to the Windows audit policy (including audit policy categories and policy settings), the Microsoft Management Console (MMC) Event Viewer, and the format of Security log events. We’ll explain how you can use the new policy subcategories to fine-tune your audit policy and to make sure that you’re catching the events that you want. We’ll tell you about a couple of new command-line tools that are essential for configuring and understanding auditing. And we’ll introduce you to event subscriptions and alerting. Even if you're an experienced Windows Server administrator, we recommend that you read—or at least scan—this chapter, which includes valuable nuggets of information that might well be new to you.

Chapter 3 will introduce Windows authentication and logon (concepts that serve as a foundation for subsequent chapters) and will delve into the closely related Account Logon and Logon/Logoff audit policy categories. Chapter 4 will discuss how Windows logs authentication activity by using Account Logon events, and Chapter 5 will deal with logon events in the Logon/Logoff category.

In Chapter 6, we’ll examine the Detailed Tracking category, and we’ll show you how to track programs that users execute. In Chapter 7 , you’ll find out how to use the Object Access category to monitor file-system activity and access attempts on other types of objects. Chapter 8 will show you how to audit changes to users, groups, and computer accounts by tracking events in the Account Management category, and Chapter 9 will reveal how to use events in the Directory Service Access category to track changes to Active Directory (AD) objects such as organizational units (OUs) and Group Policy objects (GPOs).

Chapters 10, 11, and 12 will deal with the Privilege Use, Policy Change, and System categories, respectively. And in Chapter 13, we’ll give you some pointers to manage event logs from multiple computers on an enterprise system.

Bottom Line

Windows can generate a detailed audit record of security events on each system. But exploiting that information is a lot like mining low-grade ore: You must carry out a laborious refining process before you can get to the gold.

Unless your needs are limited to occasional investigations, you'll want some type of automated solution for collecting, monitoring, reporting, and archiving the Security logs that are scattered throughout your network. Many such tools are on the market. The two most important criteria in choosing which product to use are 1) whether the product can meet your scalability needs and 2) whether it provides the ability to build sophisticated alerts and rules based on specific string positions within an event’s description. Our contacts at Microsoft indicate that this latter capability will become even more important for future versions of Windows.

Next Chapter

Back to top

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.




Additional Resources