Understanding Authentication and Logon in the Security Log
Inside Windows, authentication and logon are 2 different activities and this is
reflected by 2 different categories in the security log with confusingly similar
names: "Account Logon" and "Logon/Logon". In this webinar Randy
will explain the difference and unique values of both categories and why the events
they report should be interpreted very differently depending on whether the events
came from a domain controller, member server or workstation.
Monitoring Kerberos Authentication with the Windows Security Log
Kerberos is Windows' default authentication protocol and the Account Logon events
you see in domain controller security logs are closely connected to Kerberos ticket
operations. These Kerberos generated events provide a wealth of information including
the answer to questions like "Who is logging onto which workstation? What servers
do they access next? Where are these password guessing attempts coming from?"
- all without going further than your domain controller security logs. In this in-depth
webinar you will learn how Kerberos authentication works and how to interpret Kerberos
security log events to answer these questions.
Catching Policy and Configuration Changes with the Security Log
This webinar shows you how to find important security policy changes to your servers
as soon as they happen. We're talking about password policy, audit policy, user
rights assignment and other high priority, suspicious events that could indicate
either an intrusion or an innocent but dangerous "fat-finger" by an administrator.
Some events tell you who made the change and others leaving you hanging. I'll
reveal the good, bad and ugly on that score so you don't needlessly waste time
looking for information that doesn't exist.
Monitoring User Accounts with the Windows Security Log
In this fast paced webinar, Randy Franklin Smith will show you how to use the Windows
security log to track status changes and other modifications to AD user accounts
which is vital to good security and regulatory compliance. You will learn how to
track password resets by the help desk, recognize previously disabled user accounts
that are suddenly enabled, newly created user accounts and more. You will learn
about crucial inconsistencies and undocumented phenomena in Windows 2000 and 2003
that cause a high number of false positives in typical security log reports and
monitoring rules. With this information you'll be able to weed out the noise
and concentrate on the real changes.
Tracking File Access with the Security Log
Randy Franklin Smith will show you how to use the Windows security log to track
status changes and other modifications to AD user accounts which is vital to good
security and regulatory compliance. You will learn how to track password resets
by the help desk, recognize previously disabled user accounts that are suddenly
enabled, newly created user accounts and more. You will learn about crucial inconsistencies
and undocumented phenomena in Windows 2000 and 2003 that cause a high number of
false positives in typical security log reports and monitoring rules. With this
information you'll be able to weed out the noise and concentrate on the real
Leveraging the Windows Security Log for Compliance
The Windows security log provides a wealth of information that facilitates compliance
with the monitoring and audit trail requirements of Sarbanes Oxley and other legislation
such as HIPPA and GLBA. However, the security log is also cryptic, requires a detailed
understanding of the Windows security subsystem, and has no built-in reporting or
collection functionality. In this technical session, you'll learn the key event
IDs for compliance, how to interpret patterns of events, about obscure differences
between Windows 2000 and 2003 that can cause inaccurate reports and alerts, and
more. You'll receive a security log check list specially designed for compliance
and my recommended audit policy for domain controllers and critical servers.
Understanding Logon and Logoff Events from the Windows Security Log
When you compare a user's actual logon and logoff behavior to the logon and
logoff events in the security log things don't add up and I will explain why
in next week's webinar. The logon/logoff events you see in the security log
depend on what type of account with which the user logs on and whether you are looking
at the security log of a workstation, domain controller or member server. Register
now to find out why file servers commonly show a user logging on and off a million
times a day and what you must do to figure out exactly when a user actually did
Top 12 Suspicious Intrusion Indicators in the Security Log
Real time alerts sent to your pager is a nice idea but if you overdo it you run
the risk of "cry wolf" syndrome in which no one pays attention any more.
The key to responsive security monitoring is to limit real time alerts to events
that are clearly malicious or have a high security impact and are very unusual in
day-to-day operations. You only want the pager to go off if something truly unusual
or wrong occurs which warrants immediate investigation. In this seminar I will show
you 12 events or event patterns from the Windows security log that deserve to go
on your short list of consideration for real time alerting. I'll explain why
these events are important to investigate and why they are unlikely to produce needless
alerts in most environments.
Tracking Access Control Changes - Part 1
Being able to monitor and respond to changes in privileged and end-user access is
critical for protecting critical systems and sensitive information. HIPAA, SOX,
FISMA, GLBA all share access control over privileged information or access as a
common requirement. In this 2 part series you will find out how to detect access
changes at both the object permission level and group membership. In part 1 Randy
focuses on tracking changes in group membership using the Windows security log.
Tracking Access Control Changes - Part 2
You need to know when users are granted access and the security log provides that
information if you know where to look. Thus armed you can quickly respond to inappropriate
changes and satisfy regulatory compliance. Further, being able to report access
revocations helps you prove security procedures are followed. In part 2 of this
2-part series Randy Franklin Smith will show you how to detect access changes at
the object permission.