Re: [Full-Disclosure] Windows 2000 Logout events are not monitored!

From: Bill Royds (full-disclosure_at_royds.net)
Date: 11/11/03

  • Next message: Thorsten Mayr: "AW: [Full-Disclosure] Windows RPC 4 ? [Exploit]"
    To: <Darren.L.Bennett@saic.com>
    Date: Mon, 10 Nov 2003 19:44:21 -0500
    
    

    The logout event is event number 540 in security log. All the Win2K I manage
    have these entries for every logout. Check your security policy to ensure
    that you are recording them.
    They are in Local Security Policy MMS under Local Policies/Audit
    Events/{Audit account logon events,Audit logon events}. You want both
    success and failure to capture a successful logoff.

    ----- Original Message -----
    From: "Darren Bennett" <DARREN.L.BENNETT@saic.com>
    To: "Full Disclosure" <full-disclosure@lists.netsys.com>
    Sent: Monday, November 10, 2003 12:42 PM
    Subject: [Full-Disclosure] Windows 2000 Logout events are not monitored!

    : It's possible this has been on the list before but I'm going to check
    : anyway. With windows 2000 (server is the platform I have tested), when
    : auditing of login/logout events is enabled, only login events are
    : recorded. This appears to be a bug with Windows. I have tried applying a
    : patch from Microsoft that is supposed to fix this and the patch didn't
    : work. Anyone else seen this behavior? Any suggestions on how I could
    : record logout events without relying on MS?
    :
    : -Thanks,
    :
    : Darren
    :
    :
    : -----------------------------------------------
    : Darren Bennett - CISSP
    : Sr. Systems Administrator/Manager
    : Science Applications International Corporation
    : Advanced Systems Development and Integration
    : -----------------------------------------------
    :
    : _______________________________________________
    : Full-Disclosure - We believe in it.
    : Charter: http://lists.netsys.com/full-disclosure-charter.html
