Re: [Full-Disclosure] Windows 2000 Logout events are not monitored!

From: Bill Royds (full-disclosure_at_royds.net)
Date: 11/11/03

  • Next message: Thorsten Mayr: "AW: [Full-Disclosure] Windows RPC 4 ? [Exploit]"
    To: <Darren.L.Bennett@saic.com>
    Date: Mon, 10 Nov 2003 19:44:21 -0500
    
    

    The logout even is event number 540 in security log. All the Win2K I manage
    have these entries for every logout. Check your security policy to ensure
    that you are recording them.
    There are in Local Security Policy MMS under Local Policies/Audit
    Events/{Audit account logon events,Audit logon events}. YOu want both
    success and failure to caputre a successful logoff.

    ----- Original Message -----
    From: "Darren Bennett" <DARREN.L.BENNETT@saic.com>
    To: "Full Disclosure" <full-disclosure@lists.netsys.com>
    Sent: Monday, November 10, 2003 12:42 PM
    Subject: [Full-Disclosure] Windows 2000 Logout events are not monitored!

    : It's possible this has been on the list before but I'm going to check
    : anyway. With windows 2000 (server is the platform I have tested), when
    : auditing of login/logout events is enabled, only login events are
    : recorded. This appears to be a bug with Windows. I have tried applying a
    : patch from Microsoft that is supposed to fix this and the patch didn't
    : work. Anyone else seen this behavior? Any suggestions on how I could
    : record logout events without relying on MS?
    :
    : -Thanks,
    :
    : Darren
    :
    :
    : -----------------------------------------------
    : Darren Bennett - CISSP
    : Sr. Systems Administrator/Manager
    : Science Applications International Corporation
    : Advanced Systems Development and Integration
    : -----------------------------------------------
    :
    : _______________________________________________
    : Full-Disclosure - We believe in it.
    : Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Thorsten Mayr: "AW: [Full-Disclosure] Windows RPC 4 ? [Exploit]"

    Relevant Pages

    • Re: Help (Stuck at Logout)
      ... apparently the iMac is stuck at logout: ... appeared, along with the spinning gear icon, but it hasn't progressed ... about a million windows opened up (seems like ... Shit happens. ...
      (comp.sys.mac.system)
    • Re: windows form in service
      ... i am creating a windows service. ... when i logout the windows form get closed. ... I know there is a namespace System something that allows a Windows Desktop solution to check for logout on the desktop, and it will raise an event in the running .Net solution. ...
      (microsoft.public.dotnet.framework.windowsforms)
    • Re: logon logout remote destop to server
      ... windows 2003 and sp1 ... when logging on remotly.. ... MCSE, CCEA, Microsoft MVP - Terminal Server ... logout ...
      (microsoft.public.windows.terminal_services)
    • Re: Benefits - Background process as NT service
      ... One thing is that you logout and login as a new user all processes are shut ... exception services because services run independent from a logged in ... > as an NT Service in windows. ...
      (microsoft.public.dotnet.languages.csharp)
    • problem with Win32/service
      ... I have a Ruby On Rails application (Mongrel web server), which I have compiled to windows XP service. ... Everything works fine, but when I logout from Windows, the service is shut down. ...
      (comp.lang.ruby)