Re: Where would the changes be saved?

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 02/10/02


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: "Patrick S. Harper" <patrick@internetsecurityguru.com>, "'Damon Sisola'" <dsisola@osius.com>, <focus-ms@securityfocus.com>
Date: Sat, 9 Feb 2002 23:21:12 -0500

You *can* do this via the machine's local security policies, in the
administrative tools. No need to edit the registry directly, although if you
wish to do so, you may want to open the .inf files in
\winnt\security\templates with a text editor. You'll see things like this:

[System Log]
MaximumLogSize = 4194240
AuditLogRetentionPeriod = 2
RetentionDays = 7
RestrictGuestAccess = 1
[Security Log]
MaximumLogSize = 4194240
AuditLogRetentionPeriod = 2
RetentionDays = 7
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 4194240
AuditLogRetentionPeriod = 2
RetentionDays = 7
RestrictGuestAccess = 1
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
CrashOnAuditFull = 1

Laura
----- Original Message -----
From: "Patrick S. Harper" <patrick@internetsecurityguru.com>
To: "'Damon Sisola'" <dsisola@osius.com>; <focus-ms@securityfocus.com>
Sent: Thursday, February 07, 2002 4:25 PM
Subject: RE: Where would the changes be saved?

> OK, say I told the system to log all failed logon attempts. It would have
> to store that info somewhere (It used to do it in the registry if I
> remember correctly) so it will have it on boot to load the policy???
>
> -----Original Message-----
> From: Damon Sisola [mailto:dsisola@osius.com]
> Sent: Thursday, February 07, 2002 2:45 PM
> To: 'Patrick S. Harper'; focus-ms@securityfocus.com
> Subject: RE: Where would the changes be saved?
>
>
> In the registry at: HKLM\system\currentcontrolset\services\eventlog
>
> there will be a Maxsize and retention value for each of the 3 logs.
>
> Damon
>
> -----Original Message-----
> From: Patrick S. Harper [mailto:patrick@internetsecurityguru.com]
> Sent: Thursday, February 07, 2002 12:18 PM
> To: focus-ms@securityfocus.com
> Subject: Where would the changes be saved?
>
>
> When you make a change to a Windows 2000 server's auditing and log
> rotation where is that info stored? I have looked all through the
> registry and searched all over the HDD and found nothing but a few
> .dll's and .inf files. If I make changes to the .inf files directly it
> does not affect the policy. This is for a machine that is standalone or
> in an NT4 domain so pushing it out is not an option. Any advice
> welcome. Thanks
>
> Patrick Harper
>
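
Added example, not part of the original thread: a short Python reader for the log and audit sections of a security template like the one quoted in the top message. It decodes the numeric values and flags the CrashOnAuditFull / never-overwrite combination. The function names and the sample text are constructed for illustration; the value meanings are the usual security-template encodings.

```python
import configparser

# Constructed sample: a subset of the template lines quoted in the message,
# plus a [Version] section to show that non-numeric sections are skipped.
SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Security Log]
MaximumLogSize = 4194240
AuditLogRetentionPeriod = 2
RetentionDays = 7
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditProcessTracking = 0
CrashOnAuditFull = 1
"""

# Value encodings used in security templates (helper names are hypothetical).
AUDIT = {0: "none", 1: "success", 2: "failure", 3: "success+failure"}
RETENTION = {0: "overwrite as needed", 1: "overwrite by days",
             2: "never overwrite (clear manually)"}
LOGS = ("System Log", "Security Log", "Application Log")


def parse_template(text):
    """Return {section: {key: int}} for the log and audit sections only."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str  # keep key case as written in the template
    cp.read_string(text)
    wanted = [s for s in cp.sections() if s in LOGS or s == "Event Audit"]
    return {s: {k: int(v) for k, v in cp[s].items()} for s in wanted}


def review(text):
    """Decode the numeric settings and collect operational warnings."""
    tpl = parse_template(text)
    audit = tpl.get("Event Audit", {})
    decoded = {k: AUDIT[v] for k, v in audit.items() if k != "CrashOnAuditFull"}
    for log in LOGS:
        if log in tpl and "AuditLogRetentionPeriod" in tpl[log]:
            decoded[log] = RETENTION[tpl[log]["AuditLogRetentionPeriod"]]
    warnings = []
    never = tpl.get("Security Log", {}).get("AuditLogRetentionPeriod") == 2
    if audit.get("CrashOnAuditFull") == 1 and never:
        warnings.append("CrashOnAuditFull=1 with a never-overwrite Security "
                        "Log: the system halts when the log fills")
    return decoded, warnings
```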


