RE: Auditing a reboot

From: Brad Judy (judy@colorado.edu)
Date: 04/21/03

    From: "Brad Judy" <judy@colorado.edu>
    To: "'Hillensbeck, Preston'" <PHillensbeck@sfbcic.com>, <focus-ms@securityfocus.com>
    Date: Mon, 21 Apr 2003 10:49:39 -0600
    
    

    I do not know of a way to do it in Windows 2000 off of the top of my
    head. However, this is logged by default in Windows 2003 Server.

    Brad Judy

    Information Technology Services
    University of Colorado at Boulder

    > -----Original Message-----
    > From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
    > Sent: Monday, April 21, 2003 8:34 AM
    > To: 'Brad Judy'; focus-ms@securityfocus.com
    > Subject: RE: Auditing a reboot
    >
    >
    > I guess I should have been more specific! What I am trying
    > to audit is an event that says who or what rebooted the
    > machine. I see the normal 6005 and 6009 event messages, but
    > I would really like to know who initiated the reboot. Is
    > this possible?
    >
    > -----Original Message-----
    > From: Brad Judy [mailto:judy@colorado.edu]
    > Sent: Monday, April 21, 2003 9:30 AM
    > To: 'Hillensbeck, Preston'; focus-ms@securityfocus.com
    > Subject: RE: Auditing a reboot
    >
    >
    > There are several items that are logged on startup, some of
    > which may also be logged at other times. Try the normal
    > first item to be logged - an event 6009 that states the basic
    > OS version information. See this KB article for more info -
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;196452
    >
    > Note that this is an event that occurs on startup regardless
    > of how the machine was shut down. Other events may be logged
    > as discussed in the article above. If you want something
    > more specific you may have to look elsewhere.
    >
    > Brad Judy
    >
    > Information Technology Services
    > University of Colorado at Boulder
    >
    > > -----Original Message-----
    > > From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
    > > Sent: Monday, April 21, 2003 7:14 AM
    > > To: 'focus-ms@securityfocus.com'
    > > Subject: Auditing a reboot
    > >
    > >
    > > How would you go about auditing when a machine is rebooted,
    > > domain wise? I have looked high and low for an answer, and I
    > > can't seem to find one. This is a Windows 2000 question, and
    > > I am running Active Directory. I have tried auditing system
    > > events, both successes and failures, but cannot get event
    > > viewer to spit out the right information. Thanks in advance.

    -----------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    ------------------------------------------------------------------------------
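
An added example, not part of the original thread: one way to answer "who initiated the reboot" on a system that logs it, by pairing each boot marker (event 6009, as mentioned above) with the shutdown request logged before it. It assumes event ID 1074 (source User32), the System log event in which Windows Server 2003 and later record the requesting user and process; the thread does not name that ID. The function names, `SRV01` and `EXAMPLE\jdoe` are hypothetical, and the sample records are constructed.

```powershell
# Added example. Event 6009 marks a boot (as in the thread); event 1074 is an
# assumption the thread does not name: the shutdown request with user and process.
function Get-RebootAttribution {
    param([Parameter(Mandatory)] [object[]] $Events)

    $request = $null   # most recent 1074 seen since the previous boot
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        switch ($e.Id) {
            1074 { $request = $e }
            6009 {
                # 1074 insertion strings: [0] process, [4] shutdown type, [6] user
                $user = '(none logged)'; $proc = $null; $type = $null
                if ($request) {
                    $user = $request.Properties[6].Value
                    $proc = $request.Properties[0].Value
                    $type = $request.Properties[4].Value
                }
                [pscustomobject]@{
                    BootTime    = $e.TimeCreated
                    RequestedBy = $user
                    Process     = $proc
                    Type        = $type
                    Attributed  = [bool]$request
                }
                $request = $null   # a request explains only the next boot
            }
        }
    }
}

# Constructed sample records shaped like Get-WinEvent output (not real log data).
function New-SampleEvent([string]$Time, [int]$Id, [string[]]$Strings = @()) {
    [pscustomobject]@{
        TimeCreated = [datetime]$Time
        Id          = $Id
        Properties  = @($Strings | ForEach-Object { [pscustomobject]@{ Value = $_ } })
    }
}
$sample = @(
    New-SampleEvent '2003-04-21 07:58:10' 1074 @('shutdown.exe', 'SRV01', 'Other (Planned)', '0x80000000', 'restart', '', 'EXAMPLE\jdoe')
    New-SampleEvent '2003-04-21 08:00:02' 6009
    New-SampleEvent '2003-04-22 03:14:40' 6009   # boot with no request before it
)
Get-RebootAttribution $sample | Format-Table -AutoSize

# Live use on a current Windows host (IDs are not filtered by source here):
# Get-RebootAttribution (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1074, 6009 })
```

A boot reported with `Attributed` false had no shutdown request logged before it, which is the case to review: power loss, a crash, a hard reset, or a system that does not log the request at all.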

