RE: Auditing a reboot

From: Hillensbeck, Preston (PHillensbeck@sfbcic.com)
Date: 04/21/03

  • Next message: Damien @ HammerheadTech.net: "RE: interoperability of VPN checkpoint FW1 to ISA"
    From: "Hillensbeck, Preston" <PHillensbeck@sfbcic.com>
    To: "'Logan F.D. Greenlee'" <lgreenlee@ciretose.net>, focus-ms@securityfocus.com
    Date: Mon, 21 Apr 2003 15:49:28 -0500
    
    

    This is how I will have to go about it then, since I don't have Windows 2003
    just yet. Thanks for all of your replies.

    -----Original Message-----
    From: Logan F.D. Greenlee [mailto:lgreenlee@ciretose.net]
    Sent: Monday, April 21, 2003 2:25 PM
    To: Hillensbeck, Preston; focus-ms@securityfocus.com
    Subject: RE: Auditing a reboot

    Preston,

    If you use success auditing for loggons and logoffs you can infer the
    rebooting user from the the security log.

    - Logan

    -----Original Message-----
    From: Brad Judy [mailto:judy@colorado.edu]
    Sent: Monday, April 21, 2003 12:50 PM
    To: 'Hillensbeck, Preston'; focus-ms@securityfocus.com
    Subject: RE: Auditing a reboot

    I do not know of a way to do it in Windows 2000 off of the top of my
    head. However, this is logged by default in Windows 2003 Server.

    Brad Judy

    Information Technology Services
    University of Colorado at Boulder

    > -----Original Message-----
    > From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
    > Sent: Monday, April 21, 2003 8:34 AM
    > To: 'Brad Judy'; focus-ms@securityfocus.com
    > Subject: RE: Auditing a reboot
    >
    >
    > I guess I should have been more specific! What I am trying
    > to audit is an event that says who or what rebooted the
    > machine. I see the normal 6005 and 6009 event messages, but
    > I would really like to know who initiated the reboot. Is
    > this possible?
    >
    > -----Original Message-----
    > From: Brad Judy [mailto:judy@colorado.edu]
    > Sent: Monday, April 21, 2003 9:30 AM
    > To: 'Hillensbeck, Preston'; focus-ms@securityfocus.com
    > Subject: RE: Auditing a reboot
    >
    >
    > There are several items that are logged on startup, some of
    > which may also be logged at other times. Try the normal
    > first item to be logged - an event 6009 that states the basic
    > OS version information. See this KB article for more info -
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;196452
    >
    > Note that this is an event that occurs on startup regardless
    > of how the machine was shut down. Other events may be logged
    > as discussed in the article above. If you want something
    > more specific you may have to look elsewhere.
    >
    > Brad Judy
    >
    > Information Technology Services
    > University of Colorado at Boulder
    >
    > > -----Original Message-----
    > > From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
    > > Sent: Monday, April 21, 2003 7:14 AM
    > > To: 'focus-ms@securityfocus.com'
    > > Subject: Auditing a reboot
    > >
    > >
    > > How would you go about auditing when a machine is rebooted,
    > > domain wise? I have looked high and low for an answer, and I
    > > can't seem to find one. This is a Windows 2000 question, and
    > > I am running Active Directory. I have tried auditing system
    > > events, both successes and failures, but cannot get event
    > > viewer to spit out the right information. Thanks in advance.
    > >
    > >
    > >
    > > --------------------------------------------------------------
    > > ---------------
    > > Attend Black Hat Briefings & Training Europe, May 12-15 in
    > > Amsterdam, the
    > > world's premier event for IT and network security experts.
    > > The two-day
    > > Training features 6 hand-on courses on May 12-13 taught by
    > > professionals.
    > > The two-day Briefings on May 14-15 features 24 top speakers
    > > with no vendor
    > > sales pitches. Deadline for the best rates is April 25.
    > > Register today to
    > > ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    > > --------------------------------------------------------------
    > > ----------------
    > >
    >
    >
    >
    > --------------------------------------------------------------
    > ---------------
    > Attend Black Hat Briefings & Training Europe, May 12-15 in
    > Amsterdam, the
    > world's premier event for IT and network security experts.
    > The two-day
    > Training features 6 hand-on courses on May 12-13 taught by
    > professionals.
    > The two-day Briefings on May 14-15 features 24 top speakers
    > with no vendor
    > sales pitches. Deadline for the best rates is April 25.
    > Register today to
    > ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    > --------------------------------------------------------------
    > ----------------
    >

    ----------------------------------------------------------------------------
    -
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
    world's premier event for IT and network security experts. The two-day
    Training features 6 hand-on courses on May 12-13 taught by professionals.
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor
    sales pitches. Deadline for the best rates is April 25. Register today to
    ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    ----------------------------------------------------------------------------

    --
    -----------------------------------------------------------------------------
    Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
    world's premier event for IT and network security experts.  The two-day 
    Training features 6 hand-on courses on May 12-13 taught by professionals.  
    The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
    sales pitches.  Deadline for the best rates is April 25.  Register today to 
    ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    ------------------------------------------------------------------------------
    

  • Next message: Damien @ HammerheadTech.net: "RE: interoperability of VPN checkpoint FW1 to ISA"

    Relevant Pages

    • RE: Auditing a reboot
      ... If you use success auditing for loggons and logoffs you can infer the rebooting user from the the security log. ... > I would really like to know who initiated the reboot. ... >> world's premier event for IT and network security experts. ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Focus-Microsoft)
    • Re: Multiple logoffs required
      ... Microsoft MVP [Windows] ... auditing was not configured for successful logon/logoff events, ... logged off right away after a reboot. ...
      (microsoft.public.windows.server.general)
    • Re: Printer Disapear and Strange Admin Objects
      ... however with the audit policy we have one more question. ... > This module describes how to set different settings that apply to auditing. ... > Microsoft Windows XP - Audit Policy ... >> where printers disapear from the active directory on a local site. ...
      (microsoft.public.windows.server.active_directory)
    • RE: Auditing a reboot
      ... I wonder if auditing "priviledge use" would give you what you need.. ... Subject: Auditing a reboot ... > world's premier event for IT and network security experts. ... Training features 6 hand-on courses on May 12-13 taught by professionals. ...
      (Focus-Microsoft)
    • Re: Last to Modify
      ... The audit log question is moot though unless you have AD changes being logged ... Joe Richards Microsoft MVP Windows Server Directory Services ... >>To track changes within Active Directory you have to enable auditing. ... >>to track user activities and system-wide events in Active Directory. ...
      (microsoft.public.windows.server.active_directory)