RE: Auditing a reboot
From: dave (dave@netmedic.net)
Date: 04/22/03
- Previous message: Damien @ HammerheadTech.net: "RE: interoperability of VPN checkpoint FW1 to ISA"
- In reply to: Logan F.D. Greenlee: "RE: Auditing a reboot"
- Next in thread: Hillensbeck, Preston: "RE: Auditing a reboot"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "dave" <dave@netmedic.net> To: <focus-ms@securityfocus.com> Date: Tue, 22 Apr 2003 03:07:53 -0400
Well if you do not want to infer you can:
In your Audit Policy of your Security Settings make sure you have "Audit
Privilege Use" turned on for Success and Failure.
In the Security Log you will see an Event ID #578, Privilege Use for
SeShutdownPrivilege, every time someone invokes it.
Now #578 Privilege Use is used for other Privilege Uses as well. So you
will see them listed quite often. It is easiest to look at the System Log
and see what time the "Event Service" Stopped and then look in the Security
Log for #578 for the previous 2 minutes.
It lists all the info you want:
Privileged object operation:
Object Server: EventLog
Object Handle: 0
Process ID: 224
Primary User Name: xxxxxx
Primary Domain: xxxxxx
Primary Logon ID: (hex number)
Client User Name: xxxxxx
Client Domain: xxxxxx
Client Logon ID: (hex number)
Privileges: SeShutdownPrivilege
Hope this helps.
_____________________
Dave Kleiman
dave@netmedic.net
www.netmedic.net
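The correlation Dave describes (a System log entry for the Event Log service stopping, then the Security log 578 entries from the preceding two minutes filtered to SeShutdownPrivilege) can be scripted. The following is an added example, not code from the post or the list; it assumes the two logs have been exported as simple records, and the sample entries are constructed for illustration. The 6006 value is assumed to be the "Event log service was stopped" System entry.

```python
"""Correlate Security Event ID 578 (SeShutdownPrivilege) with Event Log service stops."""
from datetime import datetime, timedelta

# Constructed sample export: (log, timestamp, event_id, fields).
# Not real data; the Security entries mimic the 578 field layout quoted in the post.
SAMPLE_EVENTS = [
    ("Security", "2003-04-21 15:20:05", 578,
     {"Privileges": "SeSecurityPrivilege", "Client User Name": "backupsvc"}),
    ("Security", "2003-04-21 15:23:40", 578,
     {"Privileges": "SeShutdownPrivilege", "Client User Name": "jsmith"}),
    ("Security", "2003-04-21 15:24:10", 578,
     {"Privileges": "SeShutdownPrivilege", "Primary User Name": "admin"}),
    ("System",   "2003-04-21 15:25:00", 6006,
     {"Source": "EventLog", "Message": "The Event log service was stopped."}),
    ("Security", "2003-04-21 15:40:00", 578,
     {"Privileges": "SeShutdownPrivilege", "Client User Name": "jdoe"}),
]

EVENTLOG_STOPPED_ID = 6006          # assumption: System log ID for "Event log service was stopped"
PRIVILEGE_USE_ID = 578              # from the post: Privileged object operation
WINDOW = timedelta(minutes=2)       # from the post: look back 2 minutes before the stop


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def shutdown_candidates(events, window=WINDOW):
    """For each Event Log service stop, return the users who invoked
    SeShutdownPrivilege inside the preceding window, oldest first.
    Other privileges logged under 578 are ignored, as are invocations
    outside the window."""
    stops = [parse_ts(ts) for log, ts, eid, _ in events
             if log == "System" and eid == EVENTLOG_STOPPED_ID]
    results = []
    for stop in stops:
        hits = []
        for log, ts, eid, fields in events:
            if log != "Security" or eid != PRIVILEGE_USE_ID:
                continue
            if fields.get("Privileges") != "SeShutdownPrivilege":
                continue        # 578 is raised for many privileges; keep only shutdown
            t = parse_ts(ts)
            if stop - window <= t <= stop:
                # Client User Name identifies the caller; fall back to the primary account
                user = fields.get("Client User Name") or fields.get("Primary User Name")
                hits.append((t, user))
        results.append((stop, [u for _, u in sorted(hits)]))
    return results


if __name__ == "__main__":
    for stop, users in shutdown_candidates(SAMPLE_EVENTS):
        print(f"{stop}: shutdown privilege used by {users}")
```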
-----Original Message-----
From: Logan F.D. Greenlee [mailto:lgreenlee@ciretose.net]
Sent: Monday, April 21, 2003 15:25
To: Hillensbeck, Preston; focus-ms@securityfocus.com
Subject: RE: Auditing a reboot
Preston,
If you use success auditing for logons and logoffs you can infer the
rebooting user from the security log.
- Logan
> -----Original Message-----
> From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
> Sent: Monday, April 21, 2003 8:34 AM
> To: 'Brad Judy'; focus-ms@securityfocus.com
> Subject: RE: Auditing a reboot
>
>
> I guess I should have been more specific! What I am trying
> to audit is an event that says who or what rebooted the
> machine. I see the normal 6005 and 6009 event messages, but
> I would really like to know who initiated the reboot. Is
> this possible?