RE: Auditing a reboot

From: Matthew Wagenknecht (Matthew.Wagenknecht@quantum.com)
Date: 04/22/03

    From: Matthew Wagenknecht <Matthew.Wagenknecht@quantum.com>
    To: "'Logan F.D. Greenlee'" <lgreenlee@ciretose.net>, "Hillensbeck, Preston" <PHillensbeck@sfbcic.com>, focus-ms@securityfocus.com
    Date: Tue, 22 Apr 2003 06:47:28 -0600
    
    

    I believe that only shows interactive logons.. You can reboot a machine
    remotely without "logging in", eg: shutdown /r /t 1 \\machine

    I wonder if auditing "privilege use" would give you what you need..

    ..:: Matt ::..
     
    Bother!, said Pooh as his network froze..
    -----------
    varified gramaticly correckt using EverRight Spellchecher v1.0

    -----Original Message-----
    From: Logan F.D. Greenlee [mailto:lgreenlee@ciretose.net]
    Sent: Monday, April 21, 2003 1:25 PM
    To: Hillensbeck, Preston; focus-ms@securityfocus.com
    Subject: RE: Auditing a reboot

    Preston,

    If you use success auditing for logons and logoffs you can infer the
    rebooting user from the security log.

    - Logan

    -----Original Message-----
    From: Brad Judy [mailto:judy@colorado.edu]
    Sent: Monday, April 21, 2003 12:50 PM
    To: 'Hillensbeck, Preston'; focus-ms@securityfocus.com
    Subject: RE: Auditing a reboot

    I do not know of a way to do it in Windows 2000 off of the top of my head.
    However, this is logged by default in Windows 2003 Server.

    Brad Judy

    Information Technology Services
    University of Colorado at Boulder

    > -----Original Message-----
    > From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
    > Sent: Monday, April 21, 2003 8:34 AM
    > To: 'Brad Judy'; focus-ms@securityfocus.com
    > Subject: RE: Auditing a reboot
    >
    >
    > I guess I should have been more specific! What I am trying
    > to audit is an event that says who or what rebooted the
    > machine. I see the normal 6005 and 6009 event messages, but
    > I would really like to know who initiated the reboot. Is
    > this possible?
    >
    > -----Original Message-----
    > From: Brad Judy [mailto:judy@colorado.edu]
    > Sent: Monday, April 21, 2003 9:30 AM
    > To: 'Hillensbeck, Preston'; focus-ms@securityfocus.com
    > Subject: RE: Auditing a reboot
    >
    >
    > There are several items that are logged on startup, some of
    > which may also be logged at other times. Try the normal
    > first item to be logged - an event 6009 that states the basic
    > OS version information. See this KB article for more info -
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;196452
    >
    > Note that this is an event that occurs on startup regardless
    > of how the machine was shut down. Other events may be logged
    > as discussed in the article above. If you want something
    > more specific you may have to look elsewhere.
    >
    > Brad Judy
    >
    > Information Technology Services
    > University of Colorado at Boulder
    >
    > > -----Original Message-----
    > > From: Hillensbeck, Preston [mailto:PHillensbeck@sfbcic.com]
    > > Sent: Monday, April 21, 2003 7:14 AM
    > > To: 'focus-ms@securityfocus.com'
    > > Subject: Auditing a reboot
    > >
    > >
    > > How would you go about auditing when a machine is rebooted, domain
    > > wise? I have looked high and low for an answer, and I can't seem to
    > > find one. This is a Windows 2000 question, and I am running Active
    > > Directory. I have tried auditing system events, both successes and
    > > failures, but cannot get event viewer to spit out the right
    > > information. Thanks in advance.
    > >
    > >
    > >
    > > --------------------------------------------------------------
    > > ---------------
    > > Attend Black Hat Briefings & Training Europe, May 12-15 in
    > > Amsterdam, the world's premier event for IT and network security
    > > experts.
    > > The two-day
    > > Training features 6 hand-on courses on May 12-13 taught by
    > > professionals.
    > > The two-day Briefings on May 14-15 features 24 top speakers
    > > with no vendor
    > > sales pitches. Deadline for the best rates is April 25.
    > > Register today to
    > > ensure your place. http://www.securityfocus.com/BlackHat-focus-ms
    > > --------------------------------------------------------------
    > > ----------------
    > >
    >
    >
    >
    >
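The two approaches raised in this thread, compared as an added example that is not part of the original messages: for each event 6009 startup record it looks back for a privilege-use audit event naming a shutdown privilege, and separately for the last audited logon. The Security event IDs (577/578 for privilege use, 528 for logon), the privilege names, the 10-minute window and all sample records are assumptions or constructed values, not taken from the thread.

```python
from datetime import datetime, timedelta

# Constructed sample records (time, log, event_id, user, detail); not real log data.
SAMPLE = [
    ("2003-04-21 09:00:05", "Security", 528, "CORP\\alice", "Logon Type: 2"),
    ("2003-04-21 13:10:40", "Security", 577, "CORP\\bob",
     "Privileges: SeRemoteShutdownPrivilege"),
    ("2003-04-21 13:12:02", "System", 6009, "N/A", "Microsoft (R) Windows 2000 (R) 5.0 2195"),
    ("2003-04-21 13:12:02", "System", 6005, "N/A", "The Event log service was started."),
    ("2003-04-22 02:30:11", "System", 6009, "N/A", "Microsoft (R) Windows 2000 (R) 5.0 2195"),
]

SHUTDOWN_PRIVS = ("SeShutdownPrivilege", "SeRemoteShutdownPrivilege")
PRIV_USE_IDS = (577, 578)  # assumption: privilege-use audit events on Windows 2000
LOGON_ID = 528             # assumption: successful logon event on Windows 2000


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def attribute_reboots(events, window=timedelta(minutes=10)):
    """For each 6009 startup, report who the two audit approaches would name."""
    events = sorted(events, key=lambda e: _ts(e[0]))
    results, last_boot = [], datetime.min
    for when, log, eid, _user, _detail in events:
        if log != "System" or eid != 6009:
            continue
        boot = _ts(when)
        by_priv = by_logon = None
        for when2, log2, eid2, user2, detail2 in events:
            seen = _ts(when2)
            # Only Security records between the previous boot and this one count.
            if log2 != "Security" or not (last_boot < seen <= boot):
                continue
            named = [p for p in SHUTDOWN_PRIVS if p in detail2]
            if eid2 in PRIV_USE_IDS and named and boot - seen <= window:
                remote = "SeRemoteShutdownPrivilege" in named
                by_priv = (user2, "remote" if remote else "local")
            elif eid2 == LOGON_ID:
                by_logon = user2  # last audited logon before the boot
        results.append({"boot": when, "privilege_use": by_priv,
                        "logon_inference": by_logon})
        last_boot = boot
    return results
```

On the constructed data the first startup is attributed to different accounts by the two methods, and the second startup has no audit trail at all, which is the case to flag for follow-up.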

    
