Re: Security logging stopped
From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/23/02
From: "Karl Levinson [x y] MVP" <levinson_k@excite.com> Date: Wed, 23 Oct 2002 16:49:26 -0400
"Dan Hensley" <dhensley@usgs.gov> wrote in message
news:c18501c27aca$1b927240$35ef2ecf@TKMSFTNGXA11...
> NT 4.0
>
> On some of my workstations security logging has stopped
> and I can't find where to turn it back on.
>
> Also is there a way to log who logs into the RAS?

Try using the Event Log viewer to clear the event log. If it becomes
corrupted, you won't see anything until it is cleared.

On my RAS server, I believe that all gets logged as long as auditing of
login successes and failure events was turned on in the RAS server settings.
Then, if you wish, you can use a utility such as DUMPEL from the Windows
resource kit to export just the RAS server logins to a CSV file and open it
in Excel to make a report on RAS time usage per user. There are free log
dumping tools such as the ones at www.sysinternals.com but I can't confirm
whether they will do this as well.

I guess you already know this, but just in case, here's info on how to
enable auditing on your RAS server:
==============

Note that to enable logging of access to files or registry settings, you
must both enable logging in the overall computer policy AND also add
auditing settings on individual folders or registry keys in the NTFS
security properties in Windows Explorer or the REGEDT32 registry editor.
[Using REGEDIT will not work.] To log file access, the files must be on an
NTFS-formatted partition.

Note also that to enable logging of security events on a Windows domain, you
must change the auditing policy on all domain controllers. Changing the
auditing policy on the computers in the domain enables logging of failed
logins to the computers using local accounts and would not necessarily log
attempts to log into the domain.

Consider changing the Windows event log settings to be appropriate for your
environment. Consider increasing the maximum log size to retain more
information. Be careful not to log too much, or you might find that your
logs contain only a few minutes or hours' worth of data. Finally, check the
logs to be sure logs are really being captured.

For more information on enabling and configuring auditing, see the articles
below:
http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
[look for the NSA Security Recommendation Guides for Windows 2000 and
also Group Policy]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/13w2kadc.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
access settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
monitoring for unauthorized user access
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
http://www.labmice.net/troubleshooting/EventLog.htm
[Thanks to Thomas Deml and others]
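
Added example, not part of the original message or of any tool named in it: a check over an exported Security log that reports how much time the log covers and how long it has been silent, the two conditions the message above warns about. The CSV column layout, the sample rows and the thresholds are assumptions constructed for illustration, not the documented output of DUMPEL.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. The column layout is an assumption, not the
# documented output format of DUMPEL or any other log dumping tool.
SAMPLE_CSV = """date,time,source,event_id,user
10/23/2002,09:00:05,Security,528,alice
10/23/2002,09:02:41,Security,529,bob
10/23/2002,09:10:12,Security,528,carol
10/23/2002,09:31:50,Security,538,alice
"""

def parse_events(text):
    """Return the sorted timestamps of every row in the exported CSV text."""
    stamps = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = f"{row['date']} {row['time']}"
        stamps.append(datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S"))
    return sorted(stamps)

def assess_log(text, now, min_coverage, max_silence):
    """Flag a log that spans too little time or has stopped receiving events.

    coverage = newest event - oldest event (how far back the log reaches)
    silence  = now - newest event          (how long since anything was logged)
    """
    stamps = parse_events(text)
    if not stamps:
        # Nothing exported at all: auditing is off, or the log was just cleared.
        return {"events": 0, "coverage": None, "silence": None,
                "findings": ["no_events"]}
    coverage = stamps[-1] - stamps[0]
    silence = now - stamps[-1]
    findings = []
    if coverage < min_coverage:
        # Either the log overwrites too fast for its size, or it was cleared recently.
        findings.append("short_retention")
    if silence > max_silence:
        findings.append("logging_stalled")
    return {"events": len(stamps), "coverage": coverage,
            "silence": silence, "findings": findings}

if __name__ == "__main__":
    report = assess_log(SAMPLE_CSV, datetime(2002, 10, 24, 9, 40),
                        min_coverage=timedelta(days=1),
                        max_silence=timedelta(hours=1))
    print(report)
```
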