Re: Interpreting Security Audit Events
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 01/10/03
- Next message: Karl Levinson [x y] mvp: "Re: Interpreting Security Audit Events"
- Previous message: MYMOBILE: "Temp Internet Files"
- In reply to: sjohnson: "Re: Interpreting Security Audit Events"
- Next in thread: sjohnson: "Re: Interpreting Security Audit Events"
- Reply: sjohnson: "Re: Interpreting Security Audit Events"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Thu, 9 Jan 2003 21:06:36 -0500
There is no native way to log IP addresses yet. You would need a firewall
and to manually try to correlate your security log with your firewall log
based on event timestamp, so be sure time is synchronised [or use a firewall
software on your domain controller... I would probably be sure
If people are logging onto your system from the internet, you need a
firewall to block this. Period. You should really also block outbound
communications that are unnecessary as well. Netbios uses TCP and UDP ports
135 through 139 and 445, but there are lots of other ports you want to block
in both directions. Everything should be blocked inbound except for replies
and if you have servers such as web or mail servers that need to be visible
from the internet. There are free firewalls, so there's no excuse.
For more information:
http://securityadmin.info/faq.htm#4.32
http://securityadmin.info/faq.htm#firewall
http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#auditing
"sjohnson" <sjohnson@XsageYhospitalityZ.com> wrote in message
news:2fdd01c2b83f$c2cb50b0$89f82ecf@TK2MSFTNGXA01...
> Is there any easy way to identify source based on these
> events?
>
> Also - is there a place that I can reference different
> logon processes and/or authentication packages?
>
> Thanks for your response, Eric.
>
> -Shannon
>
> >-----Original Message-----
> >Hi,
> >
> >No, the logon process identifies which system component
> >was used to process the logon, and the auth package indicates, to a large
> >degree, which protocol was used. Logon Type indicates the source of the logon
> >(2=interactive, 3=network, 5=service, 7=unlock workstation). None of
> >these uniquely identifies the source of the remote logon.
> >
> >Eric
> >
> >--
> >Eric Fitzgerald
> >Program Manager, Windows Auditing and Intrusion Detection
> >Microsoft Corporation
> >
> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >"sjohnson" <sjohnson@XsageYhospitalityZ.com> wrote in message
> >news:2d3001c2b816$93c70440$8df82ecf@TK2MSFTNGXA02...
> >> Hello All-
> >>
> >> I have recently enabled security auditing for our NT4
> >> domain and am seeing events that concern me, but I'm
> >> having difficulty interpreting them or finding useful
> >> information.
> >>
> >> Can someone help me understand? For instance, in this
> >> text from an Event ID 529:
> >> ---
> >> logon failure:
> >>
> >> reason: unknown user name or bad password
> >>
> >> user name: administrator
> >>
> >> domain: raiden
> >>
> >> logon type: 3
> >>
> >> logon process: ntlmssp
> >>
> >> authentication package:
> >> microsoft_authentication_package_v1_0
> >>
> >> workstation name: raiden
> >> ---
> >>
> >> Would it be possible to use the "Authentication
> >> Package", "Logon Process", and/or "Logon Type" as
> >> identifying information? I've noticed that these items
> >> change between different events - maybe I can use them to
> >> help me find out more about these events.
> >>
> >> Thanks in advance,
> >> Shannon
> >
> >
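The correlation Karl describes (matching security-log logon failures against firewall log entries by timestamp, which only works if both clocks are synchronised) and the Logon Type meanings Eric lists can be put together in a small script. The example below is added here and is not code from this thread or from Microsoft; the Event ID 529 text mirrors the field layout Shannon posted, but the timestamps, the firewall log format, the addresses (documentation ranges) and the five-second tolerance window are all constructed assumptions.

```python
"""
Correlate Windows-style Event ID 529 (logon failure) records with firewall log
lines by timestamp to find candidate source addresses.  Added example, not the
thread's own code.  Only Logon Type 3 (network) logons have a remote peer
worth looking for; interactive (2), service (5) and unlock (7) logons are
local and are reported without candidates.
"""
from datetime import datetime, timedelta
import re

# Logon Type codes exactly as Eric listed them in the thread.
LOGON_TYPES = {2: "interactive", 3: "network", 5: "service", 7: "unlock workstation"}

# NetBIOS/SMB ports Karl mentions; assumption: the failures arrived over these.
NETBIOS_PORTS = {135, 136, 137, 138, 139, 445}

# Constructed sample security log: the field layout follows Shannon's post, with
# a constructed "time:" line folded into each record and "---" as separator.
SECURITY_LOG = """\
time: 2003-01-09 20:58:12
logon failure:
reason: unknown user name or bad password
user name: administrator
domain: raiden
logon type: 3
logon process: ntlmssp
authentication package: microsoft_authentication_package_v1_0
workstation name: raiden
---
time: 2003-01-09 21:03:40
logon failure:
reason: unknown user name or bad password
user name: administrator
domain: raiden
logon type: 2
logon process: user32
authentication package: microsoft_authentication_package_v1_0
workstation name: raiden
---
"""

# Constructed firewall log in an assumed "ts ACTION PROTO src:port -> dst:port" form.
FIREWALL_LOG = """\
2003-01-09 20:58:10 ALLOW TCP 203.0.113.7:3021 -> 192.0.2.5:139
2003-01-09 20:58:11 ALLOW TCP 203.0.113.7:3022 -> 192.0.2.5:445
2003-01-09 20:59:30 ALLOW TCP 198.51.100.9:4410 -> 192.0.2.5:80
2003-01-09 21:03:41 DROP UDP 203.0.113.7:1025 -> 192.0.2.5:137
"""

FW_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_security_log(text):
    """Split the text into records and parse 'key: value' lines into dicts."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        if "logon type" in fields:  # skip empty trailing blocks
            fields["time"] = datetime.strptime(fields["time"], "%Y-%m-%d %H:%M:%S")
            fields["logon type"] = int(fields["logon type"])
            events.append(fields)
    return events


def parse_firewall_log(text):
    """Parse firewall lines; lines that do not match the assumed format are ignored."""
    entries = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def correlate(events, fw_entries, window=timedelta(seconds=5)):
    """For each network logon failure, list ALLOWed NetBIOS/SMB connections
    seen within +/- window of the event, nearest in time first."""
    results = []
    for ev in events:
        lt = ev["logon type"]
        rec = {"user": ev["user name"], "time": ev["time"], "logon_type": lt,
               "logon_type_name": LOGON_TYPES.get(lt, "unknown"), "candidates": []}
        if lt == 3:  # only network logons can have a remote source
            for fw in fw_entries:
                delta = fw["ts"] - ev["time"]
                if (abs(delta) <= window and fw["action"] == "ALLOW"
                        and fw["dport"] in NETBIOS_PORTS):
                    rec["candidates"].append((fw["src"], fw["dport"], delta.total_seconds()))
            rec["candidates"].sort(key=lambda c: abs(c[2]))
        results.append(rec)
    return results


if __name__ == "__main__":
    for r in correlate(parse_security_log(SECURITY_LOG), parse_firewall_log(FIREWALL_LOG)):
        print(r["time"], r["user"], f"type {r['logon_type']} ({r['logon_type_name']})",
              r["candidates"] or "no remote candidates")
```

Dropped packets are excluded because they could not have produced a logon attempt, and the window is deliberately small: with unsynchronised clocks even a five-second tolerance yields nothing useful, which is why Karl's time-synchronisation remark matters more than the matching logic itself.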