Re: Security Event Messages

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/03/04

  • Next message: Steven L Umbach: "Re: What could be on 25 and 110?" 
    Date: Wed, 03 Nov 2004 22:58:06 GMT

    I don't know of one good reference but the one below is a good start.

    http://www.microsoft.com/technet/security/guidance/secmod144.mspx

    Event ID 618 "Encrypted Data Recovery policy changed, means that someone
    changed the Group Policy settings for EFS Recovery Agent in a Group Policy
    that affects that computer. Gpresult can be helpful in determining what
    Group Policies apply to a computer.

    Event ID 612 "An audit policy was changed" means what it says in that the
    audit policy was changed. Since system made the changes both events were
    probably generated by Group Policy applied to the computer at the domain or
    Organizational Unit level. Event Viewer will show an event when security
    policy was last applied. --- Steve

    "Rob" <Rob@discussions.microsoft.com> wrote in message
    news:75656934-AF71-4626-A16C-F7A15206C6DE@microsoft.com...
    > Hello,
    >
    > Does anyone know of a good reference (web or book) that gives the
    > meaning/definition of security event messages? I referenced Microsoft's
    > web
    > site but does not provide what I need.
    >
    > Example:
    > Event ID 618 "Encrypted Data Recovery policy changed." What does this
    > mean?
    > How was this generated?
    >
    > Event ID 612 "An audit policy was changed." I see quite a bit of these
    > entries but no changes were made in the policy; this was generated by
    > system
    > account. I need a reference that explains why this happens and what it
    > does?
    >
    > Any thoughts on a good reference for what I am looking for?
    >
    > Thanks

  • Next message: Steven L Umbach: "Re: What could be on 25 and 110?"

    Relevant Pages