Re: IP Logging in the Security Event log

From: Robert Minneman (robertminneman@earthlink.net)
Date: 11/05/02


From: "Robert Minneman" <robertminneman@earthlink.net>
Date: Mon, 4 Nov 2002 17:10:02 -0800


>The auditing system was designed ~1990-1991, and IP addresses were not even
>on the radar screen at that time.

Ok, it was kind of obvious, as this doesn't appear to have
changed since the original version of NT came out (the
fact that Win2k and OS/2 still share some of the same
registry keys is a great indicator of how long it takes
for some of this stuff to change).

>There was some customer demand for this even in the Win2k time frame but for
>various reasons we could not and did not attempt to make that change for
>Windows 2000.

I would have expected demand for this to be picking up
around NT 4.0's release when the internet was just picking
up and people were beginning to consider the concept
of "firewalling" their networks, although I understand
that there is a need to prioritize what gets on the
development list.

>We added IP address to logon audits in Windows .NET Server, and we're going
>to attempt to back-port this to Service Pack 5 for Windows 2000 (not SP4).

Not knowing what needs to take place in the Event
log/network areas to make this happen, I still can't see
it being too big a deal. Obviously somewhere in the OSI
stack Windows 2k knows what the IP of the incoming request
is; it's just a matter of pulling it from whatever layer
that information is being kept at and dragging it up to
the application layer to be inserted into the Event log
message.

Regardless, this is a great reason for me to get to SP5 as
soon as it's released.

Thank you very much for the information.

Robert Minneman

>Eric
>Program Manager, Windows Auditing and Intrusion Detection
>
>
>"Robert Minneman" <robertminneman@earthlink.net> wrote in message
>news:5c7001c28426$4174ea00$36ef2ecf@tkmsftngxa12...
>> Ok someone explain to me WHY Windows 2000 does not log the
>> IP for a failed login attempt?
>>
>> Is there any way to enable this?
>>
>> It seems extremely stupid to me to log the machine name,
>> but not the IP.
>>
>> For example:
>>
>> Event ID: 681
>>
>> The logon to account: administrator
>> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>> from workstation: FAMILY-COMPUTER
>> failed. The error code was: 3221225578
>>
>> Now, I know that on my network there is no workstation
>> named "FAMILY-COMPUTER", so this is coming from the
>> outside.
>>
>> This particular machine is in my DMZ and I'm trying to
>> limit what's installed on it. So far it doesn't appear
>> that I've been hacked yet, but pretty regularly the script
>> kiddies are making their attempts to get into it.
>>
>> I'd like to have the IP so that I can set up a little
>> program that scans the log, performs a WHOIS, then sends
>> an email to the ISP admin that the attempted hacker is
>> using to have the hacker removed from the net.
>>
>> Again, it seems pretty basic to log the IP instead of the
>> machine name, as the machine name is going to be useless
>> information
>> 99.9999999999999999999999999999999999999999999% of the
>> time.
>>
>> It's Microsoft's penchant for making their OS "out of the
>> box stupid" that has kept the "we hate Microsoft" crowd so
>> full of ammo as to WHY everyone should hate Microsoft.
>>
>> Bah, I guess I'm just frustrated, I really don't want to
>> have to have yet ANOTHER log to monitor on this box.
>>
>> Robert Minneman
>> robertminneman@earthlink.net
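The original post asks for "a little program that scans the log" for Event ID 681 records. As an added example (not Robert's program, and not anything from Microsoft), the Python below parses 681 records in the text layout quoted above, decodes the NTSTATUS value from the decimal error code, and groups failures by the reported workstation, flagging any workstation that is not in an operator-supplied list of known hosts. The sample log, the host names and the KNOWN_WORKSTATIONS set are constructed for this example; the two status names are the standard NTSTATUS values for those codes. As the thread points out, the workstation name in a 681 record is supplied by the client and is not an IP address, so this grouping is a triage aid, not a basis for contacting anyone's ISP.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: three Event ID 681 records in the text form quoted in
# the thread. Host names and accounts are made up for this example.
SAMPLE_LOG = """\
Event ID: 681

The logon to account: administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: FAMILY-COMPUTER
failed. The error code was: 3221225578

Event ID: 681

The logon to account: administrator
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: FAMILY-COMPUTER
failed. The error code was: 3221225578

Event ID: 681

The logon to account: bob
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HOMEPC
failed. The error code was: 3221225572
"""

# Hosts the operator knows belong to the local network (assumption for the example).
KNOWN_WORKSTATIONS: Set[str] = {"HOMEPC"}

# The 681 message prints the NTSTATUS code in decimal; these are the standard names.
NTSTATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
}

# One regex per record; \s* lets the fields span the line breaks of the message text.
EVENT_681_RE = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s*"
    r"by:\s*(?P<package>\S+)\s*"
    r"from workstation:\s*(?P<workstation>\S+)\s*"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)


def decode_status(code: int) -> str:
    """Render the decimal error code as its NTSTATUS name plus hex value."""
    return f"{NTSTATUS_NAMES.get(code, 'UNKNOWN')} (0x{code:08X})"


def parse_681_events(text: str) -> List[Dict]:
    """Extract every Event ID 681 record from the exported log text."""
    events = []
    for m in EVENT_681_RE.finditer(text):
        code = int(m.group("code"))
        events.append({
            "account": m.group("account"),
            "package": m.group("package"),
            "workstation": m.group("workstation"),
            "code": code,
            "status": decode_status(code),
        })
    return events


def summarize_failures(events: List[Dict], known: Set[str]) -> Dict[str, Dict]:
    """Group failures by reported workstation; mark whether the name is a known host."""
    summary = defaultdict(lambda: {"count": 0, "accounts": set(), "known": False})
    for e in events:
        entry = summary[e["workstation"]]
        entry["count"] += 1
        entry["accounts"].add(e["account"])
        entry["known"] = e["workstation"] in known
    return dict(summary)


def unknown_sources(summary: Dict[str, Dict]) -> List[str]:
    """Workstation names that are not on the known-host list, sorted for stable output."""
    return sorted(ws for ws, entry in summary.items() if not entry["known"])


if __name__ == "__main__":
    parsed = parse_681_events(SAMPLE_LOG)
    report = summarize_failures(parsed, KNOWN_WORKSTATIONS)
    for ws, entry in report.items():
        tag = "" if entry["known"] else "  <-- not a known workstation"
        print(f"{ws}: {entry['count']} failure(s), accounts={sorted(entry['accounts'])}{tag}")
```

Run against a text export of the Security log to get a per-workstation tally; with a real record set the interesting output is the list from unknown_sources(), which is exactly the case the post describes (a failure reported from a name that exists nowhere on the local network).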
