Re: IM looking for software to analyze event log

From: Chandrasekharran (Chandrasekharran_at_discussions.microsoft.com)
Date: 02/01/05


Date: Tue, 1 Feb 2005 05:47:01 -0800


From where can I obtain or download the Event Comb mentioned by Steven?

"Steven L Umbach" wrote:

> Microsoft has the free Event Comb which can help in scanning multiple
> computer security logs for specific information. There are third party tools
> such as those from Languard that can help manage security logs also.
>
> http://www.gfi.com/lanselm/
>
> However you will find that you need to do some detective work yourself and
> evaluating your security practices. There is no "magic" tool that can
> analyze your security logs and tell you exactly what happened. Since you
> have been hacked twice already I would make sure that you have changed all
> administrator passwords, checked the membership of the administrator groups,
> enforce password complexity, enable an account lockout policy [ at least for
> now] that can be used as a primitive intrusion detection, check that your
> computers are current with critical updates, check your firewall
> configuration, and so on. Depending on how you have responded to these hacks
> you may still be vulnerable due to misconfiguration or an existing backdoor
> from the other attacks. Technet Security is a good place to start to learn
> how to secure your computers/network. The Microsoft Baseline Security
> Analyzer should be run on your computers to check for basic vulnerabilities.
>
> http://www.microsoft.com/technet/security/default.mspx
>
>
> Things to look for in the security logs are failed logons or logons from
> accounts at times that don't make sense - particularly administrator account
> and strange name computer accounts accessing your network. Your firewall
> logs might be helpful if you can correlate events by time of the attack and
> monitor for port/protocols that should not be making it into the network
> showing a problem with firewall configuration. I also highly recommend that
> you download and read the free Antivirus in Depth guide from Microsoft. It
> has some excellent tips on how to try and track down exactly what happened
> using common tools to examine processes, port use, services, files created
> by date, etc.
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en
> http://tinyurl.com/6xajr -- same link shorter.
>
> Account logon events are generated on the computer that authenticated a user
> for interactive logon. For a domain user that would be the domain controller
> that authenticated the user. For workstation computers it would be the
> computer itself. Logon events are recorded in the security log of a computer
> where a user has used his credentials to access the computer such as a local
> logon or network share [type 3 logon]. The link below will explain this much
> more and give you a better understanding of the auditing process. --- Steve
>
> http://www.microsoft.com/technet/security/guidance/secmod144.mspx
>
> "Nick" <andync55@hotmail.com> wrote in message
> news:%23jI9H5r3EHA.2316@TK2MSFTNGP15.phx.gbl...
> > Hi
> >
> > We have been having trouble with being hacked into twice now and I'm after
> > some software that can analyze security event logs. I am auditing
> >
> > account log on event
> > logon events
> > policy change
> >
> > The logs are so long and you have to go into each log to view who it was
> > that logged on etc. I'm looking for some software that can analyze it and
> > display it in an easy to view format.
> >
> >
> > Also, one other query I have is: what's the difference between account logon
> > and logon events?
> >
> > Thanks
> >
>
>
>
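The checks Steve lists above (failed logons, logons at odd hours, Administrator and strange-computer activity, a lockout-style burst detector) and his point about where Account Logon versus Logon/Logoff events are recorded can be tried on an exported security log. The script below is an added example written for this thread, not code from Event Comb, GFI or any poster; the CSV layout, the column names and every record in it are constructed for illustration, and the event IDs are the classic Windows 2000/2003 security-log IDs (528/540 successful logon, 529 failed logon, 672/675 Kerberos account-logon success/failure).

```python
"""Added example: small triage of exported Windows security-log records.

The CSV layout and all records are constructed for this example; they are
not real log data and are not the output of Event Comb or any other tool.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed export. log_host is the computer whose security log the record
# came from; workstation is the client computer named inside the event.
# Account Logon events carry no logon type, so that column is empty for them.
SAMPLE_CSV = r"""time,event_id,category,result,account,logon_type,workstation,log_host
2005-01-31 09:02:11,528,Logon/Logoff,Success,DOMAIN\alice,2,WS-ALICE,WS-ALICE
2005-01-31 09:05:40,672,Account Logon,Success,DOMAIN\alice,,,DC1
2005-01-31 10:15:00,540,Logon/Logoff,Success,DOMAIN\bob,3,WS-BOB,FILESRV
2005-01-31 23:58:02,529,Logon/Logoff,Failure,DOMAIN\Administrator,3,X91KQ-7,FILESRV
2005-01-31 23:58:09,529,Logon/Logoff,Failure,DOMAIN\Administrator,3,X91KQ-7,FILESRV
2005-01-31 23:58:15,529,Logon/Logoff,Failure,DOMAIN\Administrator,3,X91KQ-7,FILESRV
2005-01-31 23:59:30,540,Logon/Logoff,Success,DOMAIN\Administrator,3,X91KQ-7,FILESRV
2005-02-01 03:12:44,529,Logon/Logoff,Failure,DOMAIN\bob,3,WS-BOB,FILESRV
2005-02-01 08:30:00,675,Account Logon,Failure,DOMAIN\carol,,,DC1
"""


def parse_export(text):
    """Parse the CSV export into dicts with typed time, event_id and logon_type."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = dict(row)
        rec["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        rec["event_id"] = int(row["event_id"])
        rec["logon_type"] = int(row["logon_type"]) if row["logon_type"] else None
        records.append(rec)
    return records


def failed_logons_by_account(records):
    """Count failed logons per account: the first thing to look for."""
    return Counter(r["account"] for r in records if r["result"] == "Failure")


def burst_failures(records, threshold=3, window_seconds=60):
    """Accounts with `threshold` failures inside `window_seconds`: the same
    signal an account-lockout policy acts on, used here as a primitive detector."""
    by_account = defaultdict(list)
    for r in records:
        if r["result"] == "Failure":
            by_account[r["account"]].append(r["time"])
    flagged = []
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(account)
                break
    return sorted(flagged)


def off_hours_logons(records, start=time(7, 0), end=time(20, 0)):
    """Successful logons outside the working window: logons at times that
    don't make sense for the account."""
    return [r for r in records
            if r["result"] == "Success" and not (start <= r["time"].time() < end)]


def unknown_workstations(records, known):
    """Client computer names in the events that are not in the known inventory."""
    return {r["workstation"] for r in records
            if r["workstation"] and r["workstation"] not in known}


def where_recorded(records):
    """Which hosts' logs hold each category: Account Logon events sit on the
    authenticating computer (the DC for domain accounts), Logon/Logoff events
    on the computer where the credentials were actually used."""
    hosts = defaultdict(set)
    for r in records:
        hosts[r["category"]].add(r["log_host"])
    return {cat: sorted(h) for cat, h in hosts.items()}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_CSV)
    print("failures per account:", dict(failed_logons_by_account(recs)))
    print("burst failures:", burst_failures(recs))
    print("off-hours successes:",
          [(str(r["time"]), r["account"], r["workstation"]) for r in off_hours_logons(recs)])
    print("unknown workstations:", unknown_workstations(recs, known={"WS-ALICE", "WS-BOB"}))
    print("recorded on:", where_recorded(recs))
```

On the constructed data the script flags the three rapid Administrator failures followed by a success at 23:59 from a computer that is not in the inventory, which is exactly the pattern Steve describes: a failed-then-successful network (type 3) logon by the administrator account, at an odd hour, from a strangely named machine. The `where_recorded` output also shows the answer to Nick's second question: the Account Logon records came from the domain controller's log, the Logon/Logoff records from the workstation and file server where the sessions were opened.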


