Re: security log anomalies

From: Mark Stonestreet (MarkStonestreet_at_discussions.microsoft.com)
Date: 02/14/05

    Date: Mon, 14 Feb 2005 01:17:06 -0800


    Thanks for your reply Steve. I believe that I have auditing set up to
    overwrite the logs after 7 days. I do not actually remember setting this up so it
    may be the default setting. I will have a look and try what you have
    suggested. I will have a look for those tools mentioned.

    cheers

    Regards Mark

    "Steven L Umbach" wrote:

    > As far as the security log, try clearing it and then make the log quite a
    > bit larger than default - say to 5MB for your situation in the properties of
    > the security log. Note while in properties the different behaviors for how
    > the log works when it becomes full which could explain the results you are
    > seeing if it was indeed full. I usually set it to overwrite events as needed
    > after increasing the size of the log.
    >
    > Anonymous logons are normal for computers that use Windows networking,
    > particularly for file and print sharing and using Network Neighborhood. In a
    > workgroup environment these anonymous logons can be fairly numerous. I would
    > be more concerned about a lot of failed logon or failed account logon
    > events, particularly in rapid succession for the administrator account or
    > for unexplained logons for the administrator's account. Be sure to use a
    > firewall if you are connected to the internet.
    >
    > You can find out more about processes by using a free tool from SysInternals
    > called Process Explorer. When you see svchost or lsass check the properties
    > of the process and view the services tab for associated services. Tlist -s
    > for Windows 2000 or tasklist /svc for XP Pro/Windows 2003 can also be used
    > to enumerate services associated with a process. Tlist may not be installed
    > by default in Windows 2000 and could be a support tool or Resource Kit tool.
    > SysInternals also has other helpful tools such as TCPView to see port to
    > process mapping and Autoruns to see startup applications. The link below
    > should also be helpful on small office security. --- Steve
    >
    > http://www.microsoft.com/smallbusiness/gtm/securityguidance/checklist/default.mspx
    >
    > "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
    > message news:AADAA024-2C53-4632-8650-BB9BC5DA6900@microsoft.com...
    > > For the last couple of days I have noticed something strange about my
    > > security log for w2k workgroup workstation. Yesterday (10 Feb) my security
    > > logs only had entries up to 7 Feb. I have since looked today and I only have
    > > entries up to 10:29 am. It is now 3:02 pm. I have connected to other PCs
    > > and there are PCs connected to this one but they do not appear logged as
    > > logon/logoff events. The other PCs have logged events to this PC. Auditing
    > > of security events is enabled. All of the PCs have up-to-date virus
    > > protection.
    > >
    > > I cannot find any odd processes working. There are four instances of
    > > svchost.exe, 1 of lsass.exe, 1 of services.exe etc. Some viruses sometimes
    > > masquerade under these names but how anybody would know when is a mystery to
    > > me. There are lots of instances of anonymous connections in the security
    > > log. How do I go about finding out what they are all about? I have IPtools
    > > and have had it running overnight logging connections but the only
    > > connection appears to be to Windows Update.
    > >
    > > Am I just being paranoid? This is not my day job. I am just the guy who has
    > > to keep the work's computers running as an addition to my day job. There is
    > > no budget. Any advice would be greatly appreciated, even if it is to tell me
    > > to get an expert in. At least I can then approach my bosses on this.
    > >
    > > Cheers
    > >
    > > Mark
    >
    >
    >
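
The triage Steve describes in the quoted reply (treat anonymous network logons as background noise, but look hard at bursts of failed logons for the administrator account and at an administrator logon that follows such a burst) can be turned into a small script. The following is an added example written for this thread, not code posted by either participant. It assumes a simplified pipe-delimited export of the Windows 2000/XP security log (date, time, event ID, audit type, target account, source workstation), constructed here inline; the event IDs used are the real Windows 2000/XP values (528 successful logon, 529 failed logon with bad name or password, 538 logoff, 540 successful network logon), but the line layout and the sample entries are invented for the demonstration.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export. Layout (an assumption, not a real Event Viewer format):
# date | time | event id | audit type | target account | source workstation
# The burst of 529s against Administrator from PC9 is the case Steve says to worry
# about; the ANONYMOUS LOGON 540/538 pairs are the normal workgroup chatter.
SAMPLE_LOG = """\
02/14/2005|10:01:12|540|Success Audit|ANONYMOUS LOGON|PC2
02/14/2005|10:01:13|538|Success Audit|ANONYMOUS LOGON|PC2
02/14/2005|10:05:40|540|Success Audit|ANONYMOUS LOGON|PC3
02/14/2005|10:20:01|529|Failure Audit|Administrator|PC9
02/14/2005|10:20:04|529|Failure Audit|Administrator|PC9
02/14/2005|10:20:06|529|Failure Audit|Administrator|PC9
02/14/2005|10:20:09|529|Failure Audit|Administrator|PC9
02/14/2005|10:20:11|529|Failure Audit|Administrator|PC9
02/14/2005|10:21:30|528|Success Audit|Administrator|PC9
02/14/2005|10:25:00|529|Failure Audit|mark|PC2
02/14/2005|10:29:00|540|Success Audit|mark|PC3
"""

FAILED_LOGON = 529               # bad user name or password
SUCCESS_LOGON = {528, 540}       # interactive / network logon succeeded
NETWORK_LOGON = 540
ANONYMOUS = "ANONYMOUS LOGON"


def parse(text):
    """Turn the exported lines into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, eid, atype, account, ws = line.split("|")
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        events.append({"ts": ts, "id": int(eid), "type": atype,
                       "account": account, "ws": ws})
    return events


def failure_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Sliding-window count of 529s per account.

    Returns {account: (peak_count, first_ts, last_ts, workstation)} for every
    account that reached `threshold` failures inside `window`.
    """
    recent = defaultdict(deque)
    peak = {}
    for e in events:
        if e["id"] != FAILED_LOGON:
            continue
        q = recent[e["account"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and len(q) > peak.get(e["account"], (0,))[0]:
            peak[e["account"]] = (len(q), q[0], e["ts"], e["ws"])
    return peak


def success_after_burst(events, bursts, grace=timedelta(minutes=5)):
    """Accounts that logged on successfully shortly after a failure burst.

    A 528/540 for the same account within `grace` of the burst's last failure is
    the 'unexplained administrator logon' pattern worth following up on.
    """
    hits = set()
    for e in events:
        b = bursts.get(e["account"])
        if b is None or e["id"] not in SUCCESS_LOGON:
            continue
        last_failure = b[2]
        if last_failure <= e["ts"] <= last_failure + grace:
            hits.add(e["account"])
    return sorted(hits)


def anonymous_summary(events):
    """Count ANONYMOUS LOGON network logons per source workstation.

    This is the normal file/print-sharing traffic; it is reported separately so
    it does not drown out the failure analysis.
    """
    return dict(Counter(e["ws"] for e in events
                        if e["id"] == NETWORK_LOGON and e["account"] == ANONYMOUS))


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    bursts = failure_bursts(evs)
    for acct, (n, first, last, ws) in bursts.items():
        print(f"ALERT {n} failed logons for {acct} from {ws} between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for acct in success_after_burst(evs, bursts):
        print(f"ALERT successful logon for {acct} shortly after a failure burst")
    print("anonymous network logons by workstation:", anonymous_summary(evs))
```

On a real machine the input would come from Event Viewer's "Save As" text export rather than the constructed string; only `parse` needs to change for that. The threshold and window are deliberately small so the sample triggers; a single failed logon for a normal user (the `mark` entry) stays below the threshold and is not reported.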
