Re: security log anomalies

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/15/05


Date: Mon, 14 Feb 2005 22:01:52 -0600

OK. I think if you increase the size of the log and set it to override as
needed you will probably see the problem go away. --- Steve

"Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
message news:06F01BBE-3416-4059-A38E-C67EABBB0FF5@microsoft.com...
> Thanks for your reply Steve. I believe that I have auditing set up to
> overwrite the logs after 7 days. I do not actually remember setting this up
> so it may be the default setting. I will have a look and try what you have
> suggested. I will have a look for those tools mentioned.
>
> cheers
>
> Regards Mark
>
> "Steven L Umbach" wrote:
>
>> As far as the security log, try clearing it and then make the log quite a
>> bit larger than default - say to 5MB for your situation in the properties
>> of the security log. Note while in properties the different behaviors for
>> how the log works when it becomes full which could explain the results you
>> are seeing if it was indeed full. I usually set it to overwrite events as
>> needed after increasing the size of the log.
>>
>> Anonymous logons are normal for computers that use Windows networking,
>> particularly for file and print sharing and using Network Neighborhood.
>> In a workgroup environment these anonymous logons can be fairly numerous.
>> I would be more concerned about a lot of failed logon or failed account
>> logon events, particularly in rapid succession for the administrator
>> account or for unexplained logons for the administrator's account. Be sure
>> to use a firewall if you are connected to the internet.
>>
>> You can find out more about processes by using a free tool from
>> SysInternals called Process Explorer. When you see svchost or lsass check
>> the properties of the process and view the services tab for associated
>> services. Tlist -s for Windows 2000 or tasklist /svc for XP Pro/Windows
>> 2003 can also be used to enumerate services associated with a process.
>> Tlist may not be installed by default in Windows 2000 and could be a
>> support tool or Resource Kit tool. SysInternals also has other helpful
>> tools such as TCPView to see port to process mapping and Autoruns to see
>> startup applications. The link below should also be helpful on small
>> office security. --- Steve
>>
>> http://www.microsoft.com/smallbusiness/gtm/securityguidance/checklist/default.mspx
>>
>> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
>> message news:AADAA024-2C53-4632-8650-BB9BC5DA6900@microsoft.com...
>> > For the last couple of days I have noticed something strange about my
>> > security log for w2k workgroup workstation. Yesterday (10 Feb) my
>> > security logs only had entries up to 7 Feb. I have since looked today
>> > and I only have entries up to 10:29 am. It is now 3:02 pm. I have
>> > connected to other PCs and there are PCs connected to this one but they
>> > do not appear logged as logon/logoff events. The other PCs have logged
>> > events to this PC. Auditing of security events is enabled. All of the
>> > PCs have up to date virus protection.
>> >
>> > I cannot find any odd processes working. There are four instances of
>> > svchost.exe, 1 of lsass.exe, 1 of services.exe etc. Some viruses
>> > sometimes masquerade under these names but how anybody would know when
>> > is a mystery to me. There are lots of instances of anonymous connections
>> > in the security log. How do I go about finding out what they are all
>> > about? I have IPtools and have had it running over night logging
>> > connections but the only connection appears to be to Windows Update.
>> >
>> > Am I just being paranoid? This is not my day job. I am just the guy who
>> > has to keep the work's computers running as an addition to my day job.
>> > There is no budget. Any advice would be greatly appreciated, even if it
>> > is to tell me to get an expert in. At least I can then approach my
>> > bosses on this.
>> >
>> > Cheers
>> >
>> > Mark
>>
>>
>>
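
One way to triage an exported security log for the pattern Steve describes (bursts of failed logons for the Administrator account, with anonymous logons counted separately as expected workgroup noise). This is an added Python example, not code from the thread; the tab-separated export layout and the sample lines are constructed assumptions, while the event IDs are the Windows 2000/XP (pre-Vista) security log numbers.

```python
from collections import deque
from datetime import datetime, timedelta

# Security log event IDs as numbered on Windows 2000/XP (pre-Vista numbering).
FAILED_LOGON_IDS = {529, 539}   # 529 unknown user name or bad password, 539 account locked out
SUCCESS_LOGON_IDS = {528, 540}  # 528 successful logon, 540 successful network logon

# Constructed sample shaped like a tab-separated Event Viewer export
# (date, time, event ID, user name); not data from the thread.
SAMPLE_LOG = """\
2005-02-14\t10:20:01\t540\tANONYMOUS LOGON
2005-02-14\t10:20:03\t540\tANONYMOUS LOGON
2005-02-14\t10:25:10\t529\tAdministrator
2005-02-14\t10:25:12\t529\tAdministrator
2005-02-14\t10:25:13\t529\tAdministrator
2005-02-14\t10:25:15\t529\tAdministrator
2005-02-14\t10:28:00\t528\tmark
2005-02-14\t11:40:00\t529\tmark
"""

def parse_log(text):
    """Return a time-sorted list of (timestamp, event_id, user) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, time, event_id, user = line.split("\t")
            events.append((datetime.fromisoformat(f"{date} {time}"), int(event_id), user))
    return sorted(events)

def failed_logon_bursts(events, user="Administrator", threshold=3, window_seconds=60):
    """Find runs of >= threshold failed logons for `user` inside a sliding window.
    Overlapping windows are merged; returns a list of (start, end, count)."""
    window, recent, bursts = timedelta(seconds=window_seconds), deque(), []
    for seq, (ts, event_id, who) in enumerate(events):
        if event_id not in FAILED_LOGON_IDS or who.lower() != user.lower():
            continue
        recent.append((ts, seq))              # seq keeps same-second events distinct
        while ts - recent[0][0] > window:
            recent.popleft()                  # drop failures older than the window
        if len(recent) >= threshold:
            if bursts and recent[0][0] <= bursts[-1][1]:   # overlaps the last burst: extend it
                bursts[-1] = (bursts[-1][0], ts, bursts[-1][2] | set(recent))
            else:
                bursts.append((recent[0][0], ts, set(recent)))
    return [(start, end, len(members)) for start, end, members in bursts]

def count_anonymous_logons(events):
    """Successful logons by the ANONYMOUS LOGON account: expected noise on a workgroup LAN."""
    return sum(1 for _, eid, who in events if eid in SUCCESS_LOGON_IDS and who.upper() == "ANONYMOUS LOGON")
```

On the sample, `failed_logon_bursts(parse_log(SAMPLE_LOG))` reports one burst of four failed Administrator logons within five seconds, while the two anonymous logons and the single failed logon for "mark" are not flagged.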
