Re: security log anomolies
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 02/19/05
- Next message: Steven L Umbach: "Re: Exchange OWA 2003 Trusted Root Certificate"
- Previous message: S. Pidgorny: "Re: Win2k or Win32 IPTABLES"
- In reply to: Mark Stonestreet: "Re: security log anomolies"
- Next in thread: Mark Stonestreet: "Re: security log anomolies"
- Reply: Mark Stonestreet: "Re: security log anomolies"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Feb 2005 19:06:01 -0600
What you show below looks good in my opinion. It's just that auditing of
object access in particular can generate a huge amount of events, especially
if you are trying to audit a lot of folders for all permissions. I see you
have both account logon and logon events enabled for success and failure. If
this is a domain controller, auditing of account logons would be most
pertinent to track domain activity. However it is not a bad idea to also
audit for logon events for at least failure on domain controllers.

Effective Settings in Local Security Policy shows the policy that is actually
applied to a computer. For domain computers, local and effective policy may be
different, indicating that there is a domain/OU/domain controller container
policy overriding Local Security Policy. You will see that a lot on domain
controllers in particular, as Domain Controller Security Policy will override
Local Security Policy for domain controllers [assuming they are in the
default domain controller container] and is where you want to configure
security policy for domain controllers.

If you have too many events recorded in the security log it makes it
difficult to find anything meaningful. More information is not always
desirable. --- Steve
"Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
message news:9931E4F5-8B7C-4C74-9BC4-618715D32B6B@microsoft.com...
> Hi Steve
>
> I have increased log to 10MB and cleared the log. Object access was set up
> for logging success and failure, I have switched this off. Generally all of
> the items in the log referenced logon/logoff success mostly to anonymous
> connections. Is it best that I switch off success logging?
>
> I have the following items logging success/failure:
> account logon events
> account management
> logon events
> policy change
> system events
>
> Should I prune this down? Can you please let me know what the "Effective
> Settings" relates to. I do not know how these settings can be modified.
>
> Thanks again Steve
>
> Regards Mark
>
> "Steven L Umbach" wrote:
>
>> Geez. I would clear it again to see what happens. Hard to believe it would
>> fill up that fast. You could check the size of the security .evt file to
>> see how large it is. I don't know how large you made it but you may want to
>> increase it to 10MB or more and configure to overwrite events as needed.
>> However if you are auditing object access and/or process tracking for
>> success the logs can fill up very quickly. Generally you should not be
>> auditing those categories unless you have a specific reason such as
>> enabling auditing of object access because you are auditing folders for
>> access which would show a lot of Event IDs for 560 and 562. --- Steve
>>
>>
>> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
>> message news:AB433051-A44A-4799-AAA3-E2D6A5C4476C@microsoft.com...
>> > Steve
>> >
>> > Guess what? The Event log has stopped logging again!! The log spanned
>> > yesterday (16 Feb 05) 9:00 to 16:08. Any ideas?
>> >
>> > Regards Mark
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> OK. I think if you increase the size of the log and set it to overwrite
>> >> as needed you will probably see the problem go away. --- Steve
>> >>
>> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
>> >> message news:06F01BBE-3416-4059-A38E-C67EABBB0FF5@microsoft.com...
>> >> > Thanks for your reply Steve. I believe that I have auditing set up to
>> >> > overwrite the logs after 7 days. I do not actually remember setting
>> >> > this up so it may be the default setting. I will have a look and try
>> >> > what you have suggested. I will have a look for those tools mentioned.
>> >> >
>> >> > cheers
>> >> >
>> >> > Regards Mark
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> As far as the security log, try clearing it and then make the log
>> >> >> quite a bit larger than default - say to 5MB for your situation in
>> >> >> the properties of the security log. Note while in properties the
>> >> >> different behaviors for how the log works when it becomes full which
>> >> >> could explain the results you are seeing if it was indeed full. I
>> >> >> usually set it to overwrite events as needed after increasing the
>> >> >> size of the log.
>> >> >>
>> >> >> Anonymous logons are normal for computers that use Windows
>> >> >> networking, particularly for file and print sharing and using Network
>> >> >> Neighborhood. In a workgroup environment these anonymous logons can
>> >> >> be fairly numerous. I would be more concerned about a lot of failed
>> >> >> logon or failed account logon events, particularly in rapid
>> >> >> succession for the administrator account or for unexplained logons
>> >> >> for the administrator's account. Be sure to use a firewall if you
>> >> >> are connected to the internet.
>> >> >>
>> >> >> You can find out more about processes by using a free tool from
>> >> >> SysInternals called Process Explorer. When you see svchost or lsass
>> >> >> check the properties of the process and view the services tab for
>> >> >> associated services. Tlist -s for Windows 2000 or tasklist /svc for
>> >> >> XP Pro/Windows 2003 can also be used to enumerate services associated
>> >> >> with a process. Tlist may not be installed by default in Windows 2000
>> >> >> and could be a support tool or Resource Kit tool. SysInternals also
>> >> >> has other helpful tools such as TCPView to see port to process
>> >> >> mapping and Autoruns to see startup applications. The link below
>> >> >> should also be helpful on small office security. --- Steve
>> >> >>
>> >> >> http://www.microsoft.com/smallbusiness/gtm/securityguidance/checklist/default.mspx
>> >> >>
>> >> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote
>> >> >> in message news:AADAA024-2C53-4632-8650-BB9BC5DA6900@microsoft.com...
>> >> >> > For the last couple of days I have noticed something strange about
>> >> >> > my security log for w2k workgroup workstation. Yesterday (10 Feb)
>> >> >> > my security logs only had entries up to 7 Feb. I have since looked
>> >> >> > today and I only have entries up to 10:29 am. It is now 3:02 pm. I
>> >> >> > have connected to other pc's and there are pc's connected to this
>> >> >> > one but they do not appear logged as logon/logoff events. The other
>> >> >> > pc's have logged events to this pc. Auditing of security events is
>> >> >> > enabled. All of the pc's have up to date virus protection.
>> >> >> >
>> >> >> > I can not find any odd processes working. There are four instances
>> >> >> > of svchost.exe, 1 of lsass.exe, 1 of services.exe etc. Some viruses
>> >> >> > sometimes masquerade under these names but how anybody would know
>> >> >> > when is a mystery to me. There are lots of instances of anonymous
>> >> >> > connections in the security log. How do I go about finding out what
>> >> >> > they are all about? I have IPtools and have had it running over
>> >> >> > night logging connections but the only connection appears to be to
>> >> >> > Windows Update.
>> >> >> >
>> >> >> > Am I just being paranoid? This is not my day job. I am just the guy
>> >> >> > who has to keep the works computers running as an addition to my
>> >> >> > day job. There is no budget. Any advice would be greatly
>> >> >> > appreciated, even if it is to tell me to get an expert in. At least
>> >> >> > I can then approach my bosses on this.
>> >> >> >
>> >> >> > Cheers
>> >> >> >
>> >> >> > Mark
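An added example, not from the thread or its participants: a PowerShell script that does for a Security log what the replies above recommend doing by eye in Event Viewer. It answers two questions: which event IDs are filling the log (the thread's object-access problem), and whether there are failed logons for the Administrator account in rapid succession, which Steve singles out as the pattern worth worrying about while anonymous network logons are expected in a workgroup. It runs on constructed sample records (no admin rights needed); the `ConvertFrom-SecurityEvent` helper flattens real `Get-WinEvent` output into the same shape. Assumptions: it uses the Vista-and-later event IDs (4624 logon success, 4625 logon failure, 4663 object access) rather than the Windows 2000 IDs (528/529/560) the thread mentions, and the burst threshold and window are arbitrary starting values.

```powershell
# Added example (not from the thread). Security-log triage: what is filling
# the log, and are there bursts of failed Administrator logons.
# Assumption: Vista+ event IDs; Windows 2000 used 528/529/560 instead.

$EventNames = @{
    4624 = 'Logon success'
    4625 = 'Logon failure'
    4663 = 'Object access (the category that fills logs)'
}

# Which IDs dominate the log, and what share of all events each one has.
function Get-EventIdSummary {
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Id    = [int]$_.Name
            Name  = $EventNames[[int]$_.Name]
            Count = $_.Count
            Share = [math]::Round(100 * $_.Count / $Events.Count, 1)
        }
    }
}

# A burst is $Threshold or more failed logons for one account inside
# $WindowSeconds. Three typos spread over a day are not a burst; a
# password-guessing run is. Each burst is reported once.
function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string]$Account = 'Administrator',
        [int]$Threshold = 5,
        [int]$WindowSeconds = 60
    )
    $failures = @($Events | Where-Object { $_.Id -eq 4625 -and $_.TargetUser -eq $Account } |
                  Sort-Object Time)
    $i = 0
    while ($i -lt $failures.Count) {
        $windowEnd = $failures[$i].Time.AddSeconds($WindowSeconds)
        $inWindow  = @($failures[$i..($failures.Count - 1)] | Where-Object { $_.Time -le $windowEnd })
        if ($inWindow.Count -ge $Threshold) {
            [pscustomobject]@{
                Account = $Account
                Start   = $failures[$i].Time
                End     = $inWindow[-1].Time
                Count   = $inWindow.Count
                Sources = ($inWindow.Source | Sort-Object -Unique) -join ', '
            }
            $i += $inWindow.Count      # skip past this burst
        } else {
            $i++
        }
    }
}

# Flatten real Get-WinEvent records into the shape used above by reading the
# EventData fields from the event XML (TargetUserName and IpAddress are the
# field names 4624/4625 carry), which avoids hard-coding property indexes.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            Id         = $Event.Id
            TargetUser = $data['TargetUserName']
            Source     = $data['IpAddress']
        }
    }
}

# --- Constructed sample data (not real log content) ---
$base   = Get-Date '2005-02-18 09:00:00'
$Sample = New-Object System.Collections.Generic.List[object]
1..120 | ForEach-Object {   # anonymous network logons: normal workgroup noise
    $Sample.Add([pscustomobject]@{ Time = $base.AddSeconds(30 * $_); Id = 4624; TargetUser = 'ANONYMOUS LOGON'; Source = '192.168.1.20' })
}
1..600 | ForEach-Object {   # object access: the category that fills the log
    $Sample.Add([pscustomobject]@{ Time = $base.AddSeconds(5 * $_); Id = 4663; TargetUser = 'mark'; Source = '-' })
}
1..8 | ForEach-Object {     # eight Administrator failures in 16 seconds: a burst
    $Sample.Add([pscustomobject]@{ Time = $base.AddMinutes(45).AddSeconds(2 * $_); Id = 4625; TargetUser = 'Administrator'; Source = '10.0.0.77' })
}
1..3 | ForEach-Object {     # three failures an hour apart: not a burst
    $Sample.Add([pscustomobject]@{ Time = $base.AddHours($_); Id = 4625; TargetUser = 'Administrator'; Source = '192.168.1.21' })
}

Get-EventIdSummary     -Events $Sample.ToArray() | Format-Table -AutoSize
Find-FailedLogonBursts -Events $Sample.ToArray() | Format-Table -AutoSize

# Against a live log (run elevated):
#   $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 5000 |
#           ConvertFrom-SecurityEvent
#   Find-FailedLogonBursts -Events $live
```

On the sample data the summary shows 4663 at roughly 82% of events, which is the thread's point about object-access auditing, and the burst finder reports one burst of 8 from 10.0.0.77 while ignoring the three scattered failures. For the "Effective Settings" question, the modern equivalents are `auditpol /get /category:*`, which prints the audit policy actually in force on the machine whatever Local Security Policy displays, and `Get-WinEvent -ListLog Security`, which shows the log's `MaximumSizeInBytes` and `LogMode`; `Limit-EventLog -LogName Security -MaximumSize 10MB -OverflowAction OverwriteAsNeeded` (Windows PowerShell) applies the size and overwrite setting the thread settles on.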