Re: security log anomalies

From: Mark Stonestreet (MarkStonestreet_at_discussions.microsoft.com)
Date: 02/21/05


Date: Mon, 21 Feb 2005 01:33:02 -0800

Steve

Thanks again for all your help.

Regards Mark

"Steven L Umbach" wrote:

> What you show below looks good in my opinion. It's just that auditing of
> object access in particular can generate a huge amount of events especially
> if you are trying to audit a lot of folders for all permissions. I see you
> have both account logon and logon events enabled for success and failure. If
> this is a domain controller, auditing of account logons would be most
> pertinent to track domain activity. However it is not a bad idea to also
> audit for logon events for at least failure on domain controllers. Effective
> settings in Local Security Policy is what the actual applied policy is to a
> computer. For domain computers, local and effective policy may be different
> indicating that there is a domain/OU/domain controller container policy
> overriding Local Security Policy. You will see that a lot on domain
> controllers in particular as Domain Controller Security Policy will override
> Local Security Policy for domain controllers [assuming they are in the
> default domain controller container] and is where you want to configure
> security policy for domain controllers. If you have too many events recorded
> in the security log it makes it difficult to find anything meaningful. More
> information is not always desirable. --- Steve
>
>
> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
> message news:9931E4F5-8B7C-4C74-9BC4-618715D32B6B@microsoft.com...
> > Hi Steve
> >
> > I have increased log to 10MB and cleared the log. Object access was set up
> > for logging success and failure, I have switched this off. Generally all of
> > the items in the log referenced logon/logoff success mostly to anonymous
> > connections. Is it best that I switch off success logging?
> >
> > I have the following items logging success/failure:
> > account logon events
> > account management
> > logon events
> > policy change
> > system events
> >
> > Should I prune this down? Can you please let me know what the "Effective
> > Settings" relates to. I do not know how these settings can be modified.
> >
> > Thanks again Steve
> >
> > Regards Mark
> >
> > "Steven L Umbach" wrote:
> >
> >> Geez. I would clear it again to see what happens. Hard to believe it would
> >> fill up that fast. You could check the size of the security .evt file to see
> >> how large it is. I don't know how large you made it but you may want to
> >> increase it to 10MB or more and configure to overwrite events as needed.
> >> However if you are auditing object access and/or process tracking for
> >> success the logs can fill up very quickly. Generally you should not be
> >> auditing those categories unless you have a specific reason such as enabling
> >> auditing of object access because you are auditing folders for access which
> >> would show a lot of Event IDs for 560 and 562. --- Steve
> >>
> >>
> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
> >> message news:AB433051-A44A-4799-AAA3-E2D6A5C4476C@microsoft.com...
> >> > Steve
> >> >
> >> > Guess what? The Event log has stopped logging again!! The log spanned
> >> > yesterday (16 Feb 05) 9:00 to 16:08. Any ideas?
> >> >
> >> > Regards Mark
> >> >
> >> > "Steven L Umbach" wrote:
> >> >
> >> >> OK. I think if you increase the size of the log and set it to overwrite as
> >> >> needed you will probably see the problem go away. --- Steve
> >> >>
> >> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote
> >> >> in
> >> >> message news:06F01BBE-3416-4059-A38E-C67EABBB0FF5@microsoft.com...
> >> >> > Thanks for your reply Steve. I believe that I have auditing set up to
> >> >> > overwrite the logs after 7 days. I do not actually remember setting this
> >> >> > up so it may be the default setting. I will have a look and try what you
> >> >> > have suggested. I will have a look for those tools mentioned.
> >> >> >
> >> >> > cheers
> >> >> >
> >> >> > Regards Mark
> >> >> >
> >> >> > "Steven L Umbach" wrote:
> >> >> >
> >> >> >> As far as the security log, try clearing it and then make the log quite
> >> >> >> a bit larger than default - say to 5MB for your situation in the
> >> >> >> properties of the security log. Note while in properties the different
> >> >> >> behaviors for how the log works when it becomes full which could explain
> >> >> >> the results you are seeing if it was indeed full. I usually set it to
> >> >> >> overwrite events as needed after increasing the size of the log.
> >> >> >>
> >> >> >> Anonymous logons are normal for computers that use Windows networking,
> >> >> >> particularly for file and print sharing and using Network Neighborhood.
> >> >> >> In a workgroup environment these anonymous logons can be fairly
> >> >> >> numerous. I would be more concerned about a lot of failed logon or
> >> >> >> failed account logon events, particularly in rapid succession for the
> >> >> >> administrator account or for unexplained logons for the administrator's
> >> >> >> account. Be sure to use a firewall if you are connected to the internet.
> >> >> >>
> >> >> >> You can find out more about processes by using a free tool from
> >> >> >> SysInternals called Process Explorer. When you see svchost or lsass
> >> >> >> check the properties of the process and view the services tab for
> >> >> >> associated services. Tlist -s for Windows 2000 or tasklist /svc for XP
> >> >> >> Pro/Windows 2003 can also be used to enumerate services associated with
> >> >> >> a process. Tlist may not be installed by default in Windows 2000 and
> >> >> >> could be a support tool or Resource Kit tool. SysInternals also has
> >> >> >> other helpful tools such as TCPView to see port to process mapping and
> >> >> >> Autoruns to see startup applications. The link below should also be
> >> >> >> helpful on small office security. --- Steve
> >> >> >>
> >> >> >> http://www.microsoft.com/smallbusiness/gtm/securityguidance/checklist/default.mspx
> >> >> >>
> >> >> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com>
> >> >> >> wrote
> >> >> >> in
> >> >> >> message news:AADAA024-2C53-4632-8650-BB9BC5DA6900@microsoft.com...
> >> >> >> > For the last couple of days I have noticed something strange about
> >> >> >> > my security log for w2k workgroup workstation. Yesterday (10 Feb) my
> >> >> >> > security logs only had entries up to 7 Feb. I have since looked today
> >> >> >> > and I only have entries up to 10:29 am. It is now 3:02 pm. I have
> >> >> >> > connected to other PCs and there are PCs connected to this one but
> >> >> >> > they do not appear logged as logon/logoff events. The other PCs have
> >> >> >> > logged events to this PC. Auditing of security events is enabled. All
> >> >> >> > of the PCs have up to date virus protection.
> >> >> >> >
> >> >> >> > I can not find any odd processes working. There are four instances
> >> >> >> > of svchost.exe, 1 of lsass.exe, 1 of services.exe etc. Some viruses
> >> >> >> > sometimes masquerade under these names but how anybody would know
> >> >> >> > when is a mystery to me. There are lots of instances of anonymous
> >> >> >> > connections in the security log. How do I go about finding out what
> >> >> >> > they are all about? I have IPtools and have had it running over night
> >> >> >> > logging connections but the only connection appears to be to Windows
> >> >> >> > Update.
> >> >> >> >
> >> >> >> > Am I just being paranoid? This is not my day job. I am just the guy
> >> >> >> > who has to keep the works computers running as an addition to my day
> >> >> >> > job. There is no budget. Any advice would be greatly appreciated, even
> >> >> >> > if it is to tell me to get an expert in. At least I can then approach
> >> >> >> > my bosses on this.
> >> >> >> >
> >> >> >> > Cheers
> >> >> >> >
> >> >> >> > Mark
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
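An added example, not part of the thread and not Steve's or Mark's own procedure: a PowerShell script that does on a current Windows version what the thread walks through by hand in Event Viewer and Local Security Policy. It shows the Security log's size and overflow behaviour and sets it to 10MB with overwrite-as-needed, prints the effective audit policy (so local versus domain-applied settings can be compared), tallies which event IDs dominate the log (the thread's object-access IDs 560/562 became 4656/4663 from Vista onward), counts anonymous logons, which Steve says are normal for Windows networking, and flags the pattern he says to worry about: repeated failed logons for one account in rapid succession. It assumes Windows PowerShell 5.1 run elevated on Windows Vista or later (the thread's Windows 2000 machine predates PowerShell); the `$BurstWindowMinutes`, `$BurstCount` and `$SampleSize` thresholds are my own choices, not values from the thread.

```powershell
# Added example (not from the thread). Assumes elevated Windows PowerShell 5.1 on Vista+.
param(
    [int]$MaximumSizeMB = 10,       # thread settles on 10MB
    [int]$BurstWindowMinutes = 5,   # assumed threshold, not from the thread
    [int]$BurstCount = 5,           # assumed threshold, not from the thread
    [int]$SampleSize = 5000         # how many recent events to sample
)

# 1. Current size and behaviour-when-full of the Security log (Event Viewer log properties).
Get-EventLog -List | Where-Object { $_.Log -eq 'Security' } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays

# 2. Enlarge the log and overwrite events as needed, the setting the thread ends up with.
Limit-EventLog -LogName Security -MaximumSize ($MaximumSizeMB * 1MB) -OverflowAction OverwriteAsNeeded

# 3. Effective audit policy: what is actually applied, whether it came from local or domain policy.
auditpol /get /category:*

# 4. Which event IDs dominate the log? 4656/4663 at the top means object-access auditing is on.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security' } -MaxEvents $SampleSize
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 5. Anonymous logons (4624 with TargetUserName = ANONYMOUS LOGON); normal for file/print sharing.
#    Properties[5] is TargetUserName for both 4624 and 4625.
$anon = @($events | Where-Object { $_.Id -eq 4624 -and $_.Properties[5].Value -eq 'ANONYMOUS LOGON' }).Count
"Anonymous logons in sample: $anon"

# 6. The signal to act on: $BurstCount failed logons (4625) for one account within $BurstWindowMinutes.
$failed = $events | Where-Object { $_.Id -eq 4625 } | ForEach-Object {
    [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[5].Value }
}
$failed | Group-Object Account | ForEach-Object {
    $times = @($_.Group.Time | Sort-Object)   # oldest first
    for ($i = 0; $i + $BurstCount - 1 -lt $times.Count; $i++) {
        # sliding window: if the Nth failure after this one is within the window, report once
        if (($times[$i + $BurstCount - 1] - $times[$i]).TotalMinutes -le $BurstWindowMinutes) {
            "$($_.Name): $BurstCount failed logons within $BurstWindowMinutes min starting $($times[$i])"
            break
        }
    }
}

# 7. Map svchost.exe instances to the services they host (the thread's tasklist /svc).
tasklist /svc /fi "IMAGENAME eq svchost.exe"
```

Step 4 is the quick answer to "why does the log fill up": if the top of the tally is 4656/4663 (object access) or 4688 (process creation), the corresponding category is on, and step 3 shows whether the local policy or a domain-applied one turned it on. Step 6 only looks at the sampled events, so raise `$SampleSize` or filter `Get-WinEvent` by `StartTime` to cover a longer period.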