thoughts from the Windows auditing team
Quick Overview of Object Access Auditing in Windows
A lot of people are unhappy with object access auditing on Windows, because what they want to know...
Author: Eric Fitzgerald Date: 03/07/2006
Default ACLs on Windows Event Logs
A question I get asked frequently: what are the default ACLs on Windows event logs? Here's the...
Author: Eric Fitzgerald Date: 03/01/2006
Whetting your appetite for Windows Vista
Here's a cut & paste from one of my Vista machines. This is one of our new events. I'm including...
Author: Eric Fitzgerald Date: 12/20/2005
What the heck are "Primary User" and "Client User"?
Windows has a feature called "impersonation", by which a process running as one user account can...
Author: Eric Fitzgerald Date: 12/16/2005
EU Passes New Log Retention Rule for Telcos
The BBC reports that the European Parliament has approved rules, as an anti-terror measure, to...
Author: Eric Fitzgerald Date: 12/14/2005
Setting SACLs on Services
Have you ever wanted a record of admin activity regarding service management? For example, who...
Author: Eric Fitzgerald Date: 12/09/2005
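The teaser above describes putting a SACL on a service so that management operations on it land in the Security log. The script below is an added example for this page, not code from the original post: it reads the service's security descriptor as SDDL, appends an audit ACE, and writes the descriptor back. The service name (Spooler) and the choice of audited rights are illustrative. It assumes an elevated prompt and that the "Audit object access" policy (the matching Object Access subcategory on Vista and later) is enabled; without that policy the SACL is stored but nothing is logged.

```powershell
# Added example, not code from the original post. Adds an audit ACE to a
# service's security descriptor so that start/stop/reconfigure/delete
# attempts against it are logged once "Audit object access" is enabled.
# The service name is illustrative; run from an elevated prompt.
$Service = 'Spooler'

# sc.exe sdshow prints a blank line followed by the SDDL string. Inside
# PowerShell "sc" is an alias for Set-Content, so call sc.exe explicitly.
$Current = (sc.exe sdshow $Service | Where-Object { $_ -match '^[A-Z]:' }) -join ''
if (-not $Current) { throw "Could not read the security descriptor of $Service" }

# SDDL audit ACE: AU = audit, SA FA = log success and failure. Service rights:
#   DC change config, RP start, WP stop, DT pause/continue, SD delete,
#   WD write DACL, WO write owner. Trustee WD = Everyone.
# Read-only rights (CC, LC, SW, LO, RC) are deliberately left out: auditing
# them produces an event every time anything merely queries the service.
$AuditAce = '(AU;SAFA;DCRPWPDTSDWDWO;;;WD)'

# The S: (SACL) section is always last in an SDDL string, so appending an ACE
# extends it. If the descriptor has no SACL yet, start one.
$New = if ($Current -match 'S:') { $Current + $AuditAce } else { $Current + 'S:' + $AuditAce }

# sdset replaces the whole descriptor, which is why the existing DACL is
# carried over unchanged rather than rebuilt.
sc.exe sdset $Service $New
if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset failed with exit code $LASTEXITCODE" }

# Verify that the SACL is now present.
sc.exe sdshow $Service
```

Once the policy is on, a `net stop`, `sc config` or `sc delete` against the service shows up as an object-open event (560 on Windows Server 2003, 4656 on later versions) whose Object Type is SERVICE OBJECT, with the account that performed the operation as the subject. Keep the audited rights narrow; a SACL that covers query rights on a busy service is the kind of "too many object access events" problem discussed elsewhere on this page.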
Auditing Flaw in Microsoft SQL Server 2000
https://support.microsoft.com/default.aspx?scid=kb;en-us;910741
Author: Eric Fitzgerald Date: 12/05/2005
Privilege Use- what do we audit, and when?
Odd thing today- I got two questions about the obscure "FullPrivilegeAuditing" registry setting- so...
Author: Eric Fitzgerald Date: 12/05/2005
How does Windows Audit meet Common Criteria compliance standards?
Actually most of our auditing work in Windows has historically been done in order to meet ITSec C2,...
Author: Eric Fitzgerald Date: 11/30/2005
What is up with Audit Collection Services?
A lot of you have been asking me to write about Audit Collection Services (ACS, which some of you...
Author: Eric Fitzgerald Date: 11/09/2005
Managed Code Developers: You no longer have an excuse!
One of my former teammates, Mark, designed and built a set of managed classes for generating audit...
Author: Eric Fitzgerald Date: 09/30/2005
Yay! A fix for EventQuery
Those of us "in the know" :-) use eventquery.vbs to export events to a delimited file, and then use...
Author: Eric Fitzgerald Date: 09/27/2005
Preventing Log Evasion in IIS
Evidently it's possible to craft an IIS request that will cause IIS not to log request detail. Here...
Author: Eric Fitzgerald Date: 09/20/2005
Multiple Events for Successful Account Creation
Here is the pattern you should expect to see when creating a local account. For domain accounts, you...
Author: Eric Fitzgerald Date: 08/29/2005
Multiple Events for Failed Account Creation
When you create a local user account on Windows, and you have enabled account management auditing,...
Author: Eric Fitzgerald Date: 08/29/2005
Logs and the Rules of Evidence
I quite frequently hear these questions: 1. My logs/log collection database aren't digitally signed,...
Author: Eric Fitzgerald Date: 08/25/2005
Delegating Access to the Security Log
I often get the question, how do I allow a group of auditors read access to my security logs without...
Author: Eric Fitzgerald Date: 08/24/2005
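This post and "Default ACLs on Windows Event Logs" above both concern the security descriptor the Event Log service applies to a log. On Windows Server 2003 that descriptor can be overridden per log with the `CustomSD` registry value, an SDDL string, which is the usual way to give an auditors' group read access without making them administrators. The script below is an added example for this page, not code from the original post. The group name is illustrative; the fallback descriptor used when no `CustomSD` exists is assumed to be the Server 2003 default for the Security log (SYSTEM full control, Administrators read and clear) and should be checked against your own build before relying on it. Run it elevated.

```powershell
# Added example, not code from the original post. Grants a group read access
# to the Security log on Windows Server 2003 by setting the CustomSD value,
# an SDDL string the Event Log service applies to that log.
$Group = 'CONTOSO\SecurityLogReaders'   # illustrative group name
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

# SDDL ACEs name trustees by SID (or a two-letter alias), so resolve the group.
$Account = New-Object System.Security.Principal.NTAccount($Group)
$Sid     = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Event log access mask bits: 0x1 read, 0x2 write, 0x4 clear.
# Start from the existing CustomSD if one is set; otherwise from the assumed
# Server 2003 default for the Security log (verify on your build).
$Existing = (Get-ItemProperty -Path $Key -Name CustomSD -ErrorAction SilentlyContinue).CustomSD
$Base = if ($Existing) { $Existing } else { 'O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)' }

# Read-only allow ACE for the group. CustomSD replaces the whole descriptor,
# so the existing ACEs are kept and the new one is appended to the DACL,
# which is the last section present in this string.
$ReadAce = "(A;;0x1;;;$Sid)"
if ($Base -like "*$Sid*") {
    Write-Host "$Group already appears in the descriptor: $Base"
} else {
    $New = $Base + $ReadAce
    Set-ItemProperty -Path $Key -Name CustomSD -Value $New -Type String
    Write-Host "CustomSD set to: $New"
}

# Show the value that will be applied.
(Get-ItemProperty -Path $Key -Name CustomSD).CustomSD
```

If the change does not take effect immediately, reboot; the Event Log service cannot be restarted on its own. Deliberately give the group only the read bit (0x1): adding 0x4 would let the auditors clear the very log they are supposed to review. On Windows Vista and later the registry value is replaced by the channel's own descriptor, which `wevtutil gl Security` prints as `channelAccess:` and `wevtutil sl Security /ca:<sddl>` sets; on those versions the simpler route is membership in the built-in Event Log Readers group.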
COMMENT MY BLOG, PLEASE!
If you have auditing questions (as opposed to general security questions), please feel free to...
Author: Eric Fitzgerald Date: 08/24/2005
Another culprit causes too many object access events.
I encountered this in the course of investigating another report of "too many object access events"....
Author: Eric Fitzgerald Date: 08/18/2005
A Voice of Sanity from SANS
I was reading SANS NewsBites, a weekly email newsletter describing significant news around...
Author: Eric Fitzgerald Date: 08/12/2005
Why don't I see the workstation name in logon events?
Top reasons: 1. In NTLM logons, it's subject to spoofing. There exist hacking tools which improperly...
Author: Eric Fitzgerald Date: 08/09/2005
Monitoring Active Directory Schema Changes
As a follow-on to my last post, I want to relate how to monitor for Active Directory schema changes....
Author: Eric Fitzgerald Date: 08/08/2005
Monitoring Group Policy Changes with Windows Auditing
I spent some time a while back analyzing logs, figuring out what you can do with group policy...
Author: Eric Fitzgerald Date: 08/04/2005
Deciphering Account Logon Events
One of the most common questions that I get about Windows Auditing is, how come you guys were so...
Author: Eric Fitzgerald Date: 08/04/2005
Keeping the noise down in your security log
[2011-04-11] This post was updated to indicate the interaction between these recommendations and the...
Author: Eric Fitzgerald Date: 01/11/2005
Auditing Changes in Windows Server 2003 SP1
DISCLAIMER: To the best of my knowledge the information here is correct. However the lawyers make me...
Author: Eric Fitzgerald Date: 12/20/2004
Events 528 and 540
Logon events. Event 528 and Event 540 are the Logon events. Event 528 is for all logons except...
Author: Eric Fitzgerald Date: 12/09/2004