Re: 'article was pretty light'; I agree.
There are always pipe-and-filter commands, though that assumes a legitimate attack can be boiled down to specific triggers.
I'm partial to the tactic of "lock down the servers, treat the LAN like the internet, and consider everything not under your exclusive control to be hostile". In short: ignore what you can't control, and control the hell out of everything else. Reasonable people can call me crazy or misinformed. Comments appreciated.

Member since: 2005-08-02
Funny, I see these all the time, and we do have time sync working perfectly; the end users never see a thing, they get in just fine. I also see this regularly from my authenticating Squid server (Linux). I haven't figured out the issue there (it uses NTLM authorization for executable downloads), but it works fine anyway.
On another note, the article was pretty light. I've been working with SEC to parse logs for auditing purposes and am forwarding Windows events to a syslog server for parsing. I was hoping to get insight as to how to pick up real login attempts vs. the regular chatter caused by things like SQL Enterprise Manager. But this was just a listing of some event IDs and their meaning; not much new stuff.
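One way to separate real logon failures from console chatter once the events are already on the syslog side, as an added example that is not the commenter's SEC ruleset: parse the forwarded lines, drop account/workstation pairs known to re-authenticate noisily (the SQL Enterprise Manager case above), and alert only when the remaining failures cluster in time. The one-line log layout, the host and account names, and the chatter allowlist are all constructed for the example; the failure event IDs 529 and 4625 are the real Windows logon-failure IDs.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: Windows security events after forwarding to syslog.
# The one-line layout is an ASSUMED agent format; adjust EVENT_RE for yours.
SAMPLE_LOG = """\
Mar 10 09:00:01 dc01 Security: 529: Logon Failure - User Name: svc_sqlem Source Workstation: SQLMGMT01 Logon Type: 3
Mar 10 09:00:31 dc01 Security: 529: Logon Failure - User Name: svc_sqlem Source Workstation: SQLMGMT01 Logon Type: 3
Mar 10 09:01:05 dc01 Security: 529: Logon Failure - User Name: administrator Source Workstation: WS-LAB7 Logon Type: 10
Mar 10 09:01:07 dc01 Security: 529: Logon Failure - User Name: administrator Source Workstation: WS-LAB7 Logon Type: 10
Mar 10 09:01:09 dc01 Security: 529: Logon Failure - User Name: administrator Source Workstation: WS-LAB7 Logon Type: 10
Mar 10 09:02:00 dc01 Security: 528: Successful Logon - User Name: jsmith Source Workstation: WS-042 Logon Type: 2
"""
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) Security: (?P<id>\d+): "
    r"(?P<summary>[^-]+) - User Name: (?P<user>\S+) Source Workstation: "
    r"(?P<ws>\S+) Logon Type: (?P<ltype>\d+)")
# Logon-failure IDs: 529 (Windows 2000/2003) and 4625 (Vista and later).
FAILURE_IDS = {"529", "4625"}
# (account, workstation) pairs that re-authenticate noisily, e.g. the service
# account behind a SQL Enterprise Manager console (hypothetical names).
KNOWN_CHATTER = {("svc_sqlem", "SQLMGMT01")}
def parse_events(text):
    """Turn forwarded syslog lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["t"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events

def suspicious_failures(events, threshold=3, window_s=60):
    """{(user, ws): n}: n non-chatter failures inside some window_s-second span."""
    times = defaultdict(list)
    for ev in events:
        key = (ev["user"], ev["ws"])
        if ev["id"] in FAILURE_IDS and key not in KNOWN_CHATTER:
            times[key].append(ev["t"])
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j < len(ts) and (ts[j] - ts[i]).total_seconds() <= window_s:
                j += 1  # j - i = failures in [ts[i], ts[i] + window_s]
            if j - i >= threshold:
                alerts[key] = max(alerts.get(key, 0), j - i)
    return alerts
```

On the sample, the two service-account failures are suppressed by the allowlist and the successful logon is ignored, leaving only the three interactive failures from WS-LAB7 within four seconds.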