Farewell for now…

I have resigned from Microsoft and am moving to another company.  I hope my blog has been helpful to you all! Feel free to contact me at my hotmail address (eric_fitzgerald).  I’ll be up and blogging somewhere else soon. Best regards, Eric

Off Topic: Unicode Right-to-Left Override character used by malware

Here’s an interesting thing for you security types to be aware of.  Many of you probably are careful to screen attachment types to make sure that you don’t unintentionally execute code that might be malicious. Malware authors have discovered that by embedding a unicode control character in file names, they can cause the file name…

An interesting logging regulation that doesn’t apply to Windows event logs…

I was browsing around looking for logging regulations and stumbled across this.  It’s the United States’ federal regulation on EDRs – Event Data Recorders – installed in automobiles. EDRs are little log engines, like the “black box” flight data recorders on commercial airliners.  They are typically part of the airbag system on an automobile. They…

Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742

In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events that contain a user account control (UAC) flags value: 4720 (user account creation), 4738 (user account change), 4741 (computer account creation), and 4742 (computer account change). This value is a bitmask value, and it’s represented…

Auditing Changes to Audit Policy

Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into exactly what our behavior is for auditing audit policy and I wanted to share that with you. In Windows, we’ve always had auditing for changes to security policy.  Audit policy has always been one aspect of that policy. However, it’s not…

XPath to generate a list of NTLM authentications on Windows Vista or Later

Hi Everyone, Sas sent me an email complaining that I am not posting as often as I should; sorry about that.  I am working on a different project now but I am still in close touch with the auditing team and I’ll try to do better. Anyway, a question that I hear regularly is, “how…

Auditing system impact on performance

UPDATE 2010-06-06 (EricF) – Fixed Vista+ architecture image; link was broken on migration to new blog platform.

I get questions from time to time, such as my recent offline question from Steve, about what performance impact auditing has on the system as a whole. To answer this you need to understand a couple of things:…

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

I’ve written twice (here and here) about the relationship between the “old” security event IDs (5xx-6xx) in WS03 and earlier versions of Windows and the “new” security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03. The exceptions are the logon events.  The logon…

Minimizing Directory Service Audit Event Noise

I’ve written before on noise reduction in the Windows security event log.  I’ve also written to describe how object access auditing works.  But, I still get questions on how to reduce noise from object access events.  The other day I got that question, specific to Directory Service objects, on an internal discussion list so I thought I’d…

Tracking User Logon Activity Using Logon Events

I get the question fairly often: how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable.  It works in trivial cases (e.g. single machine where the…