Auditing Changes in Windows Server 2003 SP1

DISCLAIMER: To the best of my knowledge the information here is correct. However, the lawyers make me say that this information is provided “AS-IS” with no warranty, and confers no rights. In other words, if this stuff isn’t in SP1, you can’t sue us, because this isn’t a promise, ok? ----- We introduced…


Events 528 and 540

Logon events. Event 528 and Event 540 are the Logon events. Event 528 is for all logons except “network” logons. “Network” logons are SMB/Microsoft-DS logons (i.e. connecting to a share). RDP, IIS, FTP logons, etc., are event 528 even though credentials may have come from over the network. All event 540s are logon type 3….


Kickoff post: Windows auditing

This blog is dedicated to those folks who’ve Googled for Windows security event information and found newsgroup posts that I’ve made in the past. I feel your pain. “Windows Auditing” is what we call the security logging feature of the Windows OS. In information security jargon, “audit” is an overloaded term. It is most commonly…