Minimizing Directory Service Audit Event Noise

I’ve written before on noise reduction in the Windows security event log.  I’ve also written to describe how object access auditing works.  But, I still get questions on how to reduce noise from object access events.  The other day I got that question, specific to Directory Service objects, on an internal discussion list so I thought I’d…


Tracking User Logon Activity Using Logon Events

I get the question fairly often: how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written previously, this method of user activity tracking is unreliable. It works in trivial cases (e.g. a single machine where the…


ACS Event Retention Mechanism

I get a lot of questions about how ACS event retention works. So here you go, I’m blogging it so I can just answer with a link 🙂 There are two DWORD registry values which affect backlog transmission. Both are on the collector machine under HKLM\System\CurrentControlSet\Services\AdtServer\Parameters. EventRetentionPeriod, if present, is expressed in hours (I forget…


ACS’ first bug from being too performant

We got several reports recently of a bug in ACS that certain DS Access events, primarily for dnsNode and dnsZone objects, don’t properly get looked up. Some background: the event log in Windows prefers to log invariants such as message IDs, parameter message IDs, SIDs (security IDs which represent users and groups, etc.), and GUIDs (globally…


If you’re gonna herd bots, do it from New Zealand!

A judge in New Zealand declined to convict the admitted (guilty plea) botherder of a million-bot botnet, citing the negative consequences a conviction would have on the young man’s future prospects.  See the story here. Well duh.  The whole theory of crime and punishment is that if you do something bad, you get punished, and…


WEvtUtil Scripting

If you haven’t used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you’re missing out.  The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn’t suffer from any of the drawbacks around getting field delimiting correct. The tool’s command to query…


Ned on Auditing

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe).  Well, Ned has a blog and I thought I’d point you guys there.  His recent…


Windows Server 2008 Security Events Posted

Fadi, Ned and Brian of the auditing team have documented all the auditing events by audit policy category and subcategory for your reference. Check it out in the Knowledge Base. Even better, they documented all the events in spreadsheet format, and that’s propagating to the Microsoft Download Center. I’ll publish the link when it’s online…


Shameless Self-Promotion

There’s one topic that I know is on everyone’s mind (no, not American Idol): it’s “What’s new in Auditing in Windows Server 2008?” Well, funny that you brought that up. My friend Jesper Johanssen just wrote a new book, the Windows Server 2008 Security Resource Kit, and he invited me to write a chapter about…


ACS Event Transformation Demystified

I’ve decided to start dumping my knowledge of ACS for posterity’s sake. My first installment is here, and it’s an excerpt from an external email I put together which describes how event transformation works on ACS. Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector. …