Whetting your appetite for Windows Vista

Here’s a cut & paste from one of my Vista machines.  This is one of our new events.  I’m including the human-formatted view which you’ll see in Event Viewer, and the XML view that apps will see (you can see this in the Viewer, too, if you’re into that). Look closely: I’ll bet you’ll be…

What the heck are "Primary User" and "Client User"?

Windows has a feature called “impersonation”, by which a process running as one user account can assume, on a single thread, the identity of another logged-on user account, for purposes of performing some action on behalf of the second account.  This makes sure that we get access control right.   For instance, the Server service,…

EU Passes New Log Retention Rule for Telcos

The BBC reports that the European Parliament has approved rules, as an anti-terror measure, to require telephone companies to retain call and internet records for two years. I do not know if Windows-powered telephony switches exist, but even if they do they probably don’t log the desired information to the Windows audit log. Here’s what…

Setting SACLs on Services

Have you ever wanted a record of admin activity regarding service management?  For example, who stopped one of your services? Did you know that you can do this through auditing? It’s actually really easy.  The “Security Templates” MMC snap-in allows you to author security templates which will set security descriptors (permissions and auditing) on service…
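As an added example (mine, not code from the post above, which uses the Security Templates snap-in), the same result from a command line: append a success-audit ACE to a service's SACL with sc.exe. It assumes an elevated prompt (writing a SACL needs SeSecurityPrivilege) and that the Object Access audit policy is enabled for Success (on Vista, the "Other Object Access Events" subcategory); with the ACE in place but the policy off, nothing is logged. The service name is a parameter; the rights letters are the standard SDDL abbreviations for the service access bits.

```powershell
# Added example, not from the original post: audit who stops, pauses or
# reconfigures a service by appending a success-audit ACE to its SACL.
# Assumes: elevated prompt (SeSecurityPrivilege) and Object Access auditing
# enabled for Success, otherwise the ACE is set but no event is generated.
param(
    [Parameter(Mandatory = $true)][string]$ServiceName
)

# SDDL rights letters map onto the service access bits:
#   DC = SERVICE_CHANGE_CONFIG, WP = SERVICE_STOP, DT = SERVICE_PAUSE_CONTINUE
# AU = audit ACE, SA = audit on success, WD = Everyone (the SID of whoever
# actually opened the handle is what ends up in the event).
$auditAce = '(AU;SA;DCWPDT;;;WD)'

# 'sc sdset' replaces the whole descriptor, so read the current one and append
# to it; writing just the SACL part would throw away the DACL.
$out  = & sc.exe sdshow $ServiceName
if ($LASTEXITCODE -ne 0) { throw "sc sdshow failed for '$ServiceName': $($out -join ' ')" }
$sddl = ($out | Where-Object { $_ -match '^D:' } | Select-Object -First 1).Trim()

if ($sddl -like "*$auditAce*") {
    Write-Host "'$ServiceName' already audits successful stop/pause/reconfigure."
    return
}

# sc prints the descriptor in canonical order (O:G:D:S:), so the SACL is last
# and appending an ACE to the string appends it to the SACL. No colon ever
# appears inside an ACE, so 'S:' reliably tells us whether a SACL exists yet.
$newSddl = if ($sddl -match 'S:') { $sddl + $auditAce } else { $sddl + 'S:' + $auditAce }

& sc.exe sdset $ServiceName $newSddl
if ($LASTEXITCODE -ne 0) { throw "sc sdset failed for '$ServiceName' (exit code $LASTEXITCODE)" }

# Read it back so you can see the new ACE at the end of the SACL.
& sc.exe sdshow $ServiceName
```

Afterwards, stop the service and look in the Security log for the handle-open event (560 on Windows Server 2003, 4656 on Vista) whose object type is the service object and whose access mask includes SERVICE_STOP; the Subject/Primary User fields name the admin who did it. Back the original descriptor up (the first `sc sdshow` output) before experimenting on a production box.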

Privilege Use- what do we audit, and when?

Odd thing today: I got two questions about the obscure “FullPrivilegeAuditing” registry setting, so I thought I’d post my answer.  Some of this is not new, I posted on the Windows Server 2003 SP1 changes to auditing a while back. Event IDs 577 and 578 are governed by the Privilege Use audit category.  All privileges…

How does Windows Audit meet Common Criteria compliance standards?

Actually most of our auditing work in Windows has historically been done in order to meet TCSEC C2, and later Common Criteria EAL4 requirements. I just stumbled on this document, which describes the requirements and what we audit to meet the requirements. Of course, starting in Windows Server 2003, I added the additional goal to…

What is up with Audit Collection Services?

A lot of you have been asking me to write about Audit Collection Services (ACS, which some of you might know as MACS). For those of you unfamiliar with ACS, it’s a client-server application to collect, normalize and store large volumes of security event log data from large numbers of machines, and to make the…

Managed Code Developers: You no longer have an excuse!

One of my former teammates, Mark, designed and built a set of managed classes for generating audit from .NET applications (for example, consider a web service).  His work is published in the latest issue of MSDN magazine. A lot of people aren’t aware of this, but in Windows Server 2003 we added an API set…

Yay! A fix for EventQuery

Those of us “in the know” 🙂 use eventquery.vbs to export events to a delimited file, and then use Excel to analyze the log: autofiltering rocks.  Unfortunately if you have a large log, this doesn’t work! Well, I finally used MSN Search to see if there was a KB article on this, and I found…
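As an added example (mine, not from the post above): a PowerShell stand-in for eventquery.vbs that reads the Security log and writes a CSV whose columns are the event's own EventData fields (SubjectUserName, TargetUserName and so on), which is exactly what Excel autofilter wants. Get-WinEvent pulls events from the log one at a time, so the size of the log is not the problem it is for eventquery.vbs; only the filtered rows are held in memory. It assumes Vista or later and PowerShell 3 or later; the event IDs and time window are parameters with assumed example defaults.

```powershell
# Added example, not from the original post: export Security events to CSV with
# one column per EventData field, for Excel autofiltering.
# Assumes Vista+ (XML event format) and PowerShell 3+ ([pscustomobject], -notin).
param(
    [int[]]$EventId  = @(4624, 4625),                 # assumed example: logon success/failure
    [datetime]$Since = (Get-Date).AddDays(-1),        # keep the window small: rows stay in memory
    [string]$OutFile = (Join-Path $env:TEMP 'security-events.csv')
)

$fixed = @('TimeCreated', 'Id', 'Computer')

# Get-WinEvent streams from the log; the filter is applied by the event log
# service, so we never load the whole log into the script.
$rows = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $row = [ordered]@{ TimeCreated = $_.TimeCreated; Id = $_.Id; Computer = $_.MachineName }
        # Flatten <EventData><Data Name="X">value</Data> into one column per Name.
        # GetAttribute avoids the ambiguity between the Name attribute and the
        # XmlElement.Name property; Data elements without a Name are skipped.
        foreach ($d in @($xml.Event.EventData.Data)) {
            if ($d -is [System.Xml.XmlElement] -and $d.HasAttribute('Name')) {
                $row[$d.GetAttribute('Name')] = $d.'#text'
            }
        }
        [pscustomobject]$row
    }
)

if ($rows.Count -eq 0) {
    # Either nothing matched or the log could not be read: the Security log
    # needs an elevated prompt or membership in Event Log Readers.
    Write-Warning "No events matched (or the Security log was not readable)."
    return
}

# Export-Csv takes its header from the first object only, so events with
# different field sets would silently lose columns. Build the union first.
$dynamic = $rows |
    ForEach-Object { $_.PSObject.Properties.Name } |
    Where-Object { $_ -notin $fixed } |
    Select-Object -Unique

$rows | Select-Object ($fixed + $dynamic) |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host "Wrote $($rows.Count) events to $OutFile"
```

Open the CSV in Excel, select the header row and turn on AutoFilter; because every EventData field is its own column, you can filter on TargetUserName or IpAddress directly rather than searching inside the description text.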
