Decoding UAC Flags Values in events 4720, 4738, 4741, and 4742

In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, there are four events that contain a user account control (UAC) flags value:

4720 – user account creation
4738 – user account change
4741 – computer account creation
4742 – computer account change

This value is a bitmask, and it’s represented…


Auditing Changes to Audit Policy

Mitsuru, one of our support engineers in Japan, actually did some excellent research recently into exactly what our behavior is for auditing audit policy and I wanted to share that with you. In Windows, we’ve always had auditing for changes to security policy.  Audit policy has always been one aspect of that policy. However, it’s not…


Minimizing Directory Service Audit Event Noise

I’ve written before on noise reduction in the Windows security event log.  I’ve also written to describe how object access auditing works.  But, I still get questions on how to reduce noise from object access events.  The other day I got that question, specific to Directory Service objects, on an internal discussion list so I thought I’d…


Tracking User Logon Activity Using Logon Events

I get the question fairly often, how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written about previously, this method of user activity tracking is unreliable.  It works in trivial cases (e.g. single machine where the…


WEvtUtil Scripting

If you haven’t used wevtutil.exe to script event log tasks in Windows Vista or Windows Server 2008, you’re missing out.  The new tool makes getting events out of the log pretty easy, but the main thing is that it doesn’t suffer from any of the drawbacks around getting field delimiting correct. The tool’s command to query…


Ned on Auditing

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East and we have a couple of guys in Europe).  Well, Ned has a blog and I thought I’d point you guys there.  His recent…


ACS Event Transformation Demystified

I’ve decided to start dumping my knowledge of ACS for posterity’s sake.  My first installment is here, and it’s an excerpt from an external email I put together which describes how event transformation works on ACS.   Transformation is performed on the agent (using instructions provided at connect time by the collector) and on the collector. …


Documentation on the Windows Vista and Windows Server 2008 Security Events

I’m hearing lots of complaints that we don’t have KB articles on these yet. Doriansoft has a blog post complaining that the “add 4096” rule doesn’t work because we collapsed the logon events into a single success event and a single failure event (from 2 success events [528, 540] and 10 failure events [529-537, 539]). Well, in Vista…


The Trouble With Logoff Events

A lot of you guys are probably using your SEM/SIEM systems to record logon and logoff activity without much of a second thought. I just thought I’d bring one problem to your attention: logoff events are not strictly reliable. In an engineering sense they are deterministic. However, like many audit events, if you don’t really…


Auditing the Creation of Domain Controllers

Special thanks to Raman in the Active Directory team for this one. Ever want to audit the creation of new domain controllers in your environment?  Yeah, me neither 🙂  However if you ever want to, here’s how. 1. The default SACL on Active Directory should suffice.  However, if you have changed the default SACL, here…
