Auditing Changes to Audit Policy

Mitsuru, one of our support engineers in Japan, recently did some excellent research into exactly how Windows audits changes to audit policy, and I wanted to share that with you. In Windows, we've always had auditing for changes to security policy. Audit policy has always been one aspect of that policy. However, it's not…

XPath to generate a list of NTLM authentications on Windows Vista or Later

Hi Everyone. Sas sent me an email complaining that I am not posting as often as I should; sorry about that. I am working on a different project now, but I am still in close touch with the auditing team and I'll try to do better. Anyway, a question that I hear regularly is, "how…

Auditing system impact on performance

UPDATE 2010-06-06 (EricF): Fixed the Vista+ architecture image; the link was broken on migration to the new blog platform.

I get questions from time to time, such as my recent offline question from Steve, about what performance impact auditing has on the system as a whole. To answer this you need to understand a couple of things:…

Mapping pre-Vista Security Event IDs to Security Event IDs in Vista+

I've written twice (here and here) about the relationship between the "old" security event IDs (5xx-6xx) in WS03 and earlier versions of Windows, and the "new" security event IDs (4xxx-5xxx) in Vista and beyond. In short, EventID(WS03) + 4096 = EventID(WS08) for almost all security events in WS03. The exceptions are the logon events. The logon…

Minimizing Directory Service Audit Event Noise

I've written before on noise reduction in the Windows security event log. I've also written to describe how object access auditing works. But I still get questions on how to reduce noise from object access events. The other day I got that question, specific to Directory Service objects, on an internal discussion list, so I thought I'd…

Tracking User Logon Activity Using Logon Events

I get the question fairly often: how to use the logon events in the audit log to track how long a user was using their computer and when they logged off. As I have written previously, this method of user activity tracking is unreliable. It works in trivial cases (e.g. a single machine where the…

Ned on Auditing

I often talk about Ned, who is the current subject matter expert in Microsoft product support for the auditing feature in the US (Fadi is your guy in the Middle East, and we have a couple of guys in Europe). Well, Ned has a blog and I thought I'd point you guys there. His recent…

You learn something new every day: Logon Type 0

Today I encountered something new in the logon event. I thought that was old hat and that I knew all there was to know about it, but I guess I was wrong. The logon event (528/540 prior to Windows Vista, 4624 in Vista and Windows Server 2008) has a field called Logon Type. This is…

Why does Windows XP generate so many logon failure events?

I got the question last week: why are there so many logon failure events on Windows XP when it is not domain joined? The short answer is: by design. (Yes, bad design.) The longer answer is that the shell team is working around the fact that there is no "tell me if this user account…

List of Windows Server 2003 Events

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published "Security Event Descriptions". This article was the "schema", so to speak, for the Windows NT 4.0 security event log events. Technically, Windows events are not schematized until Windows Vista; or, put another way, the schema is implicit based…
