Archived from groups: microsoft.public.win2000.security
It is available at the link below. --- Steve
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
"Chandrasekharran" <Chandrasekharran@discussions.microsoft.com> wrote in
message news:E56D829E-7AA7-46C6-B0A8-BCF719ACD6E9@microsoft.com...
> From where I can obtain or download the Event Comb mentioned by Steven?
>
> "Steven L Umbach" wrote:
>
>> Microsoft has the free Event Comb which can help in scanning multiple
>> computer security logs for specific information. There are third party
>> tools such as those from Languard that can help manage security logs also.
>>
>> http://www.gfi.com/lanselm/
>>
>> However you will find that you need to do some detective work yourself
>> and evaluate your security practices. There is no "magic" tool that can
>> analyze your security logs and tell you exactly what happened. Since you
>> have been hacked twice already I would make sure that you have changed
>> all administrator passwords, checked the membership of the administrator
>> groups, enforce password complexity, enable an account lockout policy
>> [at least for now] that can be used as a primitive intrusion detection,
>> check that your computers are current with critical updates, check your
>> firewall configuration, and so on. Depending on how you have responded
>> to these hacks you may still be vulnerable due to misconfiguration or an
>> existing backdoor from the other attacks. Technet Security is a good
>> place to start to learn how to secure your computers/network. The
>> Microsoft Baseline Security Analyzer should be run on your computers to
>> check for basic vulnerabilities.
>>
>>
>> http://www.microsoft.com/technet/security/default.mspx
>>
>> Things to look for in the security logs are failed logons or logons from
>> accounts at times that don't make sense - particularly administrator
>> account and strange name computer accounts accessing your network. Your
>> firewall logs might be helpful if you can correlate events by time of the
>> attack and monitor for port/protocols that should not be making it into
>> the network showing a problem with firewall configuration. I also highly
>> recommend that you download and read the free from Microsoft - Antivirus
>> in Depth guide. It has some excellent tips on how to try and track down
>> exactly what happened using common tools to examine processes, port use,
>> services, files created by date, etc.
>>
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en
>>
>> http://tinyurl.com/6xajr -- same link shorter.
>>
>> Account logon events are generated on the computer that authenticated a
>> user for interactive logon. For a domain user that would be the domain
>> controller that authenticated the user. For workstation computers it
>> would be the computer itself. Logon events are recorded in the security
>> log of a computer where a user has used his credentials to access the
>> computer such as a local logon or network share [type 3 logon]. The link
>> below will explain this much more and give you a better understanding of
>> the auditing process. --- Steve
>>
>>
>> http://www.microsoft.com/technet/security/guidance/secmod144.mspx
>>
>> "Nick" <andync55@hotmail.com> wrote in message
>> news:%23jI9H5r3EHA.2316@TK2MSFTNGP15.phx.gbl...
>> > Hi
>> >
>> > We have been having trouble with being hacked into twice now and I'm
>> > after some software that can analyze security event logs. I am auditing
>> >
>> > account log on event
>> > logon events
>> > policy change
>> >
>> > The logs are so long and you have to go into each log to view who it
>> > was that logged on etc. I'm looking for some software that can analyze
>> > it and display it in an easy to view format.
>> >
>> >
>> > Also one other query I have is what's the difference between account
>> > logon and logon event.
>> >
>> > Thanks
>> >
>>
>>
>>
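Added example, not part of the original thread: a small triage script for the two things the reply says to look for in security logs, repeated failed logons and administrator logons at times that don't make sense. The event IDs are the Windows 2000/2003 numbering (the thread names none), and the CSV layout, the sample rows, the 07:00-19:00 working hours and the threshold of three failures are assumptions made for the illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Windows 2000/2003 security event IDs (not given in the thread).
# Account logon events (672, 680 success; 675, 681 failure) are written by the
# machine that authenticated the account; logon events (528 interactive,
# 540 network, 529 bad user name or password) by the machine that was accessed.
LOGON_OK = {"528", "540"}
FAILED = {"529", "675", "681"}

# Constructed sample rows: time, computer, event ID, user, logon type, source.
SAMPLE = """\
2004-12-10 09:14:02,DC1,680,jsmith,,WS12
2004-12-10 09:14:03,FILE1,540,jsmith,3,WS12
2004-12-11 02:41:10,FILE1,529,Administrator,3,UNKNOWN-PC
2004-12-11 02:41:12,FILE1,529,Administrator,3,UNKNOWN-PC
2004-12-11 02:41:15,FILE1,529,Administrator,3,UNKNOWN-PC
2004-12-11 02:43:30,FILE1,540,Administrator,3,UNKNOWN-PC
2004-12-13 10:05:00,WS12,528,Administrator,2,WS12
"""

def triage(text, admins=("administrator",), work_hours=range(7, 19),
           fail_threshold=3):
    """Return (repeated failures per (user, source), off-hours admin logons)."""
    failures = Counter()
    odd_hours = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 6:          # skip blank or malformed lines
            continue
        ts, computer, eid, user, ltype, source = row
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if eid in FAILED:
            failures[(user.lower(), source)] += 1
        elif (eid in LOGON_OK and user.lower() in admins
              and when.hour not in work_hours):
            odd_hours.append((ts, computer, user, ltype, source))
    repeated = {k: n for k, n in failures.items() if n >= fail_threshold}
    return repeated, odd_hours

if __name__ == "__main__":
    repeated, odd_hours = triage(SAMPLE)
    for (user, source), n in repeated.items():
        print(f"{n} failed logons for {user} from {source}")
    for hit in odd_hours:
        print("off-hours administrator logon:", hit)
```

On the sample, the three failures followed by a successful type 3 logon from the same unfamiliar source two minutes later is the pattern worth correlating with firewall logs by time.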