I'm looking for software to analyze event log

nick

Dec 31, 2007
Archived from groups: microsoft.public.win2000.security

Hi

We have been having trouble with being hacked into twice now and I'm after
some software that can analyze security event logs. I am auditing

account log on event
logon events
policy change

The logs are so long and you have to go into each log to view who it was
that logged on etc. I'm looking for some software that can analyze it and
display it in an easy-to-view format.


Also, one other query I have is: what's the difference between account logon and
logon event?

Thanks
 
Guest

Microsoft has the free Event Comb which can help in scanning multiple
computer security logs for specific information. There are third party tools
such as those from Languard that can help manage security logs also.

http://www.gfi.com/lanselm/

However you will find that you need to do some detective work yourself and
evaluate your security practices. There is no "magic" tool that can
analyze your security logs and tell you exactly what happened. Since you
have been hacked twice already I would make sure that you have changed all
administrator passwords, checked the membership of the administrator groups,
enforce password complexity, enable an account lockout policy [at least for
now] that can be used as a primitive intrusion detection, check that your
computers are current with critical updates, check your firewall
configuration, and so on. Depending on how you have responded to these hacks
you may still be vulnerable due to misconfiguration or an existing backdoor
from the other attacks. Technet Security is a good place to start to learn
how to secure your computers/network. The Microsoft Baseline Security
Analyzer should be run on your computers to check for basic vulnerabilities.

http://www.microsoft.com/technet/security/default.mspx


Things to look for in the security logs are failed logons or logons from
accounts at times that don't make sense - particularly the administrator account
and strangely named computer accounts accessing your network. Your firewall
logs might be helpful if you can correlate events by time of the attack and
monitor for ports/protocols that should not be making it into the network,
showing a problem with firewall configuration. I also highly recommend that
you download and read the free Antivirus in Depth guide from Microsoft. It
has some excellent tips on how to try and track down exactly what happened
using common tools to examine processes, port use, services, files created
by date, etc.

http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en
http://tinyurl.com/6xajr -- same link shorter.

Account logon events are generated on the computer that authenticated a user
for interactive logon. For a domain user that would be the domain controller
that authenticated the user. For workstation computers it would be the
computer itself. Logon events are recorded in the security log of a computer
where a user has used his credentials to access the computer such as a local
logon or network share [type 3 logon]. The link below will explain this much
more and give you a better understanding of the auditing process. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

"Nick" <andync55@hotmail.com> wrote in message
news:%23jI9H5r3EHA.2316@TK2MSFTNGP15.phx.gbl...
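As an added example (not part of the thread, and not Microsoft's Event Comb or any other tool named above), here is a small Python script that applies the checks Steve describes to a CSV export of the Security log. It separates account logon events (written by the computer that authenticated the user, i.e. the domain controller for domain accounts) from logon events (written by the computer being accessed), pulls the logon type out of the description, and flags failed logons, Administrator logons outside business hours, and machine accounts that are not in your inventory. The CSV rows, host names, business-hours window, inventory list and failure threshold are all constructed assumptions; the event IDs are the Windows 2000/2003 ones (528/540/529 for logon events, 672/675/680 for account logon events), which Vista and later replaced with 4xxx numbers.

```python
"""Triage a CSV export of a Windows 2000/2003 Security log.

Added example; not code from the thread or from Event Comb. It reads the
columns Event Viewer writes with "Save As" CSV (Date, Time, Source, Type,
Category, Event, User, Computer, Description). All sample data, host names
and thresholds below are constructed assumptions.
"""
import csv
import io
import re
from collections import Counter
from datetime import datetime, time

# Pre-Vista security event IDs, split the way the thread describes them:
# account logon events come from the authenticating machine (the DC for
# domain accounts); logon events come from the machine being accessed.
ACCOUNT_LOGON_IDS = {672: "Kerberos TGT granted", 675: "Kerberos pre-auth failed",
                     680: "NTLM account logon"}
LOGON_IDS = {528: "successful logon", 529: "logon failure (bad name/password)",
             540: "successful network logon", 538: "logoff"}
FAILURE_IDS = {529, 675}
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service"}

BUSINESS_HOURS = (time(7, 0), time(19, 0))           # assumption: site hours
KNOWN_COMPUTERS = {"DC1", "FILESRV", "WS01", "WS02"}  # assumption: inventory
FAILURE_THRESHOLD = 2                                 # assumption: tune to lockout policy

# Constructed CSV export in the Event Viewer "Save As" CSV layout.
SAMPLE_CSV = """\
Date,Time,Source,Type,Category,Event,User,Computer,Description
12/31/2007,09:12:01,Security,Success Audit,Logon/Logoff,528,DOMAIN\\nick,WS01,"Successful Logon: User Name: nick Domain: DOMAIN Logon Type: 2"
12/31/2007,23:41:17,Security,Success Audit,Logon/Logoff,540,DOMAIN\\Administrator,FILESRV,"Successful Network Logon: User Name: Administrator Logon Type: 3 Workstation Name: UNKNOWNPC"
12/31/2007,23:41:20,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\Administrator,FILESRV,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Logon Type: 3"
12/31/2007,23:41:21,Security,Failure Audit,Logon/Logoff,529,DOMAIN\\Administrator,FILESRV,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Logon Type: 3"
12/31/2007,23:42:05,Security,Success Audit,Account Logon,672,DOMAIN\\ROGUEPC$,DC1,"Authentication Ticket Granted: User Name: ROGUEPC$ Client Address: 10.0.0.77"
12/31/2007,10:05:44,Security,Success Audit,Account Logon,672,DOMAIN\\WS02$,DC1,"Authentication Ticket Granted: User Name: WS02$ Client Address: 10.0.0.12"
"""

LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


def parse_events(csv_text):
    """Yield one dict per row with typed fields; Description is kept raw."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["Event"])
        m = LOGON_TYPE_RE.search(row["Description"])
        yield {
            "when": datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S"),
            "event_id": event_id,
            "outcome": row["Type"],                    # "Success Audit" / "Failure Audit"
            "user": row["User"].split("\\")[-1],       # drop the DOMAIN\ prefix
            "computer": row["Computer"],               # machine that wrote the event
            "logon_type": int(m.group(1)) if m else None,
            "category": ("account logon" if event_id in ACCOUNT_LOGON_IDS
                         else "logon" if event_id in LOGON_IDS else "other"),
        }


def summarize(events):
    """Count events by (category, outcome) so the log can be read at a glance."""
    return Counter((ev["category"], ev["outcome"]) for ev in events)


def triage(events):
    """Apply the three checks from the thread; return (reason, event) findings."""
    findings = []
    failures = Counter()
    for ev in events:
        after_hours = not (BUSINESS_HOURS[0] <= ev["when"].time() <= BUSINESS_HOURS[1])
        if ev["event_id"] in FAILURE_IDS:
            failures[(ev["user"], ev["computer"])] += 1
        if ev["event_id"] in (528, 540) and ev["user"].lower() == "administrator" and after_hours:
            findings.append(("administrator logon outside business hours", ev))
        if ev["user"].endswith("$") and ev["user"][:-1] not in KNOWN_COMPUTERS:
            findings.append(("machine account not in inventory", ev))
    for (user, computer), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append((f"{n} failed logons for {user} on {computer}", None))
    return findings


if __name__ == "__main__":
    events = list(parse_events(SAMPLE_CSV))
    for (category, outcome), n in sorted(summarize(events).items()):
        print(f"{n:3d}  {category:<14} {outcome}")
    for reason, ev in triage(events):
        where = f" [{ev['when']:%Y-%m-%d %H:%M} {ev['user']}@{ev['computer']}]" if ev else ""
        print("FINDING:", reason + where)
```

Exporting each computer's Security log to CSV and running this over all of them gives the "easy to view" summary the first post asks for, and the `category` field makes the account logon / logon event distinction visible per row: on a domain, the 672/675/680 rows will come from the domain controller and the 528/540/529 rows from whichever member server or workstation was actually accessed.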
 
Guest

From where can I obtain or download the Event Comb mentioned by Steven?

"Steven L Umbach" wrote:

 
Guest

It is available at the link below. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

"Chandrasekharran" <Chandrasekharran@discussions.microsoft.com> wrote in
message news:E56D829E-7AA7-46C6-B0A8-BCF719ACD6E9@microsoft.com...