Archived from groups: microsoft.public.win2000.security
No problem. I hope it works well now. --- Steve
"Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
message news:245C9923-ED67-4368-8568-588DC74E12CA@microsoft.com...
> Steve
>
> Thanks again for all your help.
>
> Regards Mark
>
> "Steven L Umbach" wrote:
>
>> What you show below looks good in my opinion. It's just that auditing of
>> object access in particular can generate a huge amount of events, especially
>> if you are trying to audit a lot of folders for all permissions. I see you
>> have both account logon and logon events enabled for success and failure. If
>> this is a domain controller, auditing of account logons would be most
>> pertinent to track domain activity. However, it is not a bad idea to also
>> audit for logon events for at least failure on domain controllers. Effective
>> settings in Local Security Policy is what the actual applied policy is to a
>> computer. For domain computers, local and effective policy may be different,
>> indicating that there is a domain/OU/domain controller container policy
>> overriding Local Security Policy. You will see that a lot on domain
>> controllers in particular, as Domain Controller Security Policy will override
>> Local Security Policy for domain controllers [assuming they are in the
>> default domain controller container] and is where you want to configure
>> security policy for domain controllers. If you have too many events recorded
>> in the security log it makes it difficult to find anything meaningful. More
>> information is not always desirable. --- Steve
>>
>>
>> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
>> message news:9931E4F5-8B7C-4C74-9BC4-618715D32B6B@microsoft.com...
>> > Hi Steve
>> >
>> > I have increased the log to 10MB and cleared the log. Object access was set
>> > up for logging success and failure; I have switched this off. Generally all
>> > of the items in the log referenced logon/logoff success, mostly to anonymous
>> > connections. Is it best that I switch off success logging?
>> >
>> > I have the following items logging success/failure:
>> > account logon events
>> > account management
>> > logon events
>> > policy change
>> > system events
>> >
>> > Should I prune this down? Can you please let me know what the "Effective
>> > Settings" relates to. I do not know how these settings can be modified.
>> >
>> > Thanks again Steve
>> >
>> > Regards Mark
>> >
>> > "Steven L Umbach" wrote:
>> >
>> >> Geez. I would clear it again to see what happens. Hard to believe it would
>> >> fill up that fast. You could check the size of the security .evt file to
>> >> see how large it is. I don't know how large you made it but you may want to
>> >> increase it to 10MB or more and configure to overwrite events as needed.
>> >> However, if you are auditing object access and/or process tracking for
>> >> success the logs can fill up very quickly. Generally you should not be
>> >> auditing those categories unless you have a specific reason, such as
>> >> enabling auditing of object access because you are auditing folders for
>> >> access, which would show a lot of Event IDs 560 and 562. --- Steve
>> >>
>> >>
>> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
>> >> message news:AB433051-A44A-4799-AAA3-E2D6A5C4476C@microsoft.com...
>> >> > Steve
>> >> >
>> >> > Guess what? The Event log has stopped logging again!! The log spanned
>> >> > yesterday (16 Feb 05) 9:00 to 16:08. Any ideas?
>> >> >
>> >> > Regards Mark
>> >> >
>> >> > "Steven L Umbach" wrote:
>> >> >
>> >> >> OK. I think if you increase the size of the log and set it to overwrite
>> >> >> as needed you will probably see the problem go away. --- Steve
>> >> >>
>> >> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote in
>> >> >> message news:06F01BBE-3416-4059-A38E-C67EABBB0FF5@microsoft.com...
>> >> >> > Thanks for your reply Steve. I believe that I have auditing set up to
>> >> >> > overwrite the logs after 7 days. I do not actually remember setting
>> >> >> > this up so it may be the default setting. I will have a look and try
>> >> >> > what you have suggested. I will have a look for those tools mentioned.
>> >> >> >
>> >> >> > cheers
>> >> >> >
>> >> >> > Regards Mark
>> >> >> >
>> >> >> > "Steven L Umbach" wrote:
>> >> >> >
>> >> >> >> As far as the security log, try clearing it and then make the log
>> >> >> >> quite a bit larger than default - say to 5MB for your situation in
>> >> >> >> the properties of the security log. Note while in properties the
>> >> >> >> different behaviors for how the log works when it becomes full, which
>> >> >> >> could explain the results you are seeing if it was indeed full. I
>> >> >> >> usually set it to overwrite events as needed after increasing the
>> >> >> >> size of the log.
>> >> >> >>
>> >> >> >> Anonymous logons are normal for computers that use Windows
>> >> >> >> networking, particularly for file and print sharing and using Network
>> >> >> >> Neighborhood. In a workgroup environment these anonymous logons can
>> >> >> >> be fairly numerous. I would be more concerned about a lot of failed
>> >> >> >> logon or failed account logon events, particularly in rapid
>> >> >> >> succession for the administrator account or for unexplained logons
>> >> >> >> for the administrator's account. Be sure to use a firewall if you are
>> >> >> >> connected to the internet.
>> >> >> >>
>> >> >> >> You can find out more about processes by using a free tool from
>> >> >> >> SysInternals called Process Explorer. When you see svchost or lsass,
>> >> >> >> check the properties of the process and view the services tab for
>> >> >> >> associated services. Tlist -s for Windows 2000 or tasklist /svc for
>> >> >> >> XP Pro/Windows 2003 can also be used to enumerate services associated
>> >> >> >> with a process. Tlist may not be installed by default in Windows 2000
>> >> >> >> and could be a support tool or Resource Kit tool. SysInternals also
>> >> >> >> has other helpful tools such as TCPView to see port to process
>> >> >> >> mapping and Autoruns to see startup applications. The link below
>> >> >> >> should also be helpful on small office security. --- Steve
>> >> >> >>
>> >> >> >> http://www.microsoft.com/smallbusiness/gtm/securityguidance/checklist/default.mspx
>> >> >> >>
>> >> >> >> "Mark Stonestreet" <MarkStonestreet@discussions.microsoft.com> wrote
>> >> >> >> in message news:AADAA024-2C53-4632-8650-BB9BC5DA6900@microsoft.com...
>> >> >> >> > For the last couple of days I have noticed something strange about
>> >> >> >> > my security log for a w2k workgroup workstation. Yesterday (10 Feb)
>> >> >> >> > my security logs only had entries up to 7 Feb. I have since looked
>> >> >> >> > today and I only have entries up to 10:29 am. It is now 3:02 pm. I
>> >> >> >> > have connected to other PCs and there are PCs connected to this one
>> >> >> >> > but they do not appear logged as logon/logoff events. The other PCs
>> >> >> >> > have logged events to this PC. Auditing of security events is
>> >> >> >> > enabled. All of the PCs have up to date virus protection.
>> >> >> >> >
>> >> >> >> > I cannot find any odd processes working. There are four instances
>> >> >> >> > of svchost.exe, 1 of lsass.exe, 1 of services.exe etc. Some viruses
>> >> >> >> > sometimes masquerade under these names but how anybody would know
>> >> >> >> > when is a mystery to me. There are lots of instances of anonymous
>> >> >> >> > connections in the security log. How do I go about finding out what
>> >> >> >> > they are all about? I have IPtools and have had it running over
>> >> >> >> > night logging connections but the only connection appears to be to
>> >> >> >> > Windows Update.
>> >> >> >> >
>> >> >> >> > Am I just being paranoid? This is not my day job. I am just the guy
>> >> >> >> > who has to keep the works computers running as an addition to my
>> >> >> >> > day job. There is no budget. Any advice would be greatly
>> >> >> >> > appreciated, even if it is to tell me to get an expert in. At least
>> >> >> >> > I can then approach my bosses on this.
>> >> >> >> >
>> >> >> >> > Cheers
>> >> >> >> >
>> >> >> >> > Mark
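As an added example, not part of the thread or either poster's own code: a small Python triage script for a Security log saved from Event Viewer as CSV, which checks the three things Steve points at above: which audit category (e.g. Object Access, Event IDs 560/562) is filling the log, how much of the logon traffic is the normal anonymous noise, and whether any account shows failed logons in rapid succession. The column order, the dd/mm/yyyy date format, the threshold of 5 failures in 60 seconds and the sample rows (using the pre-Vista IDs 540 for a network logon and 529 for a logon failure) are assumptions and constructed data.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of an Event Viewer CSV export (not real data); assumed columns: Date,Time,Source,Type,Category,Event,User,Computer
SAMPLE_EXPORT = """\
16/02/2005,09:00:12,Security,Success Audit,Logon/Logoff,540,NT AUTHORITY\\ANONYMOUS LOGON,WS01
16/02/2005,09:01:00,Security,Success Audit,Object Access,560,WS01\\mark,WS01
16/02/2005,09:01:00,Security,Success Audit,Object Access,562,WS01\\mark,WS01
16/02/2005,09:05:10,Security,Failure Audit,Logon/Logoff,529,WS01\\Administrator,WS01
16/02/2005,09:05:12,Security,Failure Audit,Logon/Logoff,529,WS01\\Administrator,WS01
16/02/2005,09:05:15,Security,Failure Audit,Logon/Logoff,529,WS01\\Administrator,WS01
16/02/2005,09:05:20,Security,Failure Audit,Logon/Logoff,529,WS01\\Administrator,WS01
16/02/2005,09:05:25,Security,Failure Audit,Logon/Logoff,529,WS01\\Administrator,WS01
"""
FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]
def parse_export(text):
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) == len(FIELDS):  # skip blank or malformed lines
            rec = dict(zip(FIELDS, row))  # dd/mm/yyyy assumed; adjust to the exporting PC's locale
            rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%d/%m/%Y %H:%M:%S")
            rows.append(rec)
    return sorted(rows, key=lambda r: r["when"])  # chronological, so bursts can scan in order

def volume_by_category(rows):
    # (Category, Type) -> count: shows which audit setting is filling the log
    return Counter((r["category"], r["type"]) for r in rows)

def anonymous_logons(rows):
    # expected noise on a workgroup PC that uses file/print sharing, as the thread says
    return sum(1 for r in rows if r["user"].upper().endswith("ANONYMOUS LOGON"))

def failure_bursts(rows, threshold=5, window=timedelta(seconds=60)):
    # accounts with >= threshold Failure Audit events inside any `window` (sliding window)
    by_user = defaultdict(list)
    for r in rows:
        if r["type"] == "Failure Audit":
            by_user[r["user"]].append(r["when"])
    flagged = {}
    for user, times in by_user.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
```

Run it against a real export by reading the file into `parse_export`; a large Object Access count is the "prune the audit policy" signal, while a non-empty `failure_bursts` result is the one worth investigating.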