Audit Account Logon vs Audit Logon/Logoff
Over the past several years I’ve been explaining the difference between these two audit policies. One is for logon/logoff events, the other (Account Logon) is for authentication events. In the past few months I have had several people ask me to put together a blog entry covering these 2 audit policies. But I’ve found it rather painful to put into a blog. Then a few weeks ago I found out that my employer (Prism Microsystems) was hosting a webinar with Randy F. Smith and I was going to also be presenting. Well, the webinar went smoothly today and so I have decided that instead of me doing a long, lengthy blog entry I would just post a link to the recorded webinar. Enjoy, and I hope you are able to gain more insight into these 2 Audit Policies.
More Info on Tracking Down File Deletes
Quite a while ago I wrote a blog entry on Tracking Down File Deletes; it continues to be one of my most read blogs. I came across another blog entry that does a good job of explaining the same thing. The author is Ned Pyle, and in his post he covers not only the Windows 2003 but also the Windows 2008 auditing, so I thought I would share it with you.
Recommended Windows 2008 Audit Policy
Randy F. Smith has a good resource for the Windows 2008 Audit Policy.
Data Leakage with USB Devices
If you think that your users would never steal any data from the company then take a look at these 3 articles. Each of these shows just how careless users can be with USB devices; 2 of these I’m sure were not done to harm anyone, but 1 of these definitely was.
Records loss may violate U.S. law
‘Total files’ of patients, many with HIV and AIDS, missing
“A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen, legal experts said Thursday.”
http://www.chron.com/disp/story.mpl/metropolitan/5931497.html
++++++++++++++++++++++++++
Report: Korean Execs Stole $1.8B in Trade Secrets
“Company leaders allegedly defected to rival company with 900 documents loaded onto USB drives”
http://www.darkreading.com/document.asp?doc_id=139010
+++++++++++++++++++++++++++
Nuclear Lab Breach Could Be ‘Devastating’
CBS News Exclusive: Data Found In Drug Raid Contains Weapons-Design Secrets
http://www.cbsnews.com/stories/2006/11/03/national/main2151021.shtml
Security lab may face $3.3m fine for data leak
“Classified files, computer storage devices found in trailer-park drug raid”
http://www.msnbc.msn.com/id/19752730/
++++++++++++++++++++++++++++
Added: 8/21/08
Yet another story about missing data via USB devices, this one from the UK.
Data on 130,000 criminals lost.
http://www.telegraph.co.uk/news/newstopics/politics/2601056/Data-on-130000-criminals-lost.html
++++++++++++++++++++++++++++
Added 8/21/08. Another case of someone trying to do harm.
At Countrywide, One Overlooked PC Led to Loss of 2M Records
http://www.darkreading.com/document.asp?doc_id=161548&f_src=drweekly
++++++++++++++++++++++++++++
As admins we need to be able to track down who is using USB storage devices and what they are doing. EventTracker not only gathers your Event Logs (Windows and Syslog) but can also track when USB storage devices are used and what users copy, modify or delete from them. (www.prismmicrosys.com)
Auditing Drive Mappings
Windows does not track drive mappings for auditing out of the box.
To audit drive mappings you will need to do the following steps:
1. Turn on Object Access Auditing via Group Policy on the system(s) in question
You will need to perform the following steps on each system on which you want to track the drive mappings.
2. Open the registry and drill down to HKEY_CURRENT_USER\Network
3. Right click on Network and choose Permissions (if you click on the plus sign you will see each of your mapped drives listed)
4. Click on the Advanced button
5. Click on the Auditing tab then click on the Add button
6. In the Select User or Group box type in Everyone
7. This will open the Auditing dialog box
8. Select the settings that you want to audit for; stay away from the Full Control option and Read Control. I recommend the following settings: Create Subkey, Create Link and Delete.
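The same SACL the eight steps above set through regedit can be applied from an elevated PowerShell prompt. This is an added example, not from the original post; it assumes Object Access auditing is already enabled (step 1), that the key path is HKCU:\Network for the user whose mappings you want tracked, and that the prompt holds the privilege needed to write audit entries.

```powershell
# Added example (not from the original post): audit HKEY_CURRENT_USER\Network
# for Everyone on Create Subkey, Create Link and Delete, as recommended above.
# On Vista/2008 and later the category from step 1 can also be switched on with:
#   auditpol /set /category:"Object Access" /success:enable /failure:enable
# (on XP/2003 use Group Policy as the post describes).
$keyPath = 'HKCU:\Network'

# "Everyone" by well-known SID so the script is not locale dependent.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

# Only the three rights the post recommends; deliberately NOT Full Control
# or Read Control, which would flood the log with 560 events on every read.
$rights = [System.Security.AccessControl.RegistryRights]'CreateSubKey, CreateLink, Delete'

$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    $everyone,
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',  # apply to the per-drive subkeys too
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# Read the current security descriptor including its SACL, add our rule, write it back.
$acl = Get-Acl -Path $keyPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Show what is now audited on the key so the result can be checked against step 8.
(Get-Acl -Path $keyPath -Audit).Audit |
    Where-Object { $_.IdentityReference -like '*Everyone*' } |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags -AutoSize
```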
Windows will now generate event IDs 560, 567 and 564 when drive mappings are added or deleted: 564 is generated when a mapping is deleted, 567 is generated when a mapping is deleted or added, and 560 is generated in both cases as well. Event IDs 567 and 564 will not give you the full information you are looking for; they tell you what was done to the mappings but not WHICH mapping. To determine which mapping, you will need the Handle ID found in the event description of the 564/567 events. The Handle ID allows you to track back to the 560 event, which gives you the mapping that is being added/deleted. Event ID 567 is only generated on Windows XP or Windows 2003 systems; Windows 2000 will not generate 567.
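The Handle ID correlation described above, as an added example that is not part of the original post. The three event descriptions are constructed samples shaped like Windows 2003 Security log text (the Object Name ends in the drive-letter subkey under Network); on a real system you would feed in the output of Get-EventLog -LogName Security instead.

```powershell
# Added example (not from the original post): resolve 564/567 events to the
# mapped drive they concern by looking up their Handle ID in the 560 open event.
# Constructed sample events; field layout mirrors the 2003-era descriptions.
$events = @(
    @{ Id = 560; Message = "Object Open:`n Object Server: Security`n Object Type: Key`n" +
       " Object Name: \REGISTRY\USER\S-1-5-21-EXAMPLE-1001\Network\Z`n Handle ID: 1436`n" +
       " Primary User Name: jdoe`n Accesses: DELETE" },
    @{ Id = 567; Message = "Object Access Attempt:`n Object Server: Security`n Handle ID: 1436`n" +
       " Object Type: Key`n Image File Name: C:\WINDOWS\explorer.exe`n Accesses: DELETE" },
    @{ Id = 564; Message = "Object Deleted:`n Object Server: Security`n Handle ID: 1436`n Process ID: 1212" }
)

function Get-EventField {
    param([string]$Message, [string]$Field)
    # Pull the value of one "Field: value" line out of a multi-line description; $null if absent.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Field)):\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

# Pass 1: build Handle ID -> Object Name from the 560 events. Handle IDs are reused
# over time, so in a real log pair each 564/567 with the nearest preceding 560.
$handleToKey = @{}
foreach ($e in ($events | Where-Object { $_.Id -eq 560 })) {
    $h = Get-EventField $e.Message 'Handle ID'
    if ($h) { $handleToKey[$h] = Get-EventField $e.Message 'Object Name' }
}

# Pass 2: report each 564/567 with the mapping resolved through its handle.
foreach ($e in ($events | Where-Object { 564, 567 -contains $_.Id })) {
    $h = Get-EventField $e.Message 'Handle ID'
    $key = if ($h) { $handleToKey[$h] } else { $null }
    # The last path component of the Network subkey is the drive letter.
    $drive = if ($key) { Split-Path $key -Leaf } else { '<no matching 560>' }
    $action = if ($e.Id -eq 564) { 'mapping deleted' }
              else { 'mapping touched (' + (Get-EventField $e.Message 'Accesses') + ')' }
    'Event {0}: handle {1} -> drive {2}: {3}' -f $e.Id, $h, $drive, $action
}
```

With the samples above both lines resolve to drive Z; a 564/567 whose handle never appeared in a 560 is reported as having no matching open event, which is the case to investigate when the log has rolled over.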
Security Log Resource
This week has been a busy one for me. I have had several web training sessions and 2 onsite training sessions with customers this week. A question came up during one of the onsites this week and I thought I would share it. The question was where I got all my knowledge about the Windows Event Log and the various Event IDs.
The answer is a simple 2 part answer. Part 1 –> Repetition, repetition, repetition. I have been analyzing event logs for more than 3 years now and before that I was a Sys Admin. Looking at the events day in and day out, you tend to get them stuck in your head. Part 2 –> Resources such as the information that I’ve learned from reading Randy F. Smith’s book and reviewing his course documentation and visiting his web site: www.ultimatewindowssecurity.com. I have put a link to a new feature on Randy’s site, WinSecWiki, under my Blogrolls. I also attend his webinars to get more info. Randy has good insight into the Security log. I have also had several conversations with Randy.
From time to time I will contribute to Randy’s Wiki, I will be posting under my first name on his site.
If anyone has any questions about Windows Events or the Windows Audit Policy feel free to ask.
Tracking Down Audit Policy Changes
Yesterday I held a webinar about how to track down changes to your Audit Policy. I have had several requests for the recorded session link from the people who attended. So I thought I would share the webinar with everyone else. To view the webinar please visit: http://www.prismmicrosys.com/Support/trainingDetails.php?id=116&a=view.html
For a list of my other upcoming webinars you can visit: http://www.prismmicrosys.com/webinars.php#Log%20Management%20Secrets
They are listed under the Log Management Secrets section. I will be conducting webinars each Tuesday at 1 pm Eastern Time on various topics relating to event log management and security. Please feel free to join in the webinars.