Event Log Managment

Logs .. Logs and More Logs

Do you need to track who/where/when for activities done against the OU’s in your AD?

With Windows 2003 those were difficult questions to answer, we could get some very basic information from Directory Services Auditing; but it was limited and you had to read through several cryptic events (id 566).  With the advanced auditing settings with Windows 2008 R2 you can get some better information (you can do this same thing with Windows 2008 but it has to be done via command line and applied every time servers restart).

I don’t want to bore you with Windows 2003 auditing or the command line options for Windows 2008 Domains (if you need them, I will get you the information).  So let’s just jump right to using Windows 2008 R2, because we can now apply the advanced auditing settings via Group Policy.

Now when you turn on the Advanced Audit Policy Configuration you are turning OFF the basic or standard Audit Policies.  The Advanced Audit Policy Configuration allows you to control what AD will audit at a more granular level.  Now for the focus of this discussion we are only going to talk about setting up auditing for activity on our Domain Controllers, the other systems in your environment will be a different discussion.

So where do we start so that we can answer our question at the top of this discussion?

First, turn on the correct auditing.  Open up Group Policy Management Editor and drill down as seen in Fig 1.  **Take note of the green highlight.

GPO to Track OU changesFig 1

For this discussion we are focusing on DS Access and its subcategories.  We only want to turn on Audit Directory Service Changes, see Fig 2.  This category only generates events on domain controllers and is very useful for tracking changes to Active Directory objects that have object level auditing enabled. These events not only tell you what object and property was changed and by whom but also the new value of the affected properties.

GPO part 2Fig 2

Now that we have step 1 completed, setting up AD for auditing, it’s time to configure WHAT we want to audit.  This next step is done via Active Directory Users and Computers.  Open up the properties of your AD and drill down to setup the auditing for Create and Delete Organizational Unit objects as seen in Fig 3.

Fig 3

Now we need to add more granularity so we need to do this process 1 more time and this time instead of checking boxes on the Object tab we are going to check 2 boxes on the Properties tab, see Fig 4.

Fig 4

Now that our auditing is setup what type of events can we expect to see?

Here are a few examples:

In this example (Fig 5), id 5137, we see an OU being created by the Administrator.

Fig 5

Figure 6 shows a Sub OU being created.

Fig 6

Figure 7 shows id 5139, an OU being moved.

Fig 7

Now for the best one, this one comes as a pair of messages – OU rename, part of id 5136.

Figure 8 shows the first part of the rename process.

Fig 8

Figure 9 shows the second part of the rename process.

Fig 9

Now let’s contrast all of this with an event that is part of the good old standard auditing.   Let’s take moving an OU; with the Advanced Auditing we get id 5139 (fig 7), nice and easy to read and understand.  Now here is id 4662 that you would get for the same thing with standard auditing, fig 10.

Fig 10

With standard auditing some of the other items that we looked at would be next to impossible with auditing, such as tracking when an OU is renamed and as you can see from fig 10 hard to read and understand if you did get an event.

Now if your AD is in Mixed Mode (W2k8 and W2k3) you are stuck with standard auditing.


August 16, 2012 Posted by | Audit Policy, Audting, Directory Services, Event Log, Windows 2008 | , , , , , , , , , | Leave a comment

Inside and Outside Hack Attempts

Over the last several years I have conducted quite a few webinars with Randy F. Smith on a variety of topics that relate to Windows Audit Policies and Log Management.  Two of these truly drive home the point about why you need to be looking at your logs (not just Windows but all sources; *NIX and Network Devices as well).  The first of these was conducted on Jan 20, 2009 entitled “Anatomy of a Hack: Tracking an Intruder with Security Logs” and most recently on Feb 4, 2010 entitled “Insider Gone Bad: Tracking Their Steps and Building Your Case with the Security Log “.

March 3, 2010 Posted by | Audit Policy, Audting, Event Log, Hacking, Log Management | , , , , , , , | Leave a comment

More Info on Tracking Down File Deletes

Quite awhile ago I wrote a blog entry on Tracking Down File Deletes, it continues to be one of my most read blogs.  I came across another blog entry that does a good job of explaining the same thing.  The author is Ned Pyle, in his post he covers not only the Windows 2003 but also the Windows 2008 auditing so I thought I would share it with you.

August 5, 2009 Posted by | Audit Policy, Event Log, File Deletes, Log Management, Object Access | , , , , , | Leave a comment

Recommended Windows 2008 Audit Policy

Randy F. Smith has a good resource for the Windows 2008 Audit Policy.

May 27, 2009 Posted by | Audit Policy, Windows 2008 | | Leave a comment

Data Leakage with USB Devices

If you think that your users would never steal any data from the company then take a look at these 3 articles.  Each of these show just how careless users can be with USB devices, 2 of these I’m sure were not done to harm anyone, but 1 of these definitely was. 

Records loss may violate U.S. law
‘Total files’ of patients, many with HIV and AIDS, missing

“A low-level Harris County Hospital District administrator probably violated federal law when she downloaded medical and financial records for 1,200 patients with HIV, AIDS and other medical conditions onto a flash drive that later was lost or stolen, legal experts said Thursday.”



Report: Korean Execs Stole $1.8B in Trade Secrets

“Company leaders allegedly defected to rival company with 900 documents loaded onto USB drives”



Nuclear Lab Breach Could Be ‘Devastating’
CBS News Exclusive: Data Found In Drug Raid Contains Weapons-Design Secrets


Security lab may face $3.3m fine for data leak
“Classified files, computer storage devices found in trailer-park drug raid”



Added: 8/21/08 

Yet another story about missing data via USB devices, this one from the UK.

Data on 130,000 criminals lost.



Added 8/21/08  Another case of someone trying to do harm.

At Countrywide, One Overlooked PC Led to Loss of 2M Records



As Admins we need to be able to track down who is using USB storage devices and what they are doing. 

**Missed another link; July 23, 2011;  Do to some unforseen issues at Prism I can no longer in good faith promote their product or services and I have removed all links to their website.


August 14, 2008 Posted by | Audit Policy, Audting, USB Devices | , , | Leave a comment

Auditing Drive Mappings

Windows does not track drive mappings for auditing out of the box. 

To audit drive mappings you will need to do the following steps:

1.       Turn on Object Access Auditing via Group Policy on the system(s) in question

You will need to perform the following steps on each system that you want to track the drive mappings

2.       Open the registry and drill down to HKEY_CURRENT_USER\Network

3.       Right click on Network and choose Permissions  (if you click on the plus sign you will see each of your mapped drive listed)

4.       Click on the Advanced button

5.       Click on the Auditing tab then click on the Add button

6.       In the Select User or Group box type in Everyone

7.       This will open the Auditing dialog box

8.       Select the settings that you want to audit for; stay away from the Full Control option and Read Control.  I recommend the following settings: Create Subkey, Create Link and Delete.

Windows will now generate event id 560, 567 and 564 when the drive mappings are added or deleted.  564 will be generated when a mapping is deleted, 567 will be created when a mapping is deleted or added and 560 will be generated both times as well.  Event ID’s 567 and 564 will not give you the full information that you are looking for, they will tell you what was done to the mappings but not WHICH mapping.  To determine which mapping you will need the Handle ID code that will be found in the event description on the 564/567 events.  The Handle ID will allow you to track back to the 560 event which will give you the mapping that is being added/deleted.  Event ID 567 will only be generated on Windows XP or Windows 2003 systems, Windows 2000 will not generate 567.

March 13, 2008 Posted by | Audit Policy, Audting, Event Log, Object Access | , , | Leave a comment

Security Log Resource

This week has been a busy one for me.  I have had several web training sessions and 2 onsite training sessions with customers this week.  A question came up during one of onsites this week and I thought I would share it.  The question was where did I get all my knowledge about the Windows Event Log and the various Event ID’s.

The answer is a simple 2 part answer. Part 1 –> Repetition, repetition, repetition.  I have been analyizing event logs for more than 3 years now and before that I was a Sys Admin.  Looking at the events day in and day you tend to get them stuck in your head.  Part 2 –> Resources such as the information that I’ve learned from reading Randy F. Smith’s book and reviewing his course documentation and visiting his web site: www.ultimatewindowssecurity.com.  I have put a link to a new feature on Randy’s site, WinSecWiki, under my Blogrolls.  I also attend his webinars to get more info.  Randy has good insite to the Security log.  I have also had several conversations with Randy.

From time to time I will contribute to Randy’s Wiki, I will be posting under my first name on his site. 

If anyone has any questions about Windows Events or the Windows Audit Policy feel free to ask.

January 17, 2008 Posted by | Audit Policy, Event Log, Log Management | , , | Leave a comment

Tracking Down Audit Policy Changes

Yesterday I held a webinar about how to track down changes to your Audit Policy.  I have had several requests for the recorded session link from the people who attended.  So I thought I would share the webinar with everyone else.  To view the webinar please visit:

**Feb 14, 2011; Do to some unforseen issues at Prism I can no longer in good faith promote their product or services and I have removed all links to their website.

January 17, 2008 Posted by | Audit Policy, Audting, Event Log, Log Management | , , , | Leave a comment