Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Windows Log

from [Nick Duda] Network Security [Permanent Link]
Subject: RE: Windows Log
Date: Fri, 20 Jan 2006 14:49:45 -0500 

Does anyone have an example of a script like you mention...I'ev been playing 
with everything, apparently not.

Thanks for all the replies so far,
Nick

-----Original Message-----
From: Ramsdell, Scott [mailto:sramsdell@stinsonmoheck.com]
Sent: Friday, January 20, 2006 1:28 PM
To: Nick Duda; security-basics@securityfocus.com
Subject: RE: Windows Log

Nick,

EventIDs and LogonTypes generated for different types of successful logons:

1.  Interactive console logons (at the keyboard, or through KVM) generate 
EventID 528 and LogonType 2.  This is recorded on the local workstation or 
server.

2.  Interactive logons resuming from a password protected screen saver generate 
EventID 528 and LogonType 7.  This is also recorded on the local box.

3.  Logging off generates EventID 538 with LogonType 2 or 7 depending on if the 
user logged out of Windows (2) or the screen saver came on (7).

4.  Users logging into the domain generate EventID 540 LogonType 3 on the 
domain controller.  This indicates a successful logon across the network to a 
shared resource such as the SYSVOL and netlogon shares to process GPOs and read 
scripts.

5.  Users logging out of the domain disconnect from SYSVOL and netlogon, so 
this generates EventID 538 LogonType 3 on the DC.

LogonType 2 = interactive (keyboard or KVM)
LogonType 3 = across the network
LogonType 7 = screen saver

VBScript can query machines for those events using WMI.  For what you want, you 
will have to query each of your DCs for EventID 540 LogonType 3 events.

Alternatively, in an AD environment you can monitor logon and logoff through 
GPOs.  Simply write a script that dumps username, workstation and time to a 
centrally located repository.  Then assign that script in a GPO under "User 
Configuration\Windows Settings\Scripts\Logon" and "User Configuration\Windows 
Settings\Scripts\Logoff". 

As "List Spam" points out below, you don't want to limit the logging your DC 
collects, you might need it for something else.  Simply query for what you 
need, or dump what you need.

Regards,
Scott


-----Original Message-----
From: Nick Duda [mailto:nduda@VistaPrint.com]
Sent: Thursday, January 19, 2006 8:56 AM
To: security-basics@securityfocus.com
Subject: RE: Windows Log


To continue this topic, I'm faced with the same thing....

The problem is that with all these event id's 672, 673, 540...etc there is 
still no positive way to say , when a user logged on (via cntrl,alt delete) and 
logged off, as in shutdown or log off.


My goal, is to use syslog or some other form of monitoring to keep records of 
each employees logon/logoff of a PC physically on the network. I've been knee 
deep into all these event id's and nothing is accurate.


Please help.

-----Original Message-----
From: List Spam [mailto:listspam@gmail.com]

Sent: Tuesday, January 17, 2006 10:08 AM
To: security-basics@securityfocus.com
Subject: Re: Windows Log

There are many types of logins that can be performed in an an AD
environment.  Among these are full desktop logins by a user (aka
interactive login), non-interactive network logins (e.g. mount a
share), computer accounts authenticating to the domain, etc.

I would venture a guess that you don't want to disallow the ability to
log other security events, but want to easily find login events of
some type (see above) without having to wade through the full set of
logged data.  If this is the case, you could simply filter the logs to
show the event id that is specific to the action you are looking to
see.

You could use the built-in "Event Viewer" application for it,
EventCombMT (Google it), one of the resource kit log dumping
utilitities, VBScripts, or just about anything else to export this
info.  Some VBScript examples are below:

http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/defaultmspx

I dare say that if you're trying to audit security on a box, you don't
want to hack up the data collection facility, but want to simply get
better use from that data.

My two cetns.

On 1/16/06, Rod <rod.rio@gmail.com> wrote:

Hi all,

I have a Win2k Server, who is my Domain Controller, and I'd like it to
log only the LOGON/LOGOFF events. I know that there are a whole class
of logon/logoff events, but I´d like to log only when a user logon
into a machine in the domain.

Hope I was clear... thx


--
Rodrigo M. T. Fernandez
Departamento de Ciência da Computação UFRJ
Grupo de Respostas a Incidentes de Segurança - GRIS UFRJ
www.dcc.ufrj.br | www.gris.dcc.ufrj.br

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management

education and the case study affords you unmatched consulting experience.

Tailor your education to your own professional goals with degree

customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------
Confidentiality note:
The information in this email and any attachment may contain

confidential and proprietary information of VistaPrint and/or

its affiliates and may be privileged or otherwise protected

from disclosure. If you are not the intended recipient,

you are hereby notified that any review, reliance or distribution

by others or forwarding without express permission is strictly

prohibited and may cause liability. In case you have received this
message due to an error in transmission, please notify the sender

immediately and to delete this email and any attachment from your

system.
---------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


This communication is from a law firm and may contain confidential and/or 
privileged information. If it has been sent to you in error, please contact the 
sender for instructions concerning return or destruction, and do not use or 
disclose the contents to others.



---------------------
Confidentiality note:
The information in this email and any attachment may contain
confidential and proprietary information of VistaPrint and/or
its affiliates and may be privileged or otherwise protected
from disclosure. If you are not the intended recipient,
you are hereby notified that any review, reliance or distribution
by others or forwarding without express permission is strictly
prohibited and may cause liability. In case you have received this
message due to an error in transmission, please notify the sender
immediately and to delete this email and any attachment from your
system.
---------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: email attachement/extension block list, Aastra Security Support
Next by Date:  Re: question: Linksys 54G WAP - SSID name change issue, Leif Ericksen
Previous by Thread:  RE: Windows Log, dave kleiman
Next by Thread:  Re: Windows Log, List Spam
Indexes:  [Date] [Thread] [Top] [All Lists]