
Authentication Auditing in Windows 2000

Authentication auditing is an essential part of protecting your Windows computers from intrusion. The big problem in Windows auditing is trying to understand what's going on, without drowning in a flood of irrelevant or useless information. If you let it do so, Windows will bury you in event notifications. Figuring out what's going on from those notifications can be a real chore. Rick Cook provides specific suggestions to start making your auditing process more informative.

Authentication is central to Windows security, and Windows 2000 Server provides a comprehensive set of authentication services. By logging and examining authentication-related events, you can detect many of the most common security problems, such as attempted intrusions and account misuse.

If you're concerned about intrusion attempts, the areas that should get the closest scrutiny are Logon events and Account Logon events. Other authentication event categories that can indicate an attempted intrusion include Directory Service access events and privilege use events. Here it's usually enough to log failed attempts.

Weeding Through Endless Possibilities

Auditing in Windows 2000 Server involves two functions. The first is logging—having the system notice the kinds of events that interest you. The other is auditing the events—examining the logged events and analyzing them to determine potential problems. The good news is that Windows will automatically log dozens of different kinds of events in a number of categories. The bad news about the good news is the potential for information overload. Even if you're just interested in authentication events, if you try to log everything you'll quickly fill tens of megabytes of disk space with data, most of which is just noise. Remember that something like an object access under Windows involves several events, each of which can be logged separately. You need to decide which classes of events (and which events in those classes) you want to log for later study. Even when you're selective, you need to make sure that you allow enough disk space for logs.

The Windows auditing and event logging system is fairly complex:

  • You can log events at any level from the individual workstation or user to the entire enterprise.
  • You can choose among a number of event categories, making the system report and log as many or as few of these categories as you want.
  • The logging system lets you log both successful and failed attempts to use a service. For most categories, such as account management and policy change events, it's enough to log failed attempts most of the time. However, for authentication-related categories, it's best to log both successful and failed attempts.

By logging and examining authentication-related events, you can detect attempted intrusions, account misuse, and other irregularities. Windows automatically notes many authentication-related events and allows you to log them for later analysis; for example, it's a good idea to look at Logon events and Account Logon events. Other authentication event categories that can indicate an attempted intrusion include Directory Service access events and privilege use events. Here it's usually enough to log failed attempts.
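As an added example, not part of Rick Cook's article: a Python script that applies the selection rule above (both outcomes for Logon and Account Logon, failures only for Directory Service access and privilege use, everything else dropped) to a tab-separated export of the Security log and then counts failed audits per account. The sample rows, the column layout and the failure threshold are assumptions constructed for the example.

```python
"""Filter and summarise authentication audit events from a tab-separated Security log export."""
from collections import Counter

# Constructed sample export, not a real log. The column layout is an assumption:
# date, time, audit type, category, event ID, account, computer.
SAMPLE_EXPORT = """\
2001-03-05\t08:59:12\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWS7
2001-03-05\t08:59:20\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWS7
2001-03-05\t08:59:31\tFailure Audit\tLogon/Logoff\t529\tadministrator\tWS7
2001-03-05\t09:01:02\tSuccess Audit\tLogon/Logoff\t528\tjdoe\tWS3
2001-03-05\t09:01:02\tSuccess Audit\tAccount Logon\t680\tjdoe\tSRV1
2001-03-05\t09:01:05\tSuccess Audit\tObject Access\t560\tjdoe\tSRV1
2001-03-05\t09:01:05\tSuccess Audit\tPrivilege Use\t576\tjdoe\tSRV1
2001-03-05\t09:02:40\tFailure Audit\tPrivilege Use\t577\tjdoe\tWS3
2001-03-05\t09:02:41\tSuccess Audit\tObject Access\t562\tjdoe\tSRV1
2001-03-05\t09:03:15\tFailure Audit\tAccount Logon\t681\tadministrator\tSRV1
"""

AUTH_CATEGORIES = {"Logon/Logoff", "Account Logon"}  # keep success and failure
FAILURE_ONLY_CATEGORIES = {"Directory Service Access", "Privilege Use"}  # failures only

def parse_export(text):
    """Turn rows into dicts; malformed rows are skipped rather than aborting the run."""
    records = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        _date, _time, audit_type, category, event_id, account, computer = fields
        records.append({"type": audit_type, "category": category, "event_id": int(event_id),
                        "account": account, "computer": computer})
    return records

def keep(record):
    """The article's selection rule: both outcomes for authentication categories,
    failures only for directory-service and privilege-use events, nothing else."""
    if record["category"] in AUTH_CATEGORIES:
        return True
    return record["category"] in FAILURE_ONLY_CATEGORIES and record["type"] == "Failure Audit"

def summarize(text, threshold=3):
    """Count failed audits per account and flag accounts reaching the threshold."""
    records = parse_export(text)
    kept = [r for r in records if keep(r)]
    failures = Counter(r["account"] for r in kept if r["type"] == "Failure Audit")
    suspects = {acct: n for acct, n in failures.items() if n >= threshold}
    return {"total": len(records), "kept": len(kept), "failures": failures, "suspects": suspects}

if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT))
```

On the sample, three of ten rows are dropped as noise and the repeated failures against the administrator account are the only item flagged for review.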

