Enabling security logging
To understand how to track the various aspects of the computer's security log, you first need to know how to turn the Security Log on. By default, most Windows computers (with the exception of some domain controller versions) do not record anything in the Security Log. This has both an advantage and a disadvantage. The disadvantage is that unless you force the computer to start logging security events, there is nothing to follow up on. The good news is that the log is not already packed full of informational messages and error tips, which is exactly what happens on a Windows Server 2003 domain controller, without any warning.
Audit event tracking is set up and configured with Group Policy. You can configure a local Group Policy object, but then you have to configure every computer individually. Alternatively, you can use Group Policy in Active Directory to set up logging for many computers at once. To start tracking the security log, open the Group Policy Management Console (GPMC) on a domain-joined computer and log on with administrator privileges.
In the GPMC you can see all organizational units (OUs), if you have created any, and all GPOs, if you have created two or more. In this article we assume that you have an OU that contains all the computers whose security logs are to be tracked in the same way; we will use the Desktops OU and the AuditLog GPO.
Edit the AuditLog GPO and expand the following node:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
A brief description of each audit type
Following is a brief description of each type of audit control:
Audit account logon events - audits each instance in which this computer validates an account for a user logging on to or off from another computer. The best example is a user logging on to a Windows XP Professional workstation: the logon is always authenticated by a domain controller, and because the domain controller validates the user, the event is generated on the domain controller. Only Windows Server 2003 domain controllers enable this setting by default (configured to audit successful events); no other operating system enables it. The most common practice, and the best one, is to audit these events on all domain controllers and servers. I have also found that in many environments the clients are configured to audit these events as well.
Audit account management - audits events related to the user account database on every computer configured for this audit. Examples of these events are:
* Creating a user account
* Adding a user to a group
* Renaming a user account
* Changing the password of a user account
On a domain controller this audits changes to domain accounts; on a server or client it audits the local Security Accounts Manager (SAM) database and the accounts in it. Only Windows Server 2003 domain controllers enable this setting by default (configured to audit successful events); no other operating system enables it. The most common and best practice is to audit these events on all domain controllers and servers. Without this audit setting, user account activity cannot be captured in the security log.
Audit directory service access - audits events related to a user accessing an AD object whose system access control list (SACL) has been configured to track that user's access. The SACL of an AD object specifies three things:
* The account to be tracked (usually a user or group)
* The type of access to be tracked, such as read, create, modify, and so on
* Whether successful or failed access to the object is tracked
Because every object has its own SACL, control over what is tracked at the AD object level can be very precise. Only Windows Server 2003 domain controllers enable this setting by default (configured to audit successful events); no other operating system enables it. Best practice is to audit both success and failure of directory service access on all domain controllers.
Audit logon events - audits every event related to a user logging on to, logging off from, or connecting over the network to a computer that is configured to audit logon events. A good example of when these events are recorded: when a user logs on interactively to a workstation with a domain user account, the event is generated on the workstation, not on the domain controller that validates the logon. Essentially, the event is tracked where the logon attempt takes place, not where the user account lives. Only Windows Server 2003 domain controllers enable this setting by default (configured to audit successful events); no other operating system enables it. Usually all computers on the network log these events.
Audit object access - audits each event in which a user accesses an object. Objects include files, folders, printers, registry keys and AD objects. In practice, any object that has a SACL is covered by this type of auditing. As with directory service access auditing, every object has its own SACL, so auditing can be targeted at individual objects. No object is configured for auditing by default, which means that enabling this setting alone produces no log entries. Once the setting is enabled and an object's SACL has been configured, entries begin to appear whenever an attempt is made to access the object. Unless there is a specific need to track access to certain resources, this level of auditing is usually not configured; in a highly secure environment, however, it is usually enabled and many resources are configured for access auditing.
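The following PowerShell example is added here and is not part of the original article. It shows the two halves that object access auditing needs: a SACL on the object, built from the three elements described above (the account to track, the access type, and success or failure), and the audit policy itself. The file path and the DOMAIN\Finance group are hypothetical placeholders; the example assumes Windows Vista / Server 2008 or later (auditpol.exe is built in) and an elevated session, since writing a SACL requires the "Manage auditing and security log" right.

```powershell
# Added example (not part of the original article): put a SACL on a file so
# that object access auditing produces entries for it.
# Assumes Windows Vista / Server 2008 or later and an elevated PowerShell session.

$Path    = 'C:\Secure\payroll.xlsx'   # hypothetical file to track
$Account = 'DOMAIN\Finance'           # hypothetical account (user or group) to track

# The SACL entry is built from the three elements an object SACL specifies:
#   1. the account being tracked
#   2. the access types being tracked
#   3. whether successful, failed, or both kinds of access are tracked
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Account,
    'ReadData, WriteData, Delete',   # FileSystemRights to track
    'None',                          # InheritanceFlags (single file, nothing to inherit)
    'None',                          # PropagationFlags
    'Success, Failure'               # AuditFlags: record both outcomes
)

# -Audit is required so that Get-Acl reads the SACL as well as the DACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the audit entries now present on the object.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# The policy half: without object access auditing enabled, the SACL alone
# produces nothing. Show the effective setting for the File System subcategory.
auditpol /get /subcategory:"File System"
```

Once both halves are in place, access attempts against the file by members of the tracked group show up in the security log as object access events (4663 for the access attempt, 4660 when the object is deleted), which is where the entries described above begin to appear.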
Audit policy change - audits each event related to a change in one of three "policy" areas on the computer:
* User rights assignment
* Audit policy
* Trust relationships
Only Windows Server 2003 domain controllers enable this setting by default (configured to audit successful events); no other operating system enables it. Best practice is to configure this level of auditing on all computers on the network.
Audit privilege use - this level of auditing is not configured by default on any operating system. Best practice is to configure this level of auditing on all computers on the network.
Audit process tracking - audits each event related to processes on the computer, including program activation, process exit, handle duplication and indirect object access. This level of auditing generates a very large number of events and is normally configured only for a limited time, when troubleshooting an application.
Audit system events - audits events related to restarting or shutting down the computer, as well as events that affect system security or the security log itself (once auditing is on). This needs to be audited on the computer not only so that such events are logged, but also so that there is a record when the log itself is cleared. Only Windows Server 2003 domain controllers enable this setting by default (configured to audit successful events); no other operating system enables it. Best practice is to configure this level of auditing on all computers on the network.
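To check whether a computer actually ended up with the audit settings the categories above call for, the following PowerShell example (added here, not part of the original article) reads the effective policy with auditpol.exe and compares it against a baseline that follows this article's recommendations. The category names are the ones auditpol.exe uses in an English locale; the baseline values are this example's reading of the text, not a Microsoft default. It assumes Windows Vista / Server 2008 or later and an elevated session.

```powershell
# Added example (not part of the original article): compare the effective
# audit policy with a baseline derived from the recommendations above.
# Assumes Windows Vista / Server 2008 or later (auditpol.exe is built in),
# an elevated PowerShell session and an English locale for the category names.

# $true = the article recommends auditing this category on the computer type
# being checked (success and failure); $false = enable only when needed.
$Baseline = [ordered]@{
    'Account Logon'      = $true     # all domain controllers and servers
    'Account Management' = $true     # all domain controllers and servers
    'DS Access'          = $true     # all domain controllers, success and failure
    'Logon/Logoff'       = $true     # all computers
    'Object Access'      = $false    # only for specific resources, via SACLs
    'Policy Change'      = $true     # all computers
    'Privilege Use'      = $true     # all computers
    'Detailed Tracking'  = $false    # process tracking: troubleshooting only
    'System'             = $true     # all computers
}

function Get-AuditCategoryState {
    param([Parameter(Mandatory)][string]$Category)
    # /r prints CSV, one row per subcategory, with an 'Inclusion Setting'
    # column of "Success and Failure", "Success", "Failure" or "No Auditing".
    $rows = auditpol /get /category:"$Category" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $settings = @($rows | ForEach-Object { $_.'Inclusion Setting' })
    [pscustomobject]@{
        Category = $Category
        Success  = [bool]@($settings -match 'Success')
        Failure  = [bool]@($settings -match 'Failure')
    }
}

function Test-AuditBaseline {
    foreach ($category in $Baseline.Keys) {
        $state  = Get-AuditCategoryState -Category $category
        $wanted = $Baseline[$category]
        # A recommended category is compliant only if both success and failure
        # are audited somewhere in it; an optional category always passes.
        $ok = if ($wanted) { $state.Success -and $state.Failure } else { $true }
        [pscustomobject]@{
            Category  = $category
            Success   = $state.Success
            Failure   = $state.Failure
            Expected  = if ($wanted) { 'Success and Failure' } else { 'as needed' }
            Compliant = $ok
        }
    }
}

Test-AuditBaseline | Format-Table -AutoSize
```

Run this after the GPO has been applied (gpupdate /force or a reboot) on one computer from the target OU; a category that the GPO should have enabled but that still reports Compliant = False usually means the GPO is linked to the wrong OU or is being overridden by a local or higher-priority policy.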
Event IDs for each audit type
The security log can produce tens of thousands of events, so you need to sift through and decode the log to find the ones that matter. Below are the most important events in each category, the ones you will most likely want to track in the security log:
Audit account logon events
4776 - The domain controller attempted to validate the credentials for an account
4777 - The domain controller failed to validate the credentials for an account
4768 - A Kerberos authentication ticket (TGT) was requested
4769 - A Kerberos service ticket was requested
4770 - A Kerberos service ticket was renewed
Audit account management
4741 - A computer account was created
4742 - A computer account was changed
4743 - A computer account was deleted
4739 - Domain policy was changed
4782 - The password hash of an account was accessed
4727 - A security-enabled global group was created
4728 - A member was added to a security-enabled global group
4729 - A member was removed from a security-enabled global group
4730 - A security-enabled global group was deleted
4731 - A security-enabled local group was created
4732 - A member was added to a security-enabled local group
4733 - A member was removed from a security-enabled local group
4734 - A security-enabled local group was deleted
4735 - A security-enabled local group was changed
4737 - A security-enabled global group was changed
4754 - A security-enabled universal group was created
4755 - A security-enabled universal group was changed
4756 - A member was added to a security-enabled universal group
4757 - A member was removed from a security-enabled universal group
4758 - A security-enabled universal group was deleted
4720 - A user account was created
4722 - A user account was enabled
4723 - An attempt was made to change an account's password
4724 - An attempt was made to reset an account's password
4725 - A user account was disabled
4726 - A user account was deleted
4738 - A user account was changed
4740 - A user account was locked out
4765 - SID History was added to an account
4766 - An attempt to add SID History to an account failed
4767 - A user account was unlocked
4780 - The ACL was set on accounts which are members of administrators groups
4781 - The name of an account was changed
Audit directory service access
4934 - Attributes of an Active Directory object were replicated
4935 - Replication failure begins
4936 - Replication failure ends
5136 - A directory service object was modified
5137 - A directory service object was created
5138 - A directory service object was undeleted
5139 - A directory service object was moved
5141 - A directory service object was deleted
4932 - Synchronization of a replica of an Active Directory naming context has begun
4933 - Synchronization of a replica of an Active Directory naming context has ended
Audit logon events
4634 - An account was logged off
4647 - User initiated logoff
4624 - An account was successfully logged on
4625 - An account failed to log on
4648 - A logon was attempted using explicit credentials
4675 - SIDs were filtered
4649 - A replay attack was detected
4778 - A session was reconnected to a Window Station
4779 - A session was disconnected from a Window Station
4800 - The workstation was locked
4801 - The workstation was unlocked
4802 - The screen saver was invoked
4803 - The screen saver was dismissed
5378 - The requested credentials delegation was disallowed by policy
5632 - A request was made to authenticate to a wireless network
5633 - A request was made to authenticate to a wired network
Audit object access
5140 - A network share object was accessed
4664 - An attempt was made to create a hard link
4985 - The state of a transaction has changed
5051 - A file was virtualized
5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network
4698 - A scheduled task was created
4699 - A scheduled task was deleted
4700 - A scheduled task was enabled
4701 - A scheduled task was disabled
4702 - A scheduled task was updated
4657 - A registry value was modified
5039 - A registry key was virtualized
4660 - An object was deleted
4663 - An attempt was made to access an object
Audit policy change
4715 - The audit policy (SACL) on an object was changed
4719 - System audit policy was changed
4902 - The per-user audit policy table was created
4906 - The CrashOnAuditFail value has changed
4907 - Auditing settings on an object were changed
4706 - A new trust was created to a domain
4707 - A trust to a domain was removed
4713 - Kerberos policy was changed
4716 - Trusted domain information was modified
4717 - System security access was granted to an account
4718 - System security access was removed from an account
4864 - A namespace collision was detected
4865 - A trusted forest information entry was added
4866 - A trusted forest information entry was removed
4867 - A trusted forest information entry was modified
4704 - A user right was assigned
4705 - A user right was removed
4714 - Encrypted data recovery policy was changed
4944 - The following policy was active when the Windows Firewall started
4945 - A rule was listed when the Windows Firewall started
4946 - A change has been made to the Windows Firewall exception list; a rule was added
4947 - A change has been made to the Windows Firewall exception list; a rule was modified
4948 - A change has been made to the Windows Firewall exception list; a rule was deleted
4949 - Windows Firewall settings were restored to the default values
4950 - A Windows Firewall setting has changed
4951 - A rule has been ignored because its major version number was not recognized by Windows Firewall
4952 - Parts of a rule have been ignored because its version number was not recognized by Windows Firewall; the other parts of the rule will be enforced
4953 - A rule has been ignored by Windows Firewall because it could not parse the rule
4954 - Windows Firewall Group Policy settings have changed; the new settings have been applied
4956 - Windows Firewall has changed the active profile
4957 - Windows Firewall did not apply the following rule
4958 - Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer
6144 - Security policy in the group policy objects has been applied successfully
6145 - One or more errors occurred while processing security policy in the group policy objects
4670 - Permissions on an object were changed
Audit privilege use
4672 - Special privileges assigned to new logon
4673 - A privileged service was called
4674 - An operation was attempted on a privileged object
Audit system events
5024 - The Windows Firewall Service has started successfully
5025 - The Windows Firewall Service has been stopped
5027 - The Windows Firewall Service was unable to retrieve the security policy from the local storage; the service will continue enforcing the current policy
5028 - The Windows Firewall Service was unable to parse the new security policy; the service will continue with the currently enforced policy
5029 - The Windows Firewall Service failed to initialize the driver; the service will continue to enforce the current policy
5030 - The Windows Firewall Service failed to start
5032 - Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
5033 - The Windows Firewall Driver has started successfully
5034 - The Windows Firewall Driver has been stopped
5035 - The Windows Firewall Driver failed to start
5037 - The Windows Firewall Driver detected a critical runtime error and is terminating
4608 - Windows is starting up
4609 - Windows is shutting down
4616 - The system time was changed
4621 - An administrator recovered the system from CrashOnAuditFail; users who are not administrators will now be allowed to log on, and some auditable activity might not have been recorded
4697 - A service was installed in the system
4618 - A monitored security event pattern has occurred
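The lists above are only useful once you can pull those IDs out of a log holding tens of thousands of entries. The following PowerShell example is added here and is not part of the original article. It queries the Security log for a subset of the IDs listed above, grouped by audit category, and then breaks failed logons (4625) down by account from the event XML rather than from the free-text message. It assumes PowerShell 3 or later on Windows Vista / Server 2008 or later, run with administrator rights (reading the Security log requires them); the ID selection is this example's subset of the tables and can be extended.

```powershell
# Added example (not part of the original article): query the Security log
# for the event IDs listed above and summarize them by audit category.
# Assumes PowerShell 3+, Windows Vista / Server 2008 or later, and a session
# with administrator rights.

$AuditEventIds = [ordered]@{
    'Account logon'      = @(4776, 4777, 4768, 4769, 4770)
    'Account management' = @(4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740,
                             4767, 4781, 4728, 4729, 4732, 4733, 4756, 4757)
    'Logon events'       = @(4624, 4625, 4634, 4647, 4648, 4649)
    'Object access'      = @(4663, 4660, 4657, 4698, 4702)
    'Policy change'      = @(4719, 4715, 4907, 4704, 4705, 4706, 4707, 4713)
    'Privilege use'      = @(4672, 4673, 4674)
    'System events'      = @(4608, 4609, 4616, 4621, 4697)
}

function Get-AuditEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime  = (Get-Date).AddHours(-24)
    )
    foreach ($category in $AuditEventIds.Keys) {
        $filter = @{
            LogName   = 'Security'
            Id        = $AuditEventIds[$category]
            StartTime = $StartTime
        }
        # Get-WinEvent reports "No events were found" as an error; suppress it
        # so a quiet category does not abort the loop.
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                               -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            [pscustomobject]@{
                Category    = $category
                TimeCreated = $e.TimeCreated
                Id          = $e.Id
                Computer    = $e.MachineName
                # The first line of the message is the description shown in the tables above.
                Description = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

# Failed logons (4625): account, logon type and source address read from the
# EventData section of the event XML, where the fields are named.
function Get-FailedLogon {
    param([datetime]$StartTime = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $StartTime } `
                 -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            TargetAccount = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType     = $data['LogonType']
            SourceAddress = $data['IpAddress']
            Status        = $data['Status']
        }
    }
}

Get-AuditEvent | Sort-Object TimeCreated | Format-Table -AutoSize
Get-AuditEvent | Group-Object Category | Select-Object Name, Count
Get-FailedLogon | Group-Object TargetAccount | Sort-Object Count -Descending |
    Select-Object Name, Count
```

The per-account count of 4625 events is the quickest way to spot an account that is being locked out (compare with 4740 in the account management list) or a workstation that keeps failing to authenticate; because logon events are recorded where the attempt is made, run the query against the workstation or server involved, not only against the domain controller.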
For a complete list of all events, see the Microsoft Knowledge Base article at http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226
Summary
Microsoft continues to add events that are displayed in the Event Viewer security log. As long as you use Group Policy to configure the audit types you want to track, you can track and decode the events your environment needs. If you combine these events with other technologies (such as event subscriptions), you can build a finely tuned event log that helps keep your network secure.