

If the audit policy is set to record logins, a successful login results in the user's user name and computer name being logged as well as the user name they are logging into. Depending on the version of Windows and the method of login, the IP address may or may not be recorded. Windows 2000 Web Server, for instance, does not log IP addresses for successful logins, but Windows Server 2003 includes this capability.

The categories of events that can be logged are:

The sheer number of loggable events means that security log analysis can be a time-consuming task. Third-party utilities have been developed to help identify suspicious trends. It is also possible to filter the log using customized criteria.

Administrators are allowed to view and clear the log (there is no way to separate the rights to view and clear the log). In addition, an Administrator can use Winzapper to delete specific events from the log. For this reason, once the Administrator account has been compromised, the event history as contained in the Security Log is unreliable. A defense against this is to set up a remote log server with all services shut off, allowing only console access.

As the log approaches its maximum size, it can either overwrite old events or stop logging new events. This makes it susceptible to attacks in which an intruder can flood the log by generating a large number of new events. A partial defense against this is to increase the maximum log size so that a greater number of events will be required to flood the log. It is possible to set the log to not overwrite old events, but as Chris Benton notes, "the only problem is that NT has a really bad habit of crashing when its logs become full".

Randy Franklin Smith's Ultimate Windows Security points out that given the ability of administrators to manipulate the Security Log to cover unauthorized activity, separation of duty between operations and security-monitoring IT staff, combined with frequent backups of the log to a server accessible only to the latter, can improve security.

Another way to defeat the Security Log would be for a user to log in as Administrator and change the auditing policies to stop logging the unauthorized activity he intends to carry out. The policy change itself could be logged, depending on the "audit policy change" setting, but this event could be deleted from the log using Winzapper and from that point onward, the activity would not generate a trail in the Security Log.
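As an added example (not from the article), a small Python detector that applies the defensive points above to a constructed sample of Security Log records: it flags the audit-policy-change and log-cleared events the text describes, treats a gap in sequential record numbers as a heuristic for events deleted from the file, and flags a burst of events that could be a flood. The event IDs 4624, 4719 and 1102 are the standard Windows ones, which the article does not list; the record format, sample data and thresholds are assumptions.

```python
"""Flag Security Log tampering signals in a sequence of event records.

Run this against the copy forwarded to a remote log server, not the log on
the host itself, since a compromised Administrator can rewrite the local copy.
Record format (an assumption for this example): record_id|timestamp|event_id|subject
"""
from datetime import datetime, timedelta

# Standard Windows Security Log event IDs (known values, not from the article).
EVENT_NAMES = {4624: "logon success", 4719: "audit policy changed", 1102: "audit log cleared"}
TAMPER_IDS = {4719, 1102}   # the two events that precede "no trail from here on"

# Constructed sample: a policy change, a missing record, a burst, then a clear.
SAMPLE = """\
101|2024-03-01T09:00:00|4624|alice
102|2024-03-01T09:00:05|4624|bob
103|2024-03-01T09:01:00|4719|Administrator
105|2024-03-01T09:01:30|4624|carol
106|2024-03-01T09:01:31|4624|mallory
107|2024-03-01T09:01:32|4624|mallory
108|2024-03-01T09:01:33|4624|mallory
109|2024-03-01T09:01:34|4624|mallory
110|2024-03-01T09:05:00|1102|Administrator
""".splitlines()


def parse(line):
    rec, ts, eid, subj = line.split("|")
    return int(rec), datetime.fromisoformat(ts), int(eid), subj


def find_tampering(lines, flood_window=timedelta(seconds=60), flood_count=5):
    """Return [(record_id, reason)] for policy changes, log clears,
    record-number gaps (heuristic only: a deleted event leaves a hole) and
    bursts of flood_count events inside flood_window (fires once per burst)."""
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    alerts, prev_rec, window = [], None, []
    for rec, ts, eid, subj in events:
        if eid in TAMPER_IDS:
            alerts.append((rec, f"{EVENT_NAMES[eid]} by {subj}"))
        if prev_rec is not None and rec != prev_rec + 1:
            alerts.append((rec, f"record gap: {prev_rec + 1}..{rec - 1} missing"))
        prev_rec = rec
        window = [t for t in window if ts - t <= flood_window] + [ts]
        if len(window) == flood_count:
            alerts.append((rec, f"{flood_count} events within {flood_window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for rec, reason in find_tampering(SAMPLE):
        print(rec, reason)
```

The gap check is only a heuristic: it catches a hole left by removing records, not a log that was rewritten with contiguous numbering, which is why the article's remote-copy and separation-of-duty advice matters more than any check on the local log.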
