RE: Windows Log

["Nick Duda" <nduda () VistaPrint com>]

Does anyone have an example of a script like you mention...I'ev been playing with everything, apparently not.

Thanks for all the replies so far,
Nick

-----Original Message-----
From: Ramsdell, Scott [mailto:sramsdell () stinsonmoheck com]
Sent: Friday, January 20, 2006 1:28 PM
To: Nick Duda; security-basics () securityfocus com
Subject: RE: Windows Log

Nick,

EventIDs and LogonTypes generated for different types of successful logons:

1.  Interactive console logons (at the keyboard, or through KVM) generate EventID 528 and LogonType 2.  This is 
recorded on the local workstation or server.

2.  Interactive logons resuming from a password protected screen saver generate EventID 528 and LogonType 7.  This is 
also recorded on the local box.

3.  Logging off generates EventID 538 with LogonType 2 or 7 depending on if the user logged out of Windows (2) or the 
screen saver came on (7).

4.  Users logging into the domain generate EventID 540 LogonType 3 on the domain controller.  This indicates a 
successful logon across the network to a shared resource such as the SYSVOL and netlogon shares to process GPOs and 
read scripts.

5.  Users logging out of the domain disconnect from SYSVOL and netlogon, so this generates EventID 538 LogonType 3 on 
the DC.

LogonType 2 = interactive (keyboard or KVM)
LogonType 3 = across the network
LogonType 7 = screen saver

VBScript can query machines for those events using WMI.  For what you want, you will have to query each of your DCs for 
EventID 540 LogonType 3 events.

Alternatively, in an AD environment you can monitor logon and logoff through GPOs.  Simply write a script that dumps 
username, workstation and time to a centrally located repository.  Then assign that script in a GPO under "User 
Configuration\Windows Settings\Scripts\Logon" and "User Configuration\Windows Settings\Scripts\Logoff". 

As "List Spam" points out below, you don't want to limit the logging your DC collects, you might need it for something 
else.  Simply query for what you need, or dump what you need.

Regards,
Scott


-----Original Message-----
From: Nick Duda [mailto:nduda () VistaPrint com]
Sent: Thursday, January 19, 2006 8:56 AM
To: security-basics () securityfocus com
Subject: RE: Windows Log


To continue this topic, I'm faced with the same thing....

The problem is that with all these event id's 672, 673, 540...etc there is still no positive way to say , when a user 
logged on (via cntrl,alt delete) and logged off, as in shutdown or log off.


My goal, is to use syslog or some other form of monitoring to keep records of each employees logon/logoff of a PC 
physically on the network. I've been knee deep into all these event id's and nothing is accurate.


Please help.

-----Original Message-----
From: List Spam [mailto:listspam () gmail com]

Sent: Tuesday, January 17, 2006 10:08 AM
To: security-basics () securityfocus com
Subject: Re: Windows Log

There are many types of logins that can be performed in an an AD
environment.  Among these are full desktop logins by a user (aka
interactive login), non-interactive network logins (e.g. mount a
share), computer accounts authenticating to the domain, etc.

I would venture a guess that you don't want to disallow the ability to
log other security events, but want to easily find login events of
some type (see above) without having to wade through the full set of
logged data.  If this is the case, you could simply filter the logs to
show the event id that is specific to the action you are looking to
see.

You could use the built-in "Event Viewer" application for it,
EventCombMT (Google it), one of the resource kit log dumping
utilitities, VBScripts, or just about anything else to export this
info.  Some VBScript examples are below:

http://www.microsoft.com/technet/scriptcenter/scripts/logs/eventlog/defaultmspx

I dare say that if you're trying to audit security on a box, you don't
want to hack up the data collection facility, but want to simply get
better use from that data.

My two cetns.

On 1/16/06, Rod <rod.rio () gmail com> wrote:
> Hi all,
>
> I have a Win2k Server, who is my Domain Controller, and I'd like it to
> log only the LOGON/LOGOFF events. I know that there are a whole class
> of logon/logoff events, but I´d like to log only when a user logon
> into a machine in the domain.
>
> Hope I was clear... thx
>
>
> --
> Rodrigo M. T. Fernandez
> Departamento de Ciência da Computação UFRJ
> Grupo de Respostas a Incidentes de Segurança - GRIS UFRJ
> www.dcc.ufrj.br | www.gris.dcc.ufrj.br
>
> ---------------------------------------------------------------------------
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The Norwich University program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Tailor your education to your own professional goals with degree
> customizations including Emergency Management, Business Continuity Planning,
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management

education and the case study affords you unmatched consulting experience.

Tailor your education to your own professional goals with degree

customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations.


http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------




---------------------
Confidentiality note:
The information in this email and any attachment may contain

confidential and proprietary information of VistaPrint and/or

its affiliates and may be privileged or otherwise protected

from disclosure. If you are not the intended recipient,

you are hereby notified that any review, reliance or distribution

by others or forwarding without express permission is strictly

prohibited and may cause liability. In case you have received this
message due to an error in transmission, please notify the sender

immediately and to delete this email and any attachment from your

system.
---------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


This communication is from a law firm and may contain confidential and/or privileged information. If it has been sent 
to you in error, please contact the sender for instructions concerning return or destruction, and do not use or 
disclose the contents to others.



---------------------
Confidentiality note:
The information in this email and any attachment may contain
confidential and proprietary information of VistaPrint and/or
its affiliates and may be privileged or otherwise protected
from disclosure. If you are not the intended recipient,
you are hereby notified that any review, reliance or distribution
by others or forwarding without express permission is strictly
prohibited and may cause liability. In case you have received this
message due to an error in transmission, please notify the sender
immediately and to delete this email and any attachment from your
system.
---------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------