Re: Windows 2000 Logout events are not monitored!

["Bill Royds" <full-disclosure () royds net>]

The logout even is event number 540 in security log. All the Win2K I manage
have these entries for every logout. Check your security policy to ensure
that you are recording them.
There are in Local Security Policy MMS under Local Policies/Audit
Events/{Audit account logon events,Audit logon events}. YOu want both
success and failure to caputre a successful logoff.

----- Original Message ----- 
From: "Darren Bennett" <DARREN.L.BENNETT () saic com>
To: "Full Disclosure" <full-disclosure () lists netsys com>
Sent: Monday, November 10, 2003 12:42 PM
Subject: [Full-disclosure] Windows 2000 Logout events are not monitored!


: It's possible this has been on the list before but I'm going to check
: anyway. With windows 2000 (server is the platform I have tested), when
: auditing of login/logout events is enabled, only login events are
: recorded. This appears to be a bug with Windows. I have tried applying a
: patch from Microsoft that is supposed to fix this and the patch didn't
: work. Anyone else seen this behavior? Any suggestions on how I could
: record logout events without relying on MS?
:
: -Thanks,
:
: Darren
:
:
: -----------------------------------------------
: Darren Bennett - CISSP
: Sr. Systems Administrator/Manager
: Science Applications International Corporation
: Advanced Systems Development and Integration
: -----------------------------------------------
:
: _______________________________________________
: Full-Disclosure - We believe in it.
: Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html