Event Viewer

[Kenneth Bryant]

We are running Win2k With AD. Does anybody know what are the best events to
look for when tracking possible security breaches? Is there a website that
has what event id's to look for?

Thanks,

Kenneth

 

[Steven L Umbach]

It all depends on your security policy and needs for your situation. At bare
minimum it is a good idea to enable in Domain Controller Security Policy -
auditing of "account logon" events for success and failure, system events
for success and failure, logon events for failure, account management for
success and failure, and policy change for success and failure. For domain
computers auditing of "logon" events for success and failure, system events
for success and failure, policy change for success and failure, and account
management for success and failure is a good idea. Make sure the size of the
security logs has been increased quite a bit from default. The link below
should be helpful. --- Steve

http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx

 

[Kenneth Bryant]

thank you.

It all depends on your security policy and needs for your situation. At bare
minimum it is a good idea to enable in Domain Controller Security Policy -
auditing of "account logon" events for success and failure, system events
for success and failure, logon events for failure, account management for
success and failure, and policy change for success and failure. For domain
computers auditing of "logon" events for success and failure, system events
for success and failure, policy change for success and failure, and account
management for success and failure is a good idea. Make sure the size of the
security logs has been increased quite a bit from default. The link below
should be helpful. --- Steve

http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx