Microsoft has the free Event Comb, which can help in scanning multiple
computers' security logs for specific information. There are also third-party
tools, such as those from Languard, that can help manage security logs.
http://www.gfi.com/lanselm/
However, you will find that you need to do some detective work yourself and
evaluate your security practices. There is no "magic" tool that can
analyze your security logs and tell you exactly what happened. Since you
have been hacked twice already, I would make sure that you have changed all
administrator passwords, checked the membership of the administrator groups,
enforced password complexity, enabled an account lockout policy [at least for
now], which can be used as primitive intrusion detection, checked that your
computers are current with critical updates, checked your firewall
configuration, and so on. Depending on how you have responded to these hacks
you may still be vulnerable due to misconfiguration or an existing backdoor
from the other attacks. Technet Security is a good place to start to learn
how to secure your computers/network. The Microsoft Baseline Security
Analyzer should be run on your computers to check for basic vulnerabilities.
http://www.microsoft.com/technet/security/default.mspx
Things to look for in the security logs are failed logons or logons from
accounts at times that don't make sense - particularly the administrator
account and strangely named computer accounts accessing your network. Your
firewall logs might be helpful if you can correlate events by the time of the
attack and monitor for ports/protocols that should not be making it into the
network, which would show a problem with firewall configuration. I also highly
recommend that you download and read the free Antivirus in Depth guide from
Microsoft. It has some excellent tips on how to try and track down exactly what
happened using common tools to examine processes, port use, services, files
created by date, etc.
http://www.microsoft.com/downloads/...e3-63a4-45a1-97b6-3fef52f63abb&DisplayLang=en
http://tinyurl.com/6xajr -- same link shorter.
Account logon events are generated on the computer that authenticated a user
for interactive logon. For a domain user that would be the domain controller
that authenticated the user. For workstation computers it would be the
computer itself. Logon events are recorded in the security log of a computer
where a user has used his credentials to access the computer such as a local
logon or network share [type 3 logon]. The link below will explain this much
more and give you a better understanding of the auditing process. --- Steve
http://www.microsoft.com/technet/security/guidance/secmod144.mspx
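As an added illustration of the kind of detective work Steve describes (this is example code, not from his post and not from Event Comb, Languard or any Microsoft tool), the script below runs a few simple checks over Security log records: bursts of failed logons per account (the same pattern an account lockout policy trips on), successful logons by privileged accounts outside business hours, and computer accounts that are not in your inventory. The CSV layout, the account names, the timestamps and the "business hours" window are all constructed assumptions; the event IDs used are the Windows 2000/2003 ones (528 successful logon, 529 failed logon, 540 successful network logon).

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample rows (not real data) in an assumed CSV layout of the kind you get when
# Security log records are exported. Columns: time, NT5 event id, audit type, account,
# source workstation, logon type (3 = network logon, as in Steve's reply).
SAMPLE_EVENTS = """\
time,event_id,type,user,workstation,logon_type
2004-11-08 09:02:11,528,Success Audit,CORP\\jsmith,WS01,2
2004-11-08 09:15:43,540,Success Audit,CORP\\jsmith,WS01,3
2004-11-08 11:20:05,529,Failure Audit,CORP\\jsmith,WS01,2
2004-11-08 17:58:02,528,Success Audit,CORP\\Administrator,WS02,2
2004-11-09 02:31:07,529,Failure Audit,CORP\\Administrator,UNKNOWN-PC,3
2004-11-09 02:31:09,529,Failure Audit,CORP\\Administrator,UNKNOWN-PC,3
2004-11-09 02:31:12,529,Failure Audit,CORP\\Administrator,UNKNOWN-PC,3
2004-11-09 02:31:15,529,Failure Audit,CORP\\Administrator,UNKNOWN-PC,3
2004-11-09 02:31:18,529,Failure Audit,CORP\\Administrator,UNKNOWN-PC,3
2004-11-09 02:31:21,529,Failure Audit,CORP\\Administrator,UNKNOWN-PC,3
2004-11-09 02:40:44,540,Success Audit,CORP\\Administrator,UNKNOWN-PC,3
2004-11-09 03:05:10,540,Success Audit,CORP\\UNKNOWN-PC$,UNKNOWN-PC,3
2004-11-09 08:30:00,540,Success Audit,CORP\\WS01$,WS01,3
"""

FAILED_LOGON = 529          # bad user name or password (Windows 2000/2003)
SUCCESS_LOGON = {528, 540}  # interactive and network logons


def parse_events(text):
    """Turn exported rows into dicts with a real datetime and integer event/logon types."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        row["logon_type"] = int(row["logon_type"])
        events.append(row)
    return events


def failed_logons_by_account(events):
    """How many failed logons each account has, across the whole export."""
    return Counter(e["user"] for e in events if e["event_id"] == FAILED_LOGON)


def bursts_of_failures(events, threshold=5, window_minutes=10):
    """Accounts with at least `threshold` failures inside any `window_minutes` span.
    Returns {account: time of the first failure in the burst}."""
    per_account = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == FAILED_LOGON:
            per_account.setdefault(e["user"], []).append(e["time"])
    flagged = {}
    for user, times in per_account.items():
        start = 0
        for end in range(len(times)):
            # slide the window start forward until the span fits in window_minutes
            while (times[end] - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = times[start]
                break
    return flagged


def off_hours_admin_logons(events, admin_accounts, work_start=7, work_end=19):
    """Successful logons by privileged accounts outside the assumed business hours."""
    return [e for e in events
            if e["event_id"] in SUCCESS_LOGON
            and e["user"] in admin_accounts
            and not (work_start <= e["time"].hour < work_end)]


def unknown_computer_accounts(events, known_computers):
    """Computer accounts (names ending in $) that are not in your inventory."""
    return sorted({e["user"] for e in events
                   if e["user"].endswith("$") and e["user"] not in known_computers})


def report(text, admin_accounts, known_computers):
    events = parse_events(text)
    return {
        "failures": failed_logons_by_account(events),
        "bursts": bursts_of_failures(events),
        "off_hours_admin": off_hours_admin_logons(events, admin_accounts),
        "unknown_computers": unknown_computer_accounts(events, known_computers),
    }


if __name__ == "__main__":
    result = report(SAMPLE_EVENTS, {"CORP\\Administrator"}, {"CORP\\WS01$", "CORP\\WS02$"})
    for key, value in result.items():
        print(key, value)
```

On the constructed sample this flags six Administrator failures from UNKNOWN-PC in a 14-second window, followed by a successful type 3 logon from the same machine at 02:40 and a network logon from a computer account that is not in the inventory; that is exactly the sequence of events worth correlating against the firewall logs by time.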
Nick said:
Hi
We have been having trouble with being hacked into twice now and I'm after
some software that can analyze security event logs. I am auditing
account logon events
logon events
policy change
The logs are so long and you have to go into each log to view who it was
that logged on etc. I'm looking for some software that can analyze it and
display it in an easy-to-view format.
Also, one other query I have is what's the difference between account logon
and logon events.
Thanks