security log anomolies

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

For the last couple of days I have noticed something strange about my
security log for w2k workgroup workstation. Yesterday (10 Feb) my security
logs only had entries up to 7 Feb. I have since looked today and i only have
entries up to 10:29 am. It is now 3:02 pm. I have connected to other pc's
and there are pc's connected to this one but they do not appear logged as
logon/logoff events. The other pc's have logged events to this pc. Auditing
of security events is enabled. All of the pc's have up to date virus
protection.

I can not find any odd processes working. There are four instances of
svchost.exe, 1 of lsass.exe , 1 of services.exe etc. Some virus' sometimes
masquarade under these names but how anybody would know when is a mystery to
me. There are lots of instances of annonymous connections in the security
log. How do I go about finding out what they are all about? I have IPtools
and have had it running over night logging connections but the only
connection appears to be to Windows Update.

Am I just being paronoid? This is not my day job. I am just the guy who has
to keep the works computers running as an addition to my day job. There is
no budget. Any advice would be greatly appreciated, even if it is to tell me
to get an expert in. At least I can then approach my bosses on this.

Cheers

Mark
 
As far as the security log, try clearing it and then make the log quite a
bit larger than default - say to 5MB for your situation in the properties of
the security log. Note while in properties the different behaviors for how
the log works when it becomes full which could explain the results you are
seeing if it was indeed full. I usually set it to overwrite events as needed
after increasing the size of the log.

Anonymous logons are normal for computers that use Windows networking,
particularly for file and print sharing and using Network Neighborhood. In a
workgroup environment these anonymous logons can be fairly numerous. I would
be more concerned about a lot of failed logon or failed account logon
events, particularly in rapid succession for the administrator account or
fir unexplained logons for the administrator's account. Be sure to use a
firewall if you are connected to the internet.

You can find out more about processes by using a free tool from SysInternals
called Process Explorer. When you see svchost or lsass check the properties
of the process and view the services tab for associated services. Tlist -s
for Windows 2000 or tasklist /svc for XP Pro/Windows 2003 can also be used
to enumerate services associated with a process. Tlist may not be installed
by default in Windows 2000 and could be a support tool or Resource Kit tool.
SysInternals also has other helpful tools such as TCPView to see port to
process mapping and Autoruns to see startup applications. The link below
should also be helpful on small office security. --- Steve

http://www.microsoft.com/smallbusiness/gtm/securityguidance/checklist/default.mspx
 
Thanks for your reply Steve. I believe that I have auditing set up to over
write the logs after 7 days. I do not actually remember setting this up so it
may be the default setting. I will have a look and try what you have
suggested. I will have a look for those tools mentioned.

cheers

Regards Mark
 
OK. I think if you increase the size of the log and set it to override as
needed you will probably see the problem go away. --- Steve
 
Cheers Steve

I have set a bigger log size as suggested and the log is now filling up again.

Regards Mark
 
Steve

Guess what? The Event log has stopped logging again!! The log spanned
yesterday (16 Feb 05) 9:00 to 16:08. Any ideas?

Regards Mark
 
Geez. I would clear it again to see what happens. Hard to believe it would
fill up that fast. You could check the size of the security .evt file to see
how large it is. I don't know how large you made it but you may want to
increase it to 10MB or more and configure to overwrite events as needed.
However if you are auditing object access and/or process tracking for
success the logs can fill up very quickly. Generally you should not be
auditing those categories unless you have a specific reason such as enabling
auditing of object access because you are auditing folders for access which
would show a loy of Event ID's for 560 and 562. --- Steve
 
Hi Steve

I have increased log to 10MB and cleared the log. Object access was set up
for logging success and failure, I have switched this off. Generally all of
the items in the log referenced logon/logoff success mostly to annonymous
connections. Is it best that I switch off success logging?

I have the following items logging success/failure:
account logon events
account management
logon events
policy change
system events

Should I prune this down? Can you please let me know what the "Effective
Settings" relates to. I do not know how these settings can be modified.

Thanks again Steve

Regards Mark
 
What you show below looks good in my opinion. It's just that auditing of
object access in particular can generate a huge amount of events especially
if you are trying to audit a lot of folders for all permissions. I see you
have both account logon and logon events enabled for success and failure. If
this is a domain controller, auditing of account logons would be most
pertinent to track domain activity. However it is not a bad idea to also
audit for logon events for at least failure on domain controllers. Effective
settings in Local Security Policy is what the actual applied policy is to a
computer. For domain computers, local and effective policy may be different
indicating that their is a domain/OU/domain controller container policy
overriding Local Security Policy. You will see that a lot on domain
controllers in particular as Domain Controller Security Policy will override
Local Security Policy for domain controllers [assuming they are in the
default domain controller container] and is where you want to configure
security policy for domain controllers. If you have too many events recorded
in the security log it makes it difficult to find anything meaningful. More
information is not always desirable. --- Steve
 
Steve

Thanks again for all your help.

Regards Mark

Steven L Umbach said:
What you show below looks good in my opinion. It's just that auditing of
object access in particular can generate a huge amount of events especially
if you are trying to audit a lot of folders for all permissions. I see you
have both account logon and logon events enabled for success and failure. If
this is a domain controller, auditing of account logons would be most
pertinent to track domain activity. However it is not a bad idea to also
audit for logon events for at least failure on domain controllers. Effective
settings in Local Security Policy is what the actual applied policy is to a
computer. For domain computers, local and effective policy may be different
indicating that their is a domain/OU/domain controller container policy
overriding Local Security Policy. You will see that a lot on domain
controllers in particular as Domain Controller Security Policy will override
Local Security Policy for domain controllers [assuming they are in the
default domain controller container] and is where you want to configure
security policy for domain controllers. If you have too many events recorded
in the security log it makes it difficult to find anything meaningful. More
information is not always desirable. --- Steve


Mark Stonestreet said:
Hi Steve

I have increased log to 10MB and cleared the log. Object access was set up
for logging success and failure, I have switched this off. Generally all
of
the items in the log referenced logon/logoff success mostly to annonymous
connections. Is it best that I switch off success logging?

I have the following items logging success/failure:
account logon events
account management
logon events
policy change
system events

Should I prune this down? Can you please let me know what the "Effective
Settings" relates to. I do not know how these settings can be modified.

Thanks again Steve

Regards Mark
Click to expand...
Click to expand...
 
No problem. I hope it works well now. --- Steve


Mark Stonestreet said:
Steve

Thanks again for all your help.

Regards Mark

Steven L Umbach said:
What you show below looks good in my opinion. It's just that auditing of
object access in particular can generate a huge amount of events
especially
if you are trying to audit a lot of folders for all permissions. I see
you
have both account logon and logon events enabled for success and failure.
If
this is a domain controller, auditing of account logons would be most
pertinent to track domain activity. However it is not a bad idea to also
audit for logon events for at least failure on domain controllers.
Effective
settings in Local Security Policy is what the actual applied policy is to
a
computer. For domain computers, local and effective policy may be
different
indicating that their is a domain/OU/domain controller container policy
overriding Local Security Policy. You will see that a lot on domain
controllers in particular as Domain Controller Security Policy will
override
Local Security Policy for domain controllers [assuming they are in the
default domain controller container] and is where you want to configure
security policy for domain controllers. If you have too many events
recorded
in the security log it makes it difficult to find anything meaningful.
More
information is not always desirable. --- Steve


Mark Stonestreet said:
Hi Steve

I have increased log to 10MB and cleared the log. Object access was set
up
for logging success and failure, I have switched this off. Generally
all
of
the items in the log referenced logon/logoff success mostly to
annonymous
connections. Is it best that I switch off success logging?

I have the following items logging success/failure:
account logon events
account management
logon events
policy change
system events

Should I prune this down? Can you please let me know what the
"Effective
Settings" relates to. I do not know how these settings can be
modified.

Thanks again Steve

Regards Mark

:

Geez. I would clear it again to see what happens. Hard to believe it
would
fill up that fast. You could check the size of the security .evt file
to
see
how large it is. I don't know how large you made it but you may want
to
increase it to 10MB or more and configure to overwrite events as
needed.
However if you are auditing object access and/or process tracking for
success the logs can fill up very quickly. Generally you should not be
auditing those categories unless you have a specific reason such as
enabling
auditing of object access because you are auditing folders for access
which
would show a loy of Event ID's for 560 and 562. --- Steve


in
message Steve

Guess what? The Event log has stopped logging again!! The log
spanned
yesterday (16 Feb 05) 9:00 to 16:08. Any ideas?

Regards Mark

:

OK. I think if you increase the size of the log and set it to
override
as
needed you will probably see the problem go away. --- Steve

"Mark Stonestreet" <[email protected]>
wrote
in
message Thanks for your reply Steve. I believe that I have auditing set
up
to
over
write the logs after 7 days. I do not actually remember setting
this
up
so
it
may be the default setting. I will have a look and try what you
have
suggested. I will have a look for those tools mentioned.

cheers

Regards Mark

:

As far as the security log, try clearing it and then make the
log
quite a
bit larger than default - say to 5MB for your situation in the
properties
of
the security log. Note while in properties the different
behaviors
for
how
the log works when it becomes full which could explain the
results
you
are
seeing if it was indeed full. I usually set it to overwrite
events
as
needed
after increasing the size of the log.

Anonymous logons are normal for computers that use Windows
networking,
particularly for file and print sharing and using Network
Neighborhood.
In a
workgroup environment these anonymous logons can be fairly
numerous. I
would
be more concerned about a lot of failed logon or failed account
logon
events, particularly in rapid succession for the administrator
account
or
fir unexplained logons for the administrator's account. Be sure
to
use
a
firewall if you are connected to the internet.

You can find out more about processes by using a free tool from
SysInternals
called Process Explorer. When you see svchost or lsass check the
properties
of the process and view the services tab for associated
services.
Tlist -s
for Windows 2000 or tasklist /svc for XP Pro/Windows 2003 can
also
be
used
to enumerate services associated with a process. Tlist may not
be
installed
by default in Windows 2000 and could be a support tool or
Resource
Kit
tool.
SysInternals also has other helpful tools such as TCPView to see
port
to
process mapping and Autoruns to see startup applications. The
link
below
should also be helpful on small office security. --- Steve

http://www.microsoft.com/smallbusiness/gtm/securityguidance/checklist/default.mspx

"Mark Stonestreet" <[email protected]>
wrote
in
message
For the last couple of days I have noticed something strange
about
my
security log for w2k workgroup workstation. Yesterday (10
Feb)
my
security
logs only had entries up to 7 Feb. I have since looked today
and
i
only
have
entries up to 10:29 am. It is now 3:02 pm. I have connected
to
other
pc's
and there are pc's connected to this one but they do not
appear
logged
as
logon/logoff events. The other pc's have logged events to
this
pc.
Auditing
of security events is enabled. All of the pc's have up to date
virus
protection.

I can not find any odd processes working. There are four
instances
of
svchost.exe, 1 of lsass.exe , 1 of services.exe etc. Some
virus'
sometimes
masquarade under these names but how anybody would know when
is a
mystery
to
me. There are lots of instances of annonymous connections in
the
security
log. How do I go about finding out what they are all about? I
have
IPtools
and have had it running over night logging connections but the
only
connection appears to be to Windows Update.

Am I just being paronoid? This is not my day job. I am just
the
guy
who
has
to keep the works computers running as an addition to my day
job.
There
is
no budget. Any advice would be greatly appreciated, even if
it
is
to
tell
me
to get an expert in. At least I can then approach my bosses
on
this.

Cheers

Mark
Click to expand...
Click to expand...
Click to expand...
 
hallo . need some advice . iv been trying to log onto one of my user
accounts (limited ) and before it logs on a message keeps popping up that
reads
'The security log on this system is full ,Log onto administrator acccount
to fix this problem '.??????????????
would appreciate any advice given thank you
 
You need to do one (or all) of the following:
1. Increase the size of the Security log
2. Clear the Security log
3. Set "Overwrite events as needed" (when maximum log size is reached).

You can perform any of these tasks by opening Event Viewer (either from
Administrative Tools) from by right-clicking My Computer, Manage, Event
Viewer. Once you open Event Viewer, select the Security log and access its
Properties (right-click). Here is what I would recommend:

Maximum log size: 4096
Set "Overwrite events as needed"

Of course, if you believe that someone is trying to hack into that computer
you should take care of that problem first.

--
Adrian Grigorof
www.eventid.net


"The security log on this computer is ful"
 
Back
Top