Channel: Event Log Management
Browsing all 11 articles

Audit Account Logon vs Audit Logon/Logoff

Over the past several years I’ve been explaining the difference between these two audit policies.  One is for logon/logoff events; the other (Account Logon) is for authentication events.  In the past few...


Directory Services Auditing

I’ve been asked by a customer to take a look at their level of Directory Services Auditing.  I’m not able to share their screen shots but can scrub an email that I sent to them and post it here. When...


Tracking RDP Logons

Earlier this week a customer asked me the following question: We came across a scenario where one of our sessions that we need to track events on, recorded only 683 events (rdp logoff) but zero 682...


New Website: Security Scoreboard

For those of us who are on a constant lookout for security tools a new website has been started, Security Scoreboard. From the About page Security Scoreboard was launched in 2010 for CISOs, CIOs, IT...


Inside and Outside Hack Attempts

Over the last several years I have conducted quite a few webinars with Randy F. Smith on a variety of topics that relate to Windows Audit Policies and Log Management.  Two of these truly drive home the...


Webinar and Training Video links

A few days ago I was asked by a customer if I had links to all of the webinars and training videos that I put together or been a part of.  So I have started to put together that list.  The first group...


Event Triggers

I have been asked this question several times so I thought it would be a good time to answer it via a blog post for everyone to use. “How can I set the Windows Event Viewer to trigger when a certain...


Logging, Logging

Here lately we’ve been hearing a lot about Stuxnet and Duqu.  Well this week is no different, but there is some insight into how one of these could have been slowed down if not prevented.  In an...


Do you need to track who/where/when for activities done against the OU’s in...

With Windows 2003 those were difficult questions to answer, we could get some very basic information from Directory Services Auditing; but it was limited and you had to read through several cryptic...


Tracking down ZeroAccess botnet

Normally I focus on the Windows Event Log, but today I’m going to stray into the world of firewall logs.  Over the last several months I’ve been helping customers with Proof of Concepts for LogRhythm...


Detecting A Possible Reverse RDP Attack

It’s been awhile since my last post; well more than a little while. Our friends at CheckPoint wrote an article on Feb 5, 2019 about a Reverse RDP Attack,...
