UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / IT Audit / Windows Server

XP 2014 Does our Business Have to go W7 Security Patches

adamsingercs — Sun, 13 Feb 2011 21:51:41 GMT

We run windows xp now, and support for patches is ending in 2014. Is there a way that an enterprise antivirus can protect against os exploits that will come out after 2014?

Also, all of our pcs are behind a DMZ and all have firewalls with only port 80 open. If there is an os exploit in the system can it be attacked through port 80? Does the firewall even matter in the case of an OS exploit? Please let me know, we would have to purchase all new computers to run W7, this is a big deal to our company, thanks for any input.

Security event raw text

DC — Thu, 10 Feb 2011 15:37:28 GMT

Hi,

I'm looking of a way to match entries from the description windows of a security event with what is seen in a log parser for the same event. The reason for this is to setup alerts based on the security event of someone attempting to delete a file. I'm using SCOM to do this and it uses the data that would be in the log parser. The below details the same event , the 1st display is from the description as appears in the actual event log. The other is what is in the log parser.:

A handle to an object was requested.

Subject:

Security ID: QNRL\DaveC

Account Name: DaveC

Account Domain: QNRL

Logon ID: 0x52aef

Object:

Object Server: Security

Object Type: File

Object Name: C:\Windows\System32\dsa.msc

Handle ID: 0x0

Process Information:

Process ID: 0xcd4

Process Name: C:\Windows\System32\consent.exe

Access Request Information:

Transaction ID: {00000000-0000-0000-0000-000000000000}

Accesses: READ_CONTROL

SYNCHRONIZE

ReadData (or ListDirectory)

ReadEA

ReadAttributes

WriteAttributes

Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BU)

SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;BU)

ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;BU)

ReadEA: Granted by D:(A;;0x1200a9;;;BU)

ReadAttributes: Granted by ACE on parent folder D:(A;;0x1200a9;;;BU)

WriteAttributes: Not granted

Access Mask: 0x120189

Privileges Used for Access Check: -

Restricted SID Count: 0

Log Parser:

S-1-5-21-57989841-1677128483-682003330-4426|DaveC|QNRL|0x52aef|Security|File|C:\Windows\System32\dsa.msc|0x0|{00000000-0000-0000-0000-000000000000}|%%1538
%%1541
%%4416
%%4419
%%4423
%%4424
|%%1538: %%1801 D:(A;;0x1200a9;;;BU)
%%1541: %%1801 D:(A;;0x1200a9;;;BU)
%%4416: %%1801 D:(A;;0x1200a9;;;BU)
%%4419: %%1801 D:(A;;0x1200a9;;;BU)
%%4423: %%1811 D:(A;;0x1200a9;;;BU)
%%4424: %%1805
|0x120189|-|0|0xcd4|C:\Windows\System32\consent.exe

Thanks

File and folder access audit

kemmer — Tue, 23 Nov 2010 05:15:53 GMT

I have configured auditing for file and folder access in group policies and I have also configured a SACl for the object User Home Folders. I want only audit File and Folder access by users of an administrator group. But in the security log every access is audited. So the is one MB logging entry for each file access also by a normal user

Can anyone give me an advice how I can configure the SACl that only folder and file access by users with admin rights is logged?

Auditing Folder Permissions - In detail...

security.guy — Thu, 08 Jul 2010 13:36:03 GMT

Hi,

I was wondering if anybody has any pointers on how to do "detailed" folder auditing. I am aware of enable object auditing policies and setting up Change Permission and Take Ownership on the actual folder. I am interested in determining "who" granted/revoked "what" to "whom" and "when".

So if an IT admin grants permission to a folder to a user, I'd like to be able to see the details of that activity in the event log (Windows 2003). I currently see events 560, but this only tells me a DAC was changed... how do I monitor the details of what was changed via the event log and my SIEM?

Thanks!

SOD - practically for Windows administrators

sulovsky — Tue, 23 Jun 2009 10:03:54 GMT

Hi,

During the IT audit I have hit into practical problem asked by auditees - how we can practically organise the segregation of duty in MS Windows environmnet, so that administrators would not have access to top management file server, or i.e. their Exchange mail? Of course, SOD could be applied at least to different roles of admins (MS Exchange v.s. file server admin), but as they often need to be domain admins to do their regular job, I am not sure if chance to take priviledges is not a risk. Of course, turning on audit trail could be a way, but I believe this kind of activity will be under carpet within 6m.

I was also thinking if ILP (Information leak protection) systems could not help them in this risk control?

Thanks for any open ideas,

Jiri

Should security audit policy ever include the Application and System logs?

TomMartin — Tue, 06 Jul 2010 00:48:36 GMT

Hello,
I know this site seems to be focused on the Security logs.. and for good cause. But, I was wondering if it's ever a good idea to monitor some of the other Windows logs, such as, Application and System?
Thanks,
Tom

Audit Start & Stop Event for Windows Server (7035 EventID)

legallf — Fri, 24 Jul 2009 09:03:14 GMT

Hello,

I search how to setup audit on stop and start events for Windows Service for a member server.
Event are generated in system log (7035)

How to easily obtain Event Log activity metrics

ottermaton — Fri, 01 May 2009 17:17:48 GMT

How much log data and/or how many events is a given server creating in a typical day? In a typical week? At its peak moment (Monday morning)?

This question is of particular interest for Domain Controllers, and I don't know the answer. Are there any built-in Windows tools or interfaces for displaying this type of data? Or any simple (and free) third party tools for doing so?