Forum

Ultimate Windows Security Forum » Windows Security Settings » What are the most relevant windows events to...

What are the most relevant windows events to...

Rate Topic

Display Mode

Topic Options

Author

Message

carlos.alcocer

Posted 10/24/2013 5:47:05 PM

Forum Newbie

Group: Forum Members
Last Login: 10/24/2013 11:50:57 AM
Posts: 2, Visits: 0

Hi all,

We have a list of suspicious users and we want to monitor these users within the AD servers and workstations.

You want to monitor the actions taken by these these users such as:

- Changing audit policy

- Access to objects

- Installation / uninstall service

- Access / modification of files

Regards,

Post #1268

derekthomas

Posted 11/18/2013 9:50:12 PM

Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0

Event ID 4719 will tell you when a system audit policy was changed. Event ID 4663 will tell you if permissions were actually exercised on an object. Object access monitoring has to be turned on. Event ID 4697 will identify who (often System) installed the service.

Post #1291

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 10:52pm

Upcoming Webinars

Threat Hunting: Real Intrusions by State-Sponsored and eCrime Groups

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.