Forum

Ultimate Windows Security Forum » Windows Security Settings » Security Event Log - 2008 - Increased Events

Security Event Log - 2008 - Increased Events

Rate Topic

Display Mode

Topic Options

Author

Message

jcochran

Posted 8/3/2011 2:27:12 PM

Forum Newbie

Group: Forum Members
Last Login: 2/21/2012 12:17:07 PM
Posts: 5, Visits: 5

I've noticed a massive increase of security events on 2008 R2 DC's compared to 2003. Can anyone shed any light on the new events, the volume of them, etc.?

Post #777

RandyFranklinSmith

Posted 8/9/2011 4:02:12 PM

Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0

yes, 2008 added a number of new subcategories with new events. in particular firewall related events account for the great increase in events. you really need to start configuring audit policy at the subcategory level and disable all unneded subcategories. here are some links to help you http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008

Post #780

jcochran

Posted 8/9/2011 4:11:41 PM

Forum Newbie

Group: Forum Members
Last Login: 2/21/2012 12:17:07 PM
Posts: 5, Visits: 5

I don't have any of the new audit categories currently enabled. Are there new sub categories to the 2003 categories?

What categorie do the firewall events go under?

Post #781

RandyFranklinSmith

Posted 8/10/2011 9:33:30 AM

Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0

I'm pretty sure you do have them enabled. There is loads of confusion over this. Make sure you read and understand these 2 posts.

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/OVERVIEW-Audit-Policy

http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Audit-Force-audit-policy-subcategory-settings-Windows-Vista-or-later-to-override-audit-policy-category

Post #784

jcochran

Posted 8/10/2011 6:31:25 PM

Forum Newbie

Group: Forum Members
Last Login: 2/21/2012 12:17:07 PM
Posts: 5, Visits: 5

Now I understand. I don't have any of the new audit categories turned on, but I do have most of the existing 2003 audit categories turned on, and from what I understand, new sub categories were added to those categories. Thank you!

Post #785

RandyFranklinSmith

Posted 8/15/2011 10:26:02 AM

Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326, Visits: 0

Exactly!

Post #788

jcochran

Posted 2/7/2012 2:41:58 PM

Forum Newbie

Group: Forum Members
Last Login: 2/21/2012 12:17:07 PM
Posts: 5, Visits: 5

Is there a way to get a list of all of the categories and subcategories from a 2003 server?

On 2008 R2 I ran, auditpol /get /category:*

That worked nicely. However, that command does not work with the version of auditpol on 2003.

I would LOVE to pull them all into a spreadsheet and compare them. I cannot seem to find any documentation of what subcategories specifically were added.

Obviously my objective is to filter as much noise as I can before I collect and archive my security event logs.

Thanks,

Jim

Post #909

whsmith

Posted 2/20/2012 5:46:10 PM

Security Log Nerd

Group: Administrators
Last Login: 4/16/2009 1:11:51 PM
Posts: 49, Visits: 0

There are no sub categories in Server 2003. The following 9 categories is from our book Windows 2003 Security Log Revealed:

Audit account logon events

Audit account management

Audit directory service access

Audit logon events

Audit object access

Audit policy change

Audit privilege use

Audit process tracking

Audit system events

Post #932

jcochran

Posted 2/21/2012 12:17:32 PM

Forum Newbie

Group: Forum Members
Last Login: 2/21/2012 12:17:07 PM
Posts: 5, Visits: 5

Thank you for the clarification!

Post #937

« Prev Topic | Next Topic »

Permissions

All times are GMT -5:00, Time now is 9:41am

Upcoming Webinars

AD Audits: Top 7 Questions to Answer When Auditors Look at Account Management and Access Control in Active Directory

Additional Resources

Home

Forum

User name:
Password:
	/ Forgot?
	Register

Home

About | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.