Win2K logs event ID 517 (audit log was cleared) whenever someone clears the Security log. Because the OS writes this event to the newly emptied log rather than to the old one, a Security log whose first entry is a 517 tells you that everything recorded before that moment is gone. The event also records which account performed the clearing, so event ID 517 can reveal intruders who tried to cover their tracks.
Win2K logs several other events at system startup. The OS logs one occurrence of event ID 515 (trusted logon process has registered with the LSA) for each logon process that starts. (Logon processes, such as Winlogon, are the components of the Win2K security subsystem that submit logon requests to the LSA.) Win2K also logs one occurrence of event ID 514 (authentication package has been loaded by the LSA) for each authentication package that the OS loads. (Authentication packages implement the authentication protocols the LSA supports, such as Kerberos, NT LAN Manager (NTLM), and Secure Sockets Layer (SSL).) Finally, the OS logs one occurrence of event ID 518 (the SAM has loaded a notification package) for each notification package that Win2K loads; the standard notification packages are scecli, kdcsvc, and rassfm. (Notification packages are special DLLs, listed in the Notification Packages value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, that you can develop and install to synchronize passwords with other systems or to enforce custom password rules. Because the SAM hands each notification package the new password in cleartext whenever a password changes, attackers can install one to steal passwords. Question any nonstandard notification package that appears in an event ID 518; it could be a Trojan horse.)
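The following script is an added example, not part of Randy's article, that shows how you might triage the startup events just described once you have exported the Security log to text. It assumes records arrive as chronologically ordered dictionaries with time, event_id, user, and message fields, and that the export preserves the event description text (the "Logon Process Name:" and "Package Name:" labels are modeled on the Win2K descriptions). The sample records, including the nonstandard package "pwdhook", are constructed for illustration.

```python
"""Triage Win2K Security log startup events 514, 515, 517 and 518 from a text export."""
import re

# Notification packages the article names as standard on Win2K. Anything else
# receives cleartext passwords on every change and deserves a second look.
STANDARD_NOTIFICATION_PACKAGES = {"scecli", "kdcsvc", "rassfm"}

# Field labels modeled on the Win2K event descriptions (assumption: the export
# keeps the description text intact).
PACKAGE_NAME_RE = re.compile(r"Package Name:\s*(\S+)", re.IGNORECASE)
LOGON_PROCESS_RE = re.compile(r"Logon Process Name:\s*(\S+)", re.IGNORECASE)


def triage_startup_events(records):
    """Summarize startup-related events and flag what an intruder might leave behind.

    records: chronologically ordered dicts with keys time, event_id, user, message.
    Returns a dict of lists so callers can assert on the result.
    """
    report = {
        "log_cleared_by": [],                 # (time, user) for each event 517
        "events_before_first_clear": None,    # how much history survived the clear
        "logon_processes": [],                # from event 515
        "auth_packages": [],                  # from event 514
        "notification_packages": [],          # from event 518
        "suspicious_notification_packages": [],
    }
    for index, rec in enumerate(records):
        eid, msg = rec["event_id"], rec["message"]
        if eid == 517:
            report["log_cleared_by"].append((rec["time"], rec["user"]))
            # 517 is written to the new log, so every record before it is gone;
            # a log that opens with 517 (index 0) has lost all of its history.
            if report["events_before_first_clear"] is None:
                report["events_before_first_clear"] = index
        elif eid == 515:
            m = LOGON_PROCESS_RE.search(msg)
            if m:
                report["logon_processes"].append(m.group(1))
        elif eid == 514:
            m = PACKAGE_NAME_RE.search(msg)
            if m:
                report["auth_packages"].append(m.group(1))
        elif eid == 518:
            m = PACKAGE_NAME_RE.search(msg)
            if m:
                name = m.group(1)
                report["notification_packages"].append(name)
                # Compare against the baseline; a name not in the standard set
                # is exactly the case the article says to question.
                if name.lower() not in STANDARD_NOTIFICATION_PACKAGES:
                    report["suspicious_notification_packages"].append(name)
    return report


# Constructed sample export: the log was cleared by an administrative account,
# then the normal startup sequence ran, plus one nonstandard notification
# package named "pwdhook" (a hypothetical name for this example).
SAMPLE_RECORDS = [
    {"time": "2001-06-01 08:00:02", "event_id": 517, "user": "CORP\\jdoe",
     "message": "The audit log was cleared."},
    {"time": "2001-06-01 08:00:41", "event_id": 515, "user": "SYSTEM",
     "message": "A trusted logon process has registered with the Local Security "
                "Authority. Logon Process Name: Winlogon"},
    {"time": "2001-06-01 08:00:41", "event_id": 514, "user": "SYSTEM",
     "message": "An authentication package has been loaded by the Local Security "
                "Authority. Authentication Package Name: Kerberos"},
    {"time": "2001-06-01 08:00:42", "event_id": 518, "user": "SYSTEM",
     "message": "A notification package has been loaded by the Security Account "
                "Manager. Notification Package Name: scecli"},
    {"time": "2001-06-01 08:00:42", "event_id": 518, "user": "SYSTEM",
     "message": "A notification package has been loaded by the Security Account "
                "Manager. Notification Package Name: kdcsvc"},
    {"time": "2001-06-01 08:00:42", "event_id": 518, "user": "SYSTEM",
     "message": "A notification package has been loaded by the Security Account "
                "Manager. Notification Package Name: rassfm"},
    {"time": "2001-06-01 08:00:43", "event_id": 518, "user": "SYSTEM",
     "message": "A notification package has been loaded by the Security Account "
                "Manager. Notification Package Name: pwdhook"},
]

if __name__ == "__main__":
    for key, value in triage_startup_events(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Run against the sample, the report shows the clear was the very first surviving record (nothing before it), names CORP\jdoe as the account that cleared the log, and flags pwdhook as the one notification package outside the standard set. On a live system, compare the flagged names against the Notification Packages registry value before deciding whether the DLL is legitimate.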
A Well-Rounded Arsenal
Win2K provides an impressive array of auditing facilities, including several enhancements over NT auditing. However, Win2K auditing also includes some significant bugs, and Win2K's Group Policy application process means that you can't always identify who changed a policy because administrators no longer make policy changes directly. If complete and accurate auditing is important to you, let Microsoft know that it needs to fix these bugs and that Win2K needs more granular auditing of policy changes that occur through GPOs.
Related Articles in Previous Issues
This article is the fifth in Randy Franklin Smith's series about the Windows 2000 Security log. You can find similar information about the Windows NT Security log in Randy's previous series. You can read these articles online at http://www.win2000mag.com.
WIN2K SECURITY LOG ARTICLES
"Keeping Tabs on Object Access," June 2001, InstantDoc ID 20563
"Mining the Win2K Security Log," April 2001, InstantDoc ID 20052
"Audit Account Logon Events," March 2001, InstantDoc ID 19677
"Tracking Logon and Logoff Activity in Win2K," February 2001, InstantDoc ID 16430
NT SECURITY LOG ARTICLES
"Archiving and Analyzing the NT Security Log," August 2000, InstantDoc ID 9043
"Protecting the NT Security Log," July 2000, InstantDoc ID 8785
"Monitoring Privileges and Administrators in the NT Security Log," June 2000, InstantDoc ID 8696
"Interpreting the NT Security Log," April 2000, InstantDoc ID 8288
"Introducing the NT Security Log," March 2000, InstantDoc ID 8056