Logging and auditing

Nine security event categories can be configured to generate audit events:

  • Account logon events – Generates "success" or "failure" events whenever a domain controller receives a logon request.
  • Account management – Generates "success" or "failure" events whenever a user account or group is created, renamed, changed or deleted. (Including when passwords are changed, and when user accounts are enabled or disabled.)
  • Directory Service Access – Generates "success" or "failure" events whenever an Active Directory object is accessed or changed. (Also generates events in another event log on Windows 2000 domain controllers.)
  • Logon events – Generates "success" or "failure" events whenever a user logs on to or off from the system. (Includes when a user connects to or disconnects from a system, from either an interactive or a network logon.)
  • Object access – Generates "success" or "failure" events whenever a user-specified object (a file, directory, registry key or printer) is accessed or changed.
  • Policy Change – Generates "success" or "failure" events whenever a user makes high-level changes to the security policies. (This includes anything from changing user rights and privileges to changing the audit policies themselves.)
  • Privilege Use – Generates "success" or "failure" events whenever a user makes use of certain administrative privileges (which you may have assigned to that user).
  • Process Tracking – Generates "success" or "failure" events whenever a process is launched, a handle to an object is duplicated, objects are accessed indirectly, or a process exits.
  • System Events – Generates "success" or "failure" events whenever an event affecting the entire system occurs. (E.g. system shutdown or restart, or the security log becoming full.)
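To check which of these nine categories a host is actually auditing, here is an added example (not from this page) that parses the CSV report produced by `auditpol /get /category:* /r` and flags every subcategory that is not auditing both success and failure. The subcategory-to-category mapping is a partial one assumed for the example, and the sample report is constructed, with placeholder GUIDs.

```python
import csv
import io

# Partial mapping of well-known auditpol subcategory names to the nine
# legacy categories above (assumption of this example, not from the page).
LEGACY_CATEGORY = {
    "Credential Validation": "Account logon events",
    "User Account Management": "Account management",
    "Directory Service Access": "Directory Service Access",
    "Logon": "Logon events",
    "Logoff": "Logon events",
    "File System": "Object access",
    "Audit Policy Change": "Policy Change",
    "Sensitive Privilege Use": "Privilege Use",
    "Process Creation": "Process Tracking",
    "Security State Change": "System Events",
}

# Constructed sample of `auditpol /get /category:* /r` output; the column
# layout is what the /r switch emits, the GUID column holds placeholders.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,{GUID},Success and Failure,
DC01,System,User Account Management,{GUID},Success,
DC01,System,Directory Service Access,{GUID},No Auditing,
DC01,System,Logon,{GUID},Success and Failure,
DC01,System,Logoff,{GUID},Success,
DC01,System,File System,{GUID},No Auditing,
DC01,System,Audit Policy Change,{GUID},Success and Failure,
DC01,System,Sensitive Privilege Use,{GUID},Failure,
DC01,System,Process Creation,{GUID},No Auditing,
DC01,System,Security State Change,{GUID},Success and Failure,
"""

def parse_auditpol_csv(text):
    """Return {subcategory: inclusion setting} from auditpol /r output."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["Subcategory"]: row["Inclusion Setting"].strip() for row in reader}

def audit_gaps(text, required=("Success", "Failure")):
    """Map each legacy category to (subcategory, setting, missing outcomes)
    for every subcategory that does not audit all outcomes in `required`.
    'Success and Failure' covers both; 'No Auditing' covers neither."""
    gaps = {}
    for sub, setting in parse_auditpol_csv(text).items():
        cat = LEGACY_CATEGORY.get(sub)
        if cat is None:
            continue  # subcategory outside the mapping above
        missing = [r for r in required if r not in setting]
        if missing:
            gaps.setdefault(cat, []).append((sub, setting, missing))
    return gaps

if __name__ == "__main__":
    for cat, items in sorted(audit_gaps(SAMPLE_AUDITPOL_CSV).items()):
        for sub, setting, missing in items:
            print(f"{cat}: {sub} is '{setting}', missing {'/'.join(missing)}")
```

On a real host, feed the script the output of `auditpol /get /category:* /r` (run from an elevated prompt) instead of the constructed sample.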

Standard Windows logging is sadly lacking. There is no real-time logging facility, and Windows has no direct way of notifying you of errors. Logs are also spread across systems, with no simple way to manage them centrally. Fortunately there are add-in products that can help. See: GFI Languard.