Mastering Windows Network Forensics and Investigation Chapter 14: Other Audit Events.

Chapter Topics:
- Logging of modifications to groups, accounts and policies
- Object access logs

Changes to Accounts (Win XP)
- Event ID 624 records account creation
- Event ID 642 records changes to existing accounts
- Event ID 626 shows accounts being activated

Changes to Accounts (Win Vista +)
- Event ID 4720 records account creation
- Event ID 4738 records changes to existing accounts
- Event ID 4722 shows accounts being activated

Changes to Accounts (Win XP)
- New Account Name is the account being modified
- Caller User Name is the account causing the action

Changes to Accounts (Win Vista +)
- New Account: Account Name is the account being modified
- Subject: Security ID is the account causing the action

Changes to Accounts
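Added example (not from the book or the slides): a small Python normaliser that maps the two field layouts described above, XP's flat "New Account Name" / "Caller User Name" and Vista+'s "New Account: Account Name" / "Subject: Security ID", onto one record so that events from mixed-version hosts can be placed on a single per-actor timeline. It assumes the events have already been exported to dictionaries keyed by the displayed field names; the sample records are constructed, and the "Target Account" section heading accepted for 4738/4722 is an assumption about how those IDs label the target.

```python
from collections import defaultdict
from dataclasses import dataclass

# Event ID equivalents listed on the slides (XP id and Vista+ id), keyed by id.
ACCOUNT_ACTIONS = {
    624: "created", 4720: "created",
    642: "changed", 4738: "changed",
    626: "enabled", 4722: "enabled",
}

@dataclass(frozen=True)
class AccountChange:
    time: str
    action: str
    target: str  # account being modified
    actor: str   # account that caused the action

def normalize(event: dict) -> AccountChange:
    """Map either field layout to one record; rejects non-account-change IDs."""
    eid = event["EventID"]
    if eid not in ACCOUNT_ACTIONS:
        raise ValueError(f"not an account-change event: {eid}")
    if eid < 1000:
        # Pre-Vista IDs are three digits and use flat field names.
        target, actor = event["New Account Name"], event["Caller User Name"]
    else:
        # Vista+ groups fields under section headings; the target section is
        # "New Account" for 4720 and (assumption) "Target Account" for 4738/4722.
        section = event.get("New Account") or event["Target Account"]
        target, actor = section["Account Name"], event["Subject"]["Security ID"]
    return AccountChange(event["Time"], ACCOUNT_ACTIONS[eid], target, actor)

def timeline_by_actor(events) -> dict:
    """Group normalised changes by the actor that caused them, oldest first."""
    out = defaultdict(list)
    for rec in sorted((normalize(e) for e in events), key=lambda r: r.time):
        out[rec.actor].append((rec.time, rec.action, rec.target))
    return dict(out)

# Constructed sample: an XP host and a Vista+ host each log a creation and a follow-up.
SAMPLE_EVENTS = [
    {"EventID": 624, "Time": "2016-07-19T09:01:00",
     "New Account Name": "svc_backup", "Caller User Name": "jdoe"},
    {"EventID": 626, "Time": "2016-07-19T09:01:05",
     "New Account Name": "svc_backup", "Caller User Name": "jdoe"},
    {"EventID": 4720, "Time": "2016-07-19T09:30:00",
     "New Account": {"Account Name": "helpdesk2"},
     "Subject": {"Security ID": "S-1-5-21-1-2-3-1104"}},
    {"EventID": 4738, "Time": "2016-07-19T09:31:00",
     "Target Account": {"Account Name": "helpdesk2"},
     "Subject": {"Security ID": "S-1-5-21-1-2-3-1104"}},
]
```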

Changes to Groups
- Changes to group membership are a common way for an attacker to raise their privilege level
- Each change is logged with an Event ID that depends on the type of group changed and on whether a member was added or removed

Changes to Groups

| Vista + Event ID | Win XP/2003 Event ID | Action Indicated |
|---|---|---|
| | | Member added to global security group |
| | | Member removed from global security group |
| | | Member added to local security group |
| | | Member removed from local security group |
| | | Member added to local distribution group |
| | | Member removed from local distribution group |
| 4751 | | Member added to global distribution group |
| | | Member removed from global distribution group |
| | | Member added to universal security group |
| | | Member removed from universal security group |
| N/A | 665 | Member added to universal distribution group |
| | | Member removed from universal distribution group |

(Event IDs for the remaining rows were not preserved in the transcript.)

Changes to Groups (Win XP)
- The account that is impacted (added to or removed from a group) is called the Member ID
- The group that is changed is called the Target Account Name
- The account that initiated the change is called the Caller User Name

Changes to Groups (Win Vista +)
- The account that is impacted (added to or removed from a group) is called the Member: Security ID
- Group is the group that is changed
- The account that initiated the change is called the Account Name

Changes to Groups

Changes to Audit Policy Event ID 612 shows the end result of a change in audit policy

Changes to Audit Policy Event ID 4719 shows the end result of a change in audit policy

Object Access
- Objects include files, folders, printers, etc.
- Auditing must be configured for each object
- The object handle can be used to correlate related events in the event log

Object Access (Win XP)
- Event ID 560 records opening of handles
- Event ID 562 records closing of handles
- Event ID 567 shows which access permissions were actually used

Object Access (Win Vista +)
- Event ID 4656 records opening of handles
- Event ID 4658 records closing of handles
- Event ID 4657 shows which access permissions were actually used

Object Access
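Added example (not from the book or the slides) of the handle correlation described above, in Python: the handle-close event carries only the Handle ID and Process ID, not the object name, so each close is paired with the most recent still-open handle with the same ID, which also copes with handle IDs being reused after a close. The field names ("Handle ID", "Process ID", "Object Name", "Subject") and the sample records are constructed assumptions modelled on the Vista+ 4656/4658 layout; the XP 560/562 IDs are accepted as well.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

OPEN_IDS = {560, 4656}   # handle to an object opened (XP, Vista+)
CLOSE_IDS = {562, 4658}  # handle closed

@dataclass
class HandleSession:
    handle_id: str
    process_id: str
    object_name: str
    subject: str
    opened: datetime
    closed: Optional[datetime] = None  # None: still open at the end of the log slice

    def duration_s(self) -> Optional[float]:
        return None if self.closed is None else (self.closed - self.opened).total_seconds()

def correlate_handles(events):
    """Return (sessions in open order, close events that matched no open).
    Handle IDs are reused once freed, so a close is matched to the most recent
    still-open session with the same Handle ID and Process ID, never an older one."""
    awaiting_close = {}  # (handle id, process id) -> HandleSession not yet closed
    sessions, orphan_closes = [], []
    for ev in sorted(events, key=lambda e: e["Time"]):
        key = (ev["Handle ID"], ev["Process ID"])
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] in OPEN_IDS:
            sess = HandleSession(*key, ev["Object Name"], ev["Subject"], when)
            sessions.append(sess)
            awaiting_close[key] = sess
        elif ev["EventID"] in CLOSE_IDS:
            sess = awaiting_close.pop(key, None)
            if sess is None:
                orphan_closes.append(ev)  # opened before this slice, or open not audited
            else:
                sess.closed = when
    return sessions, orphan_closes

# Constructed sample: handle 0x1a4 is opened on one file, closed, then reused for another;
# the final close refers to a handle whose open is not in this slice.
SAMPLE_EVENTS = [
    {"EventID": 4656, "Time": "2016-07-19T10:00:00", "Handle ID": "0x1a4",
     "Process ID": "0x7c8", "Object Name": "C:\\Payroll\\q2.xlsx", "Subject": "jdoe"},
    {"EventID": 4658, "Time": "2016-07-19T10:00:12", "Handle ID": "0x1a4", "Process ID": "0x7c8"},
    {"EventID": 4656, "Time": "2016-07-19T10:01:00", "Handle ID": "0x1a4",
     "Process ID": "0x7c8", "Object Name": "C:\\Payroll\\q3.xlsx", "Subject": "jdoe"},
    {"EventID": 4658, "Time": "2016-07-19T10:01:30", "Handle ID": "0x1a4", "Process ID": "0x7c8"},
    {"EventID": 4658, "Time": "2016-07-19T10:02:00", "Handle ID": "0x2b0", "Process ID": "0x7c8"},
]
```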