Trilight Zone Forum Index Trilight Zone
Privacy & Anonymity is our speciality !
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Gaps in Security Log

 
Post new topic   Reply to topic    Trilight Zone Forum Index -> Networking
Author Message
digital8
Second Lieutenant


Joined: 29 Sep 2005
Posts: 1002

PostPosted: Sat Oct 01, 2005 7:37 am    Post subject: Gaps in Security Log Reply with quote
You found a gap of several hours in your Security log, what does it mean?
You're reviewing the Security log on a Windows server and notice a 12 hour gap where there were no events logged. Could someone have hacked your server and tried to erase their tracks? Or was it simply a glitch of some kind, or a botched cover up of improper actions by another admin?

Start by looking at the events right at the end of the gap. Event 512 indicates that the server is booting up, so it may simply be that the server was down for 12 hours. Event 612 incidates that the audit policy on the machine was changed, usually by a GPO, so check and make sure that another admin hasn't done something they shouldn't have.

You might think that Windows Security logs are totally secure, but there's actually a free tool called WinZapper that let's someone with admin access erase any events they want to from the Security Log. One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running.
Back to top
Display posts from previous:   
Post new topic   Reply to topic    Trilight Zone Forum Index -> Networking All times are GMT
Page 1 of 1

 


Powered by phpBB © 2001, 2005 phpBB Group