Comments on Black Fist Security: I hate Microsoft Event Logs!

A. Thulin, 2010-03-17 01:03 (-07:00):

(I posted the previous anonymous entries.)

From my understanding, 529 is a failed interactive logon to a computer: the user typically mistyped his password at the standard login screen. (See the 'logon type' field. Logon type 2 is interactive, 3 is network login (file servers), 10 is remote desktop/terminal service, 7 is screensaver unlock -- though not always -- it depends on the screensaver, I think, etc.)

Next question is: local account or domain account? I know it's logged for local accounts -- I see it in my own laptop logs. I suspect it also appears for logins to a domain, but I would like to verify that in some way. This event is logged on the computer where the login screen was shown (I'm fairly certain). If it appears in a server log, with login type 2, I'd say it's a physical console login.

If it does appear for domain logins, the login attempt is preceded by Kerberos-related log entries, such as 672, 673 and perhaps others, as part of domain login.

I agree with you about MS event logs -- you have to collect them from all over the place before you can analyze things well. And then you have to know what system produced the logs: on Windows 2003, the 681 event was dropped, for instance, and replaced with a 680 with type = failure.

The book I mentioned documents a lot of this weirdness.

Haven't looked at 2008 myself yet, but I expect it's the same there.

Anonymous (http://www.blogger.com/profile/10140419541264972382), 2010-03-16 12:18 (-07:00):

@anonymous So a 529 means that the user tried to log on directly to the server I am finding it on (which is a domain controller).

OK, my guess is that these 529 events are misconfigured machines trying to access a share on a domain controller.

Anonymous, 2010-03-16 01:49 (-07:00):

... and 681 is a Windows 2000 event.

Anonymous, 2010-03-16 01:45 (-07:00):

Logs tend to be somewhat platform specific.

I've found 'The Windows Server 2003 Security Log Revealed' by Randy Franklin Smith to be invaluable. Also check his web site 'Ultimate Windows Security', which has much of the same info on-line.

Event 672 is related to Kerberos; it only says that an authentication ticket has been granted (though this is one of the entries that is platform dependent). It typically appears on initial login, and is logged on the domain server.

529 relates to interactive logon. It's logged locally on the client!

Miha (https://www.blogger.com/profile/12530391820802328625), 2010-03-15 23:59 (-07:00):

I just remembered, if you have any recommendations or links as to how auditing should be configured for Domain Controllers I'd greatly appreciate this.

I've just started a new job and nothing but success auditing is enabled on DCs... not really what one would desire.

Miha (https://www.blogger.com/profile/12530391820802328625), 2010-03-15 23:46 (-07:00):

Please let us know how this turns out. I've never really taken the time to investigate these events, but have used:

https://www.georgestarcher.com/?p=42
https://www.georgestarcher.com/?p=45

in the past to get an overview (makes me wonder how accurate it was now).
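The thread's practical point is that the same failed-logon story is told by different event IDs depending on which Windows version wrote the log (529 with a logon type on the host showing the logon screen or share; 681 on Windows 2000; 680 with a Failure audit type on Windows 2003; and, on Vista and later, the legacy ID plus 4096, so 529 becomes 4625), and that the logon type field is what separates a console login from a share access. The script below is an added example, not code from the blog or its commenters: it normalizes those IDs into two failure categories, decodes the logon type, and counts failures per logging host, account and source workstation so that a burst such as a misconfigured machine hammering a share on a domain controller stands out. The tab-separated export format and every host, account and workstation name in SAMPLE_EXPORT are constructed for the example; a real export (from dumpel, eventquery, or wevtutil) would need its own column mapping.

```python
"""Normalize failed-logon events from mixed Windows 2000 / 2003 / Vista+ hosts
and summarize them by logging host, account and source workstation.

Added example; not from the blog post or its comments. The input is a
constructed tab-separated export, not the native Windows event log format.
"""
from collections import Counter

# Legacy (pre-Vista) logon type codes as documented by Microsoft.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (share/RPC)",
    4: "Batch",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext",
    9: "NewCredentials",
    10: "RemoteInteractive (RDP/TS)",
    11: "CachedInteractive",
}

# Constructed sample export (assumed column order):
# Computer, EventID, AuditType, Account, LogonType, Workstation.
# LogonType is empty for the authentication-package events (680/681),
# which do not carry one; 680/681 also log the account without a domain.
SAMPLE_EXPORT = """\
DC01\t529\tFailure\tCORP\\jsmith\t3\tWS-OLD17
DC01\t529\tFailure\tCORP\\jsmith\t3\tWS-OLD17
DC01\t529\tFailure\tCORP\\jsmith\t3\tWS-OLD17
DC01\t529\tFailure\tCORP\\admin\t2\tDC01
DC01\t680\tFailure\tjsmith\t\tWS-OLD17
DC01\t680\tSuccess\tjsmith\t\tWS-0042
DC-W2K\t681\tFailure\tjsmith\t\tWS-OLD17
FS02\t4625\tFailure\tCORP\\bob\t10\tLAPTOP-9
DC01\t672\tSuccess\tjsmith\t\tWS-0042
"""


def normalize(line):
    """Map one export line to a failure key, or None if it is not a failure.

    Key: (category, logging_host, account, source_workstation, logon_type_name)
      529 / 4625   -> failed_logon (logged where the logon screen or share is)
      681          -> failed_ntlm_auth on Windows 2000
      680 Failure  -> failed_ntlm_auth on Windows 2003+ (replacement for 681)
    Successes (672/673, 680 Success, ...) are ignored.
    """
    computer, event_id, audit_type, account, logon_type, workstation = line.split("\t")
    event_id = int(event_id)
    # DOMAIN\user and bare user refer to the same principal in these exports.
    account = account.split("\\")[-1].lower()
    if event_id in (529, 4625):
        lt = int(logon_type) if logon_type else None
        return ("failed_logon", computer, account, workstation,
                LOGON_TYPES.get(lt, f"type {lt}"))
    if event_id == 681 or (event_id == 680 and audit_type == "Failure"):
        return ("failed_ntlm_auth", computer, account, workstation, "n/a")
    return None


def summarize(export_text, threshold=3):
    """Count failures per key and return (counts, keys at or above threshold)."""
    counts = Counter()
    for line in export_text.splitlines():
        if not line.strip():
            continue
        key = normalize(line)
        if key is not None:
            counts[key] += 1
    flagged = [(key, n) for key, n in counts.items() if n >= threshold]
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_EXPORT)
    for (cat, host, acct, src, lt), n in sorted(counts.items()):
        print(f"{n:3d}  {cat:17s} on {host:7s} account={acct:7s} from={src:9s} {lt}")
    for (cat, host, acct, src, lt), n in flagged:
        print(f"FLAG: {n} x {cat} for {acct} from {src} on {host} ({lt})")
```

With the sample data the three type-3 failures for jsmith from WS-OLD17 against DC01 are the only flagged key; the single type-2 failure on DC01 shows as a console attempt, and the 680 and 681 records from the same workstation line up with the 529s once the account name is normalized. Tune `threshold` to the failure rate you consider normal for your environment.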