  • Status: Solved
  • Priority: Medium
  • Security: Public

Security Event Logs

I would like to know:
if by default Windows servers and workstations log an event when a user logs on, shuts down, or powers on the machine.

how to audit Windows servers that are members of the domain for user logon, shutdown, and power-on of the machine.

how to audit Windows DCs for user logon, shutdown, and power-on of the machine.


Thanks
0
jskfan
Asked:
1 Solution
 
snoopfrogg Commented:
By default the following are enabled on Windows Server 2003

Audit Account Logon - Success
Audit Logon - Success

Account logon events are logged on Domain Controllers in the Security event log.  These events correspond to network logons (the use of domain credentials).  Logon events are logged on member servers and workstations in the Security event log.  These events correspond to local logons.

Also, shutdowns and restarts are audited.  These can be gleaned from System event logs on both member servers and Domain Controllers by looking for events corresponding to source "eventlog".  An entry will be generated with source eventlog when the machine is shut down and again when it is powered up.  If a machine is shut down incorrectly (power failure), an entry won't be logged.

Auditing Policy - http://technet.microsoft.com/en-us/library/cc779526.aspx
0
 
jskfan (Author) Commented:
<<<By default the following are enabled on Windows Server 2003
Audit Account Logon - Success
Audit Logon - Success>>>>>

Even if they are not members of the domain?
0
 
snoopfrogg Commented:
Audit Logon, yes.  

It does not matter whether Audit Account Logon is enabled for workgroup workstations since members of workgroups do not authenticate to DCs and do not register audit entries on DCs.
0

 
jskfan (Author) Commented:
Where can it be enabled or disabled on Windows servers or workstations?
0
 
snoopfrogg Commented:
To enable auditing:

1.  Enable auditing in either Local Security Policy or a Group Policy Object scoped to the workstations/servers you want to audit.  You can modify the settings in Group Policy by going to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.

To check audit logs, open Event Viewer on the server, and then view the security event log.
0
 
jskfan (Author) Commented:
So Windows servers that are not members of the domain don't have any auditing enabled by default; it has to be enabled and configured through local policy. Correct?
0
 
snoopfrogg Commented:
As far as what levels of auditing are enabled in workgroup joined Windows Server 2003 servers, I'm not sure.  For these, you're right, you would configure auditing in Local Security Policy.
0
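
As an added example that is not from any poster in this thread: the PowerShell below reads the Audit Policy categories discussed above from a `secedit /export` file and pulls the startup/shutdown entries written by source EventLog from the System log. The function names, the sample policy text and the event IDs 6005/6006/6008 are assumptions not stated in the thread, and `Get-EventLog` requires Windows PowerShell.

```powershell
# Added example; function names and sample text are illustrative assumptions.
# [Event Audit] values in a secedit export: 0 none, 1 success, 2 failure, 3 both.
function Get-AuditPolicyFromInf {
    param([string[]]$Lines)
    $meaning = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success, Failure' }
    $inSection = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            # Track whether we are inside the [Event Audit] section.
            $inSection = ($Matches[1] -eq 'Event Audit')
        } elseif ($inSection -and $text -match '^(\w+)\s*=\s*([0-3])$') {
            New-Object PSObject -Property @{ Category = $Matches[1]; Setting = $meaning[$Matches[2]] }
        }
    }
}

# Startup/shutdown markers written to the System log by source EventLog:
# 6005 = event log service started (boot), 6006 = stopped (clean shutdown),
# 6008 = written at the next boot when the previous shutdown was unexpected.
function Get-PowerEvent {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Newest = 500)
    Get-EventLog -LogName System -Source EventLog -Newest $Newest -ComputerName $ComputerName |
        Where-Object { 6005, 6006, 6008 -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, MachineName
}

# Constructed sample of an export showing the two defaults named in the answer.
$sample = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 1
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
'@ -split '\r?\n'
Get-AuditPolicyFromInf -Lines $sample | Format-Table Category, Setting -AutoSize

# On a live server or workstation (elevated prompt), export and parse the real policy:
# secedit /export /cfg "$env:TEMP\secpol.inf" /areas SECURITYPOLICY | Out-Null
# Get-AuditPolicyFromInf -Lines (Get-Content "$env:TEMP\secpol.inf")
# Get-PowerEvent -Newest 500
```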
