Solved

Security Event Logs

Posted on 2009-04-03
7
168 Views
Last Modified: 2013-12-04
I would like to know:
if by default windows servers and workstations log an event when a user logs on, shuts down, power on the machine.

how to audit windows servers that are members of the domain about  user log on, shuts down, power on the machine.

how to audit windows DCs about  user log on, shuts down, power on the machine.


Thanks
0
Comment
Question by:jskfan
  • 4
  • 3
7 Comments
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 24059570
By default the following are enabled on Windows Server 2003

Audit Account Logon - Success
Audit Logon - Success

Account logon events are logged on Domain Controllers in the Security event log.  These events correspond to network logons (the use of domain credentials).  Logon events are logged on member servers and workstations in the Security event log.  These events correspond to local logons.

Also, shut downs and restarts are audited.  These can be gleaned from System event logs on both members servers and Domain Controllers by looking for events corresponding to source "eventlog".  An entry will be generated with source eventlog when the machine is shut down and again when it is powered up.  If a machine is shut down incorrectly (power failure), an entry won't be logged.

Auditing Policy - http://technet.microsoft.com/en-us/library/cc779526.aspx
0
 

Author Comment

by:jskfan
ID: 24061128
<<<By default the following are enabled on Windows Server 2003
Audit Account Logon - Success
Audit Logon - Success>>>>>

even if they are not member of the domain????
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 24061190
Audit Logon, yes.  

It does not matter whether Audit Account Logon is enabled for workgroup workstations since members of workgroups do not autheticate to DCs and do not register audit entries on DCs.
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:jskfan
ID: 24062533
where can be enabled or disabled  in windows servers or workstations?
0
 
LVL 11

Accepted Solution

by:
snoopfrogg earned 500 total points
ID: 24062850
To enable auditing:

1.  Enable auditing in either Local Security Policy or a Group Policy Object scoped to the workstations/servers you want to audit.  You can modify the settings in Group Policy by going to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.

To check audit logs, open Event Viewer on the server, and then view the security event log.
0
 

Author Comment

by:jskfan
ID: 24072439
so in windows servers that are not member of the domain, don't have any auditing enabled by default. it has to be enabled and configued through local policy. Correct?
0
 
LVL 11

Expert Comment

by:snoopfrogg
ID: 24077152
As far as what levels of auditing are enabled in workgroup joined Windows Server 2003 servers, I'm not sure.  For these, you're right, you would configure auditing in Local Security Policy.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question