Actually, "logging" -- keeping a timestamped list of events (as in
"Captain's Log, Stardate whatever") -- has very little to do with "login" --
authenticating yourself to the system as a user with specific
authorizations. Well, historically, when a new or transferred sailor joined
a ship, their arrival and addition to the roster was recorded in the ship's
log, so they were "logged aboard" or "logged on"...

Anyway, the NT/2K/XP(/Vista, almost certainly) OS manages three databases
of event records, the System Log, Application Log, and Security Log. The
System Log records things like reboots and services starting and stopping.
The Application Log is available for applications to record items of
interest, and a number of the utilities that come with the OS take advantage
of that opportunity. User logins are "security events", so they go in the
Security Log. All three can be reviewed using the "Event Manager" utility
(which is reachable a couple of different ways under "Administrative
Tools").

So, if you go find the Event Manager and look in the Security Log, your
next question is going to be "Why is it empty???" The answer is simple:
the default install configuration doesn't log security events. Yes, you
read that correctly.

So if you want the system to record these events, you need to enable it
first. Except, of course, that that's not part of the Event Manager, and
it's not called "Log Security Events". You need to look in the
Administrative Tools for the Local Security Policy stuff, and find the place
to "Enable Auditing of Security Events", and turn that ON.

That's necessary, but not sufficient. Somewhere nearby is the list of
*which* security events to "audit", and by default none are enabled. There
are half a dozen categories of events, and two checkboxes for each, one
labeled "Successes" and one labeled "Failures". (A login failure typically
means someone entered an account that doesn't exist, or the wrong
password...)

A truly hardened Windows box should have all categories of Failures
audited. Some categories, like "Object Access", will generate huge numbers
of useless Successes, but login events are probably only a handful a day, so
enable auditing of Successes for that category, too.

NOW every login and logoff will cause an entry in the Security Log
recording the account, the activity attempted, and whether it succeeded or
not.

[This is the sort of feature that an administrator would typically enable
for all of the machines in a company's NT or Active Directory domain.
Microsoft doesn't expect the average home user to ever need to know about
this stuff.]
David Gillett
CISSP CCNP MCSE CCSE
^^^^------ This one covers details like this.
On 27 Feb 2007 at 2:22, [log in to unmask] wrote:
> Since this pertains to Login Files, I have Win XP Home and am using Windows
> as my firewall, where can I go to see the log on this. I looked in Control
> Panel under Security Center, but couldn't see where or how I could review the
> Windows log. Can anyone point me in the right direction? Harriel
>
> ---------------------------------------
> Hi David,
>
> Thanks for the kind reply. According to the logs, the attempted
> outbound violations have stopped, at least for now.
>
> I have scanned this computer with just about everything that I can find
> and nothing shows up. For a long time, someone in San Marcus, TX pinged
> my computer a hundred times a day. I finally reported it to the "abuse"
> address for the ISP, but, as usual, never heard anything and I still,
> occasionally, get pinged by the San Marcus address.
>
> This is a dialup machine and a slow one at that; most of the time less
> than 28.8.
>
> Loy
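The same procedure David describes (turn on auditing of logon successes and failures, then read the Security Log) can be done from an elevated PowerShell prompt instead of the Local Security Policy and Event Manager GUIs. This is an added example, not part of the original post or anyone's reply in the thread. It assumes Windows Vista or later: the built-in auditpol tool and the 4624/4625 event IDs used here did not exist on NT/2000/XP, which recorded the equivalent logon events under IDs 528/529/540 and exposed only the per-category checkboxes the post mentions.

```powershell
# Added example (not from the original post): check whether logon auditing is on,
# enable success and failure auditing for logon events, then read recent entries.
# Requires an elevated (Administrator) prompt on Windows Vista or later.

# 1. Show the current state of the Logon/Logoff category (auditpol ships with Windows).
auditpol /get /category:"Logon/Logoff"

# 2. Enable auditing of both successes and failures for logon events, which is the
#    "Successes" and "Failures" pair of checkboxes the post refers to for this category.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 3. Pull the last day's logon events from the Security log.
#    If auditing was just switched on, this is legitimately empty until the next logon.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625      # 4624 = successful logon, 4625 = failed logon
    StartTime = $since
} -ErrorAction SilentlyContinue

# Helper: turn one event's EventData block into a name -> value table.
function Get-LogonEventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4. Summarise: account, logon type, source address and outcome, newest first.
#    This is the "account, activity attempted, and whether it succeeded" the post describes.
$events | ForEach-Object {
    $data = Get-LogonEventData -Event $_
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Outcome   = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']   # 2 = interactive console, 3 = network, 10 = remote desktop
        Source    = $data['IpAddress']
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize

# 5. Count failures per account. A cluster of 4625 entries for one name is what a
#    non-existent account or repeated wrong password looks like in the log.
$events |
    Where-Object Id -eq 4625 |
    ForEach-Object { (Get-LogonEventData -Event $_)['TargetUserName'] } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize
```

Step 2 is the one that changes system state; steps 1 and 3 to 5 only read. On a domain-joined machine a Group Policy audit setting will override whatever auditpol sets locally, which is the "administrator enables it for the whole domain" situation the post mentions, so re-run step 1 after a policy refresh to confirm the setting stuck.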
Do you want to signoff PCSOFT or just change to
Digest mode - visit our web site:
http://freepctech.com/pcsoft.shtml