*** Welcome to piglix ***

Windows Security Log


The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity or other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log. The Security Log is one of three logs viewable under Event Viewer. Local Security Authority Subsystem Service writes events to the log. The Security Log is one of the primary tools used by Administrators to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems; Microsoft describes it as "Your Best and Last Defense". The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity.

If the audit policy is set to record logins, a successful login results in the user's user name and computer name being logged as well as the user name they are logging into. Depending on the version of Windows and the method of login, the IP address may or may not be recorded. Windows 2000 Web Server, for instance, does not log IP addresses for successful logins, but Windows Server 2003 includes this capability. The categories of events that can be logged are:

The sheer number of loggable events means that security log analysis can be a time-consuming task. Third-party utilities have been developed to help identify suspicious trends. It is also possible to filter the log using customized criteria.

Administrators are allowed to view and clear the log (there is no way to separate the rights to view and clear the log). In addition, an Administrator can use Winzapper to delete specific events from the log. For this reason, once the Administrator account has been compromised, the event history as contained in the Security Log is unreliable. A defense against this is to set up a remote log server with all services shut off, allowing only console access.

As the log approaches its maximum size, it can either overwrite old events or stop logging new events. This makes it susceptible to attacks in which an intruder can flood the log by generating a large number of new events. A partial defense against this is to increase the maximum log size so that a greater number of events will be required to flood the log. It is possible to set the log to not overwrite old events, but as Chris Benton notes, "the only problem is that NT has a really bad habit of crashing when its logs become full".


...
Wikipedia

...