Message-ID: <00fe01c3a87f$8e8045f0$7b00a8c0@BillDell>
From: full-disclosure at royds.net (Bill Royds)
Subject: Windows 2000 Logout events are not monitored!
Yes, it is event number 538, 540 is logon. Sorry. This was on a Win2k pro
machine.
----- Original Message -----
From: "Darren Bennett" <DARREN.L.BENNETT@...c.com>
To: "Bill Royds" <full-disclosure@...ds.net>
Cc: "Full Disclosure" <full-disclosure@...ts.netsys.com>
Sent: Tuesday, November 11, 2003 11:36 AM
Subject: Re: [Full-Disclosure] Windows 2000 Logout events are not monitored!
: Bill,
:
: In windows 2k pro it is event 538. Are you talking about win 2k server
: only? In either case, logout events in win2k pro are broken. If anyone
: has a fix, I'd be happy to hear about it.
:
: -Darren
:
: On Mon, 2003-11-10 at 16:44, Bill Royds wrote:
: > The logout event is event number 540 in security log. All the Win2K I manage
: > have these entries for every logout. Check your security policy to ensure
: > that you are recording them.
: > These are in Local Security Policy MMS under Local Policies/Audit
: > Events/{Audit account logon events,Audit logon events}. You want both
: > success and failure to capture a successful logoff.
: >
: > ----- Original Message -----
: > From: "Darren Bennett" <DARREN.L.BENNETT@...c.com>
: > To: "Full Disclosure" <full-disclosure@...ts.netsys.com>
: > Sent: Monday, November 10, 2003 12:42 PM
: > Subject: [Full-Disclosure] Windows 2000 Logout events are not monitored!
: >
: >
: > : It's possible this has been on the list before but I'm going to check
: > : anyway. With windows 2000 (server is the platform I have tested), when
: > : auditing of login/logout events is enabled, only login events are
: > : recorded. This appears to be a bug with Windows. I have tried applying a
: > : patch from Microsoft that is supposed to fix this and the patch didn't
: > : work. Anyone else seen this behavior? Any suggestions on how I could
: > : record logout events without relying on MS?
: > :
: > : -Thanks,
: > :
: > : Darren
: > :
: > :
: > : -----------------------------------------------
: > : Darren Bennett - CISSP
: > : Sr. Systems Administrator/Manager
: > : Science Applications International Corporation
: > : Advanced Systems Development and Integration
: > : -----------------------------------------------
: > :
: > : _______________________________________________
: > : Full-Disclosure - We believe in it.
: > : Charter: http://lists.netsys.com/full-disclosure-charter.html
: --
: -----------------------------------------------
: Darren Bennett - CISSP
: Sr. Systems Administrator/Manager
: Science Applications International Corporation
: Advanced Systems Development and Integration
: -----------------------------------------------
: