Windows Security Log

Last updated

The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity or other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log. The Security Log is one of three logs viewable under Event Viewer. Local Security Authority Subsystem Service writes events to the log. The Security Log is one of the primary tools used by Administrators to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems; Microsoft describes it as "Your Best and Last Defense". [1] The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity. [2]

Contents

Types of data logged

If the audit policy is set to record logins, a successful login results in the user's user name and computer name being logged as well as the user name they are logging into. [3] Depending on the version of Windows and the method of login, the IP address may or may not be recorded. Windows 2000 Web Server, for instance, does not log IP addresses for successful logins, but Windows Server 2003 includes this capability. [4] The categories of events that can be logged are: [5]

The sheer number of loggable events means that security log analysis can be a time-consuming task. [6] Third-party utilities have been developed to help identify suspicious trends. It is also possible to filter the log using customized criteria.

Attacks and countermeasures

Administrators are allowed to view and clear the log (there is no way to separate the rights to view and clear the log). [7] In addition, an Administrator can use Winzapper to delete specific events from the log. For this reason, once the Administrator account has been compromised, the event history as contained in the Security Log is unreliable. [8] A defense against this is to set up a remote log server with all services shut off, allowing only console access. [9]

As the log approaches its maximum size, it can either overwrite old events or stop logging new events. This makes it susceptible to attacks in which an intruder can flood the log by generating a large number of new events. A partial defense against this is to increase the maximum log size so that a greater number of events will be required to flood the log. It is possible to set the log to not overwrite old events, but as Chris Benton notes, "the only problem is that NT has a really bad habit of crashing when its logs become full". [10]

Randy Franklin Smith's Ultimate Windows Security points out that given the ability of administrators to manipulate the Security Log to cover unauthorized activity, separation of duty between operations and security-monitoring IT staff, combined with frequent backups of the log to a server accessible only to the latter, can improve security. [11]

Another way to defeat the Security Log would be for a user to log in as Administrator and change the auditing policies to stop logging the unauthorized activity he intends to carry out. The policy change itself could be logged, depending on the "audit policy change" setting, but this event could be deleted from the log using Winzapper; and from that point onward, the activity would not generate a trail in the Security Log. [12]

Microsoft notes, "It is possible to detect attempts to elude a security monitoring solution with such techniques, but it is challenging to do so because many of the same events that can occur during an attempt to cover the tracks of intrusive activity are events that occur regularly on any typical business network". [13]

As Benton points out, one way of preventing successful attacks is security through obscurity. Keeping the IT department's security systems and practices confidential helps prevent users from formulating ways to cover their tracks. If users are aware that the log is copied over to the remote log server at :00 of every hour, for instance, they may take measures to defeat that system by attacking at :10 and then deleting the relevant log events before the top of the next hour. [10]

Log manipulation is not needed for all attacks. Simply being aware of how the Security Log works can be enough to take precautions against detection. For instance, a user wanting to log into a fellow employee's account on a corporate network might wait until after hours to gain unobserved physical access to the computer in their cubicle; surreptitiously use a hardware keylogger to obtain their password; and later log into that user's account through Terminal Services from a Wi-Fi hotspot whose IP address cannot be traced back to the intruder.

After the log is cleared through Event Viewer, one log entry is immediately created in the freshly cleared log noting the time it was cleared and the admin who cleared it. This information can be a starting point in the investigation of the suspicious activity.

In addition to the Windows Security Log, administrators can check the Internet Connection Firewall security log for clues.

Writing false events to the log

It is theoretically possible to write false events to the log. Microsoft notes, "To be able to write to the Security log, SeAuditPrivilege is required. By default, only Local System and Network Service accounts have such privilege". [14] Microsoft Windows Internals states, "Processes that call audit system services . . . must have the SeAuditPrivilege privilege to successfully generate an audit record". [15] The Winzapper FAQ notes that it is "possible to add your own 'made up' event records to the log" but this feature was not added because it was considered "too nasty," a reference to the fact that someone with Administrator access could use such functionality to shift the blame for unauthorized activity to an innocent party. [8] Server 2003 added some API calls so that applications could register with the security event logs and write security audit entries. Specifically, the AuthzInstallSecurityEventSource function installs the specified source as a security event source. [16]

Admissibility in court

The EventTracker newsletter states that "The possibility of tampering is not enough to cause the logs to be inadmissible, there must be specific evidence of tampering in order for the logs to be considered inadmissible". [17]

See also

Related Research Articles

In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account; and in systems which implement a role based security model, any user with the role of superuser can carry out all actions of the superuser account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of making unrestricted, potentially adverse, system-wide changes.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

On Microsoft Servers, a domain controller (DC) is a server computer that responds to security authentication requests within a Windows domain. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination.

<span class="mw-page-title-main">Windows Registry</span> Database for Microsoft Windows

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.

<span class="mw-page-title-main">Group Policy</span> Feature of the Microsoft Windows NT family of operating systems

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO). A version of Group Policy called Local Group Policy allows Group Policy Object management without Active Directory on standalone computers.

In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.

Logical security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.

The graphical identification and authentication (GINA) is a component of Windows NT 3.51, Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. GINA is a replaceable dynamically linked library that is loaded early in the boot process in the context of Winlogon when the machine is started. It is responsible for handling the secure attention sequence, typically Control-Alt-Delete, and interacting with the user when this sequence is received. GINA is also responsible for starting initial processes for a user (such as the Windows Shell) when they first log on. GINA is discontinued in Windows Vista.

<span class="mw-page-title-main">Winlogon</span> Component of Microsoft Windows operating systems

Winlogon is the component of Microsoft Windows operating systems that is responsible for handling the secure attention sequence, loading the user profile on logon, creates the desktops for the window station, and optionally locking the computer when a screensaver is running. In Windows Vista and later operating systems, the roles and responsibilities of Winlogon have changed significantly.

The booting process of Windows NT is the process run to start Windows NT. The process has been changed between releases, with the biggest changes being made with Windows Vista. In versions before Vista, the booting process begins when the BIOS loads the Windows NT bootloader, NTLDR. Starting with Vista, the booting process begins with either the BIOS or UEFI load the Windows Boot Manager, which replaces NTLDR as the bootloader. Next, the bootloader starts the kernel, which starts the session manager, which begins the login process. Once the user is logged in, File Explorer, the graphical user interface used by Windows NT, is started.

<span class="mw-page-title-main">User Account Control</span> Security software

User Account Control (UAC) is a mandatory access control enforcement feature introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows 11. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorises an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges and malware are kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorises it.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical.

In computer log management and intelligence, log analysis is an art and science seeking to make sense of computer-generated records. The process of creating such records is called data logging.

In computing, a login session is the period of activity between a user logging in and logging out of a (multi-user) system.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

<span class="mw-page-title-main">Login</span> Process by which an individual gains access to a computer system

In computer security, logging in is the process by which an individual gains access to a computer system by identifying and authenticating themselves. The user credentials are typically some form of username and a matching password, and these credentials themselves are sometimes referred to as alogin. In practice, modern secure systems often require a second factor such as email or SMS confirmation for extra security. Social login allows a user to use existing user credentials from a social networking service to sign in to or create an account on a new website.

A roaming user profile is a file synchronization concept in the Windows NT family of operating systems that allows users with a computer joined to a Windows domain to log on to any computer on the same domain and access their documents and have a consistent desktop experience, such as applications remembering toolbar positions and preferences, or the desktop appearance staying the same, while keeping all related files stored locally, to not continuously depend on a fast and reliable network connection to a file server.

Network Level Authentication (NLA) is a feature of Remote Desktop Services or Remote Desktop Connection that requires the connecting user to authenticate themselves before a session is established with the server.

In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.

Control-Alt-Delete is a computer keyboard command on IBM PC compatible computers, invoked by pressing the Delete key while holding the Control and Alt keys: Ctrl+Alt+Delete. The function of the key combination differs depending on the context but it generally interrupts or facilitates interrupting a function. For instance, in pre-boot environment or in MS-DOS, Windows 3.0 and earlier versions of Windows or OS/2, the key combination reboots the computer. Starting with Windows 95, the key combination invokes a task manager or security related component that facilitates ending a Windows session or killing a frozen application.

References

  1. The NT Security Log - Your Best and Last Defense, Randy Franklin Smith
  2. Protecting the NT Security Log, Randy Franklin Smith, Windows IT Pro, July 2000.
  3. Tracking Logon and Logoff Activity in Windows 2000, Microsoft.
  4. Capturing IP Addresses for Web Server Logon Events, Randy Franklin Smith, Windows IT Pro, October 2003.
  5. Auditing Policy Categories, UltimateWindowsSecurity.com.
  6. “Five Mistakes of Security Log Analysis”, Anton Chuvakin, Ph.D., GCIA, GCIH.
  7. Access Denied: Letting Users View Security Logs, Randy Franklin Smith, July 2004 -- intermittently broken link as of 2007-9-27.
  8. 1 2 Winzapper FAQ, NTSecurity.
  9. Ultimate Guide to Logging, loggly.com
  10. 1 2 Auditing Windows NT Archived 2012-02-08 at the Wayback Machine , Chris Benton.
  11. Ultimate Windows Security, Randy Franklin Smith. Archived 2022-03-14 at the Wayback Machine
  12. Auditing Policy, Microsoft. Archived 2007-12-27 at the Wayback Machine
  13. Security Monitoring and Attack Detection, Microsoft, Aug. 29, 2006.
  14. Auditing Security Events, Microsoft.
  15. Microsoft Windows Internals, Microsoft.
  16. AuthzInstallSecurityEventSource Function, Microsoft.
  17. EventTracker Newsletter, April 2006, Will your log files stand up in court? Authentication vs. logon events? Archived 2007-06-21 at the Wayback Machine