Search This Blog

Thursday, January 22, 2009

Detecting Suspicious Logon Attempts with the Windows 2008 and 2003 Security Logs

This is a key training topic for those of you trying to meet compliance requirements.  Just about every regulation out there requires you to review failed logons but offer no guidance on what to look for.

Distinguishing malicious logon failures from innocent logon failures is challenging for a variety of reasons:
• The logon failure codes in the security log are the same whether the user mistyped his password or an attacker is trying to guess the password
• Some Windows clients and applications make more than one logon attempt per user attempt thus inflating the number of innocent logon failures
• Windows logs logon failures 2 different ways on 2 different systems
• Confusion over the meaning of logon failure codes

In this real training (TM) webinar I first acquaint you with the 2 different audit categories used for tracking logon failures – Logon/Logoff and Account Logon and show you the difference between the 2.  

In this webinar I’ll be using Windows Server 2008 for demonstrations and feature its new 4 digit event IDs but I will be sure to point out the corresponding 3 digit event IDs in Windows Server 2000/2003 and note any other differences between these versions of Windows.

Next I’ll share my tips for building your alert rules and reports to try to recognize malicious logon failures that indicate an attack.  We’ll use a variety of techniques – some simple and others that require some sophisticated analysis logic from your log management solution.  This will be real training on a very important area of the Windows security log. 
 
Click here to register
 
CAN'T MAKE THE LIVE EVENT? REGISTER ANYWAY TO GET THE RECORDED VERSION.

Title: Detecting Suspicious Logon Attempts with the Windows 2008 and 2003 Security Logs
Date: Wednesday, February 4, 2009 12:00 PM - 1:00 PM EST

To make this webinar possible your registration data will be shared with our sponsor.

This is real training.

Space is limited.
Reserve your Webinar seat now at: 
 https://www2.gotomeeting.com/register/974277065

Thanks as always for reading and best wishes on security,
Randy Franklin Smith

Subscription Information
 
 
You can unsubscribe below but try fine-tuning what type of information I send you.  I have 5 different categories emails I send out - you can choose which to receive .

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.

Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)