Reviewing the Security Event Log


To help keep administrators abreast of potential issues, Windows Vista tracks a number of security-related events in its Security log. This log file, accessible via the Event Viewer MMC snap-in, audits a variety of different success and failure events that serve to record security-related issues that have occurred on a Windows Vista system. Any user with an Administrator account can view and manage the contents of the Security log file.

The Security log in Event Viewer is a great resource for a number of reasons. First, it provides detailed information about potential security violations, such as failed user logon attempts. For example, if one user tries to log on with another's account by attempting to guess their password repeatedly, the Security log lists each failed logon attempt, including username, date, and time details - invaluable information in determining who made the logon attempt. Similarly, an entry is added to the Security log every time a user logs on successfully, allowing you to determine which users have been using your Windows Vista system, and when.

Beyond simply tracking logon events, the Security log also records details about system events (the time on the computer's clock being changed), changes to system policy settings (such as File and Printer sharing being enabled), and the use of administrative privileges. Not every event recorded in the Security log requires action on your part, but having access to detailed information about security-related events is certainly useful. In its default configuration, the Windows Vista Security log stores up to 20MB of event information, and then overwrites older entries when this file size is reached.

The Security log in Event Viewer contains two primary types of events:

  • Success Audits. Identified by a key icon, success audits display information about a security-related event that was successful, such as a user logging on to Windows Vista successfully.

  • Failure Audits. Identified by a lock icon, failure audits display information about a security-related failure, such as a user being unable to log in because he or she specified an incorrect username or password.

On Windows Vista Home systems, you cannot change the security event categories that are logged. On Windows Vista Business, Enterprise, and Ultimate edition systems, however, you can configure logging for security event categories (both success and failure events) via Local Security Policy. You'll learn more about Local Security Policy later in this chapter.

Follow these steps to review entries in the Event Viewer Security log:

  1. Click Start → Control Panel → Administrative Tools → Event Viewer.

  2. When the User Account Control dialog box appears, click Continue.

  3. When the Event Viewer MMC opens, expand Windows Logs and click Security to view events in the Security log, as shown in Figure 4-2.

    Figure 4-2: The Security log in Event Viewer.

  4. Double-click a Security log entry to view its details. The example shown in Figure 4-3 is a Failure Audit event in the Logon/Logoff category that was logged as a result of a user trying to log on with an incorrect password.

Figure 4-3: Reviewing the details of a failed logon attempt in the Security log.
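The Event Viewer steps above are a manual review. The following PowerShell script is an added example, not code from the book, that does the same review in bulk: it pulls the failure audits (lock icon) and success audits (key icon) for logons from the Security log, groups failed attempts by the account name that was targeted, and flags any account with repeated failures, which is exactly the password-guessing pattern described earlier in this section. It assumes an elevated prompt (only Administrators can read the Security log), Windows PowerShell 2.0 or later for Get-WinEvent, and the Vista-era event IDs 4624 (successful logon) and 4625 (failed logon); the Tip that follows cites Event ID 529, which is the pre-Vista equivalent of a failed logon. The look-back window and threshold are arbitrary choices.

```powershell
# Added example (not from the book): summarize logon audits in the Security log.
# Assumes: elevated prompt, Windows PowerShell 2.0+ (Get-WinEvent), and the
# Vista-era IDs 4624 = successful logon, 4625 = failed logon.
param(
    [int]$Hours     = 24,   # how far back to look (assumed default)
    [int]$Threshold = 5     # failed attempts per account worth a closer look (assumed)
)

$since = (Get-Date).AddHours(-$Hours)

# Read a named field from the event's XML instead of parsing the message text,
# which changes with locale and is easy to mis-split.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Failure audits: ID 4625 (these are the lock-icon entries in Event Viewer).
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Success audits: ID 4624 (the key-icon entries).
$success = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue

"Failed logons since $since, grouped by targeted account:"
$failed |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            Account = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'IpAddress'      # '-' or 127.0.0.1 for console logons
            Status  = Get-EventField $_ 'Status'         # NTSTATUS code giving the failure reason
        }
    } |
    Group-Object Account |
    Sort-Object Count -Descending |
    ForEach-Object {
        $last = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        $flag = ''
        if ($_.Count -ge $Threshold) { $flag = '  <-- repeated failures, review this account' }
        $args = @($_.Name, $_.Count, $last, $flag)
        "{0,-25} {1,4} attempt(s), last at {2}{3}" -f $args
    }

"`nSuccessful logons since ${since}:"
$success |
    ForEach-Object {
        $args = @($_.TimeCreated, (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'LogonType'))
        "{0}  {1,-20} logon type {2}" -f $args
    }
```

Run it as `.\Review-LogonAudits.ps1 -Hours 48 -Threshold 3` from an elevated PowerShell prompt. Working from the XML fields (TargetUserName, IpAddress, LogonType, Status) rather than the free-text message is what lets the output be grouped reliably; the same fields are what you see under the Details tab when you double-click an entry as in step 4.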

Tip 

Although the Properties window for a specific event includes many useful pieces of information, problems can often be difficult to decipher due to the technical nature of the provided information. If you find yourself unable to determine what a logged security event actually means, try performing a search on the Microsoft Help and Support web site (http://www.support.microsoft.com) for the item's Event ID number (for example, Event ID 529). Alternatively, you can try searching for details on the EventID.net web site, available at http://www.eventid.net.

Follow these steps to configure Security log settings:

  1. Click Start → Control Panel → Administrative Tools → Event Viewer.

  2. Expand Windows Logs, right-click Security, and click Properties. This opens the Log Properties–Security window to the General tab, as shown in Figure 4-4. Configure new Security log settings as per your preferences.

  3. To save the contents of your Security log, right-click Security in Event Viewer and then select Save Events As. Browse to an appropriate folder, give the file a descriptive name, and then click Save.

  4. Once you have saved the Security log file, you can safely empty the active log by right-clicking Security and selecting Clear Log (and then Yes when prompted to confirm the action).

Figure 4-4: Configuring settings for the Security log.
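The configure, save, and clear steps above can also be scripted, which is useful when you review several machines on a schedule. The script below is an added example, not the book's own material: it shows the log's current maximum size and retention setting, raises the maximum size, exports the log to a dated .evtx file, and clears the active log only after the export has been confirmed on disk, preserving the order of steps 3 and 4. It assumes an elevated prompt and wevtutil.exe, which ships with Windows Vista; the archive folder and the 64 MB size are assumptions you would adjust.

```powershell
# Added example (not from the book): inspect, archive, and clear the Security log.
# Assumes an elevated prompt and wevtutil.exe (included with Windows Vista and later).
$archiveDir = 'C:\SecurityLogArchive'                      # assumed archive location
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive    = Join-Path $archiveDir "Security-$stamp.evtx"

# 1. Show the current configuration. 'maxSize' is in bytes (the book's default is 20 MB)
#    and 'retention: false' means older entries are overwritten once that size is reached.
wevtutil gl Security

# 2. Raise the maximum size to 64 MB so more history survives between reviews (assumed value).
wevtutil sl Security /ms:67108864

# 3. Export the active log first. The saved .evtx can be reopened in Event Viewer
#    (Action > Open Saved Log), so clearing afterwards loses nothing.
if (-not (Test-Path $archiveDir)) {
    New-Item -ItemType Directory -Path $archiveDir | Out-Null
}
wevtutil epl Security $archive
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $archive)) {
    throw "Export to $archive failed; the Security log was NOT cleared."
}

# 4. Clear only after the export succeeded. Clearing is itself audited: Windows records
#    an 'audit log was cleared' event (ID 1102) as the first entry of the fresh log,
#    so an unexplained clear is visible to the next reviewer.
wevtutil cl Security
"Security log archived to $archive and cleared."
```

Keeping the export and the clear in one script, with the clear gated on the export's result, removes the most common mistake in this procedure: emptying the log before the copy was actually written.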

Note 

The Windows Vista Event Viewer also includes a number of log files, including the System and Application logs. The System log is where operating system-related errors, warnings, and information events are logged, while the Application log is used to store events related to programs installed on your system - both are valuable sources of troubleshooting information. As a best practice, you should also consult the Event Viewer System and Application logs for potential issues every time you review the contents of your Security log.


PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
Year: 2004
Pages: 135
Authors: Dan DiNicolo