Windows Security Log
The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity or other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log. The Security Log is one of three logs viewable under Event Viewer. The Local Security Authority Subsystem Service writes events to the log. The Security Log is one of the primary tools used by Administrators to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems; Microsoft describes it as "Your Best and Last Defense". The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity.

Types of data logged

If the audit policy is set to record logins, a successful login results in the user's user name and computer name being logged as well as the user name they are logging into. Depending on the version of Windows and the method of login, the IP address may or may not be recorded. Windows 2000 Web Server, for instance, does not log IP addresses for successful logins, but Windows Server 2003 includes this capability. The categories of events that can be logged are:
  • Account logon events
  • Account management
  • Directory service access
  • Logon events
  • Object access
  • Policy change
  • Privilege use
  • Process tracking
  • System events


The sheer number of loggable events means that security log analysis can be a time-consuming task. Third-party utilities have been developed to help identify suspicious trends. It is also possible to filter the log using customized criteria.

Attacks and countermeasures

Administrators are allowed to view and clear the log (there is no way to separate the rights to view and clear the log). In addition, an Administrator can use Winzapper to delete specific events from the log. For this reason, once the Administrator account has been compromised, the event history as contained in the Security Log is unreliable. A defense against this is to set up a remote log server with all services shut off, allowing only console access.

As the log approaches its maximum size, it can either overwrite old events or stop logging new events. This makes it susceptible to attacks in which an intruder can flood the log by generating a large number of new events. A partial defense against this is to increase the maximum log size so that a greater number of events will be required to flood the log. It is possible to set the log to not overwrite old events, but as Chris Benton notes, "the only problem is that NT has a really bad habit of crashing when its logs become full".

Randy Franklin Smith's Ultimate Windows Security points out that given the ability of administrators to manipulate the Security Log to cover unauthorized activity, separation of duty between operations and security-monitoring IT staff, combined with frequent backups of the log to a server accessible only to the latter, can improve security.

Another way to defeat the Security Log would be for a user to log in as Administrator and change the auditing policies to stop logging the unauthorized activity he intends to carry out. The policy change itself could be logged, depending on the "audit policy change" setting, but this event could be deleted from the log using Winzapper; and from that point onward, the activity would not generate a trail in the Security Log.

Microsoft notes, "It is possible to detect attempts to elude a security monitoring solution with such techniques, but it is challenging to do so because many of the same events that can occur during an attempt to cover the tracks of intrusive activity are events that occur regularly on any typical business network".

As Benton points out, one way of preventing successful attacks is security through obscurity. Keeping the IT department's security systems and practices confidential helps prevent users from formulating ways to cover their tracks. If users are aware that the log is copied over to the remote log server at :00 of every hour, for instance, they may take measures to defeat that system by attacking at :10 and then deleting the relevant log events before the top of the next hour.

Of course, log manipulation is not needed for all attacks. Simply being aware of how the Security Log works can be enough to take precautions against detection. For instance, a user wanting to log into a fellow employee's account on a corporate network might wait until after hours to gain unobserved physical access to the computer in their cubicle; surreptitiously use a hardware keylogger to obtain their password; and later log in to that user's account through Terminal Services from a Wi-Fi hotspot whose IP address cannot be traced back to the intruder.

After the log is cleared through Event Viewer, one log entry is immediately created in the freshly cleared log noting the time it was cleared and the admin who cleared it. This information can be a starting point in the investigation of the suspicious activity.
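The following PowerShell script is an added example and is not part of the original article: it reports the retention settings behind the flood-and-overwrite weakness described above, then lists the log-cleared, audit-policy-changed and log-full events from the last few days together with the account named in each. It assumes Windows Vista / Server 2008 or later (where the standard Security log event IDs 1102, 4719 and 1104 apply) and an elevated session, since reading the Security log requires administrative rights.

```powershell
# Added example, not from the original article. Assumes Windows Vista /
# Server 2008 or later and an elevated PowerShell session.

# Standard Security log event IDs relevant to the tampering scenarios above:
#   1102 - the audit log was cleared (written into the fresh log, naming the
#          account that cleared it)
#   4719 - system audit policy was changed
#   1104 - the Security log is full
$WatchedIds = @{
    1102 = 'Audit log cleared'
    4719 = 'Audit policy changed'
    1104 = 'Security log full'
}

function Get-SecurityLogRetention {
    # LogMode 'Circular' means old events are overwritten once the log fills;
    # combined with a small maximum size, flooding the log is cheap.
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        LogMode       = $log.LogMode
        RecordCount   = $log.RecordCount
    }
}

function Get-AuditTamperEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Security'
        Id        = @($WatchedIds.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 1102 and 4719 carry a Subject block; pull the account name out of
            # the rendered message (1104 has no subject, so this stays empty).
            $account = if ($_.Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                What    = $WatchedIds[$_.Id]
                Account = $account
            }
        }
}

Get-SecurityLogRetention | Format-List
Get-AuditTamperEvents -Days 7 | Sort-Object Time | Format-Table -AutoSize
```

A 1102 event whose account is not an expected operator, or a 4719 event shortly before a period with no audit records, is the kind of trail the article says a remote copy of the log preserves even when the local log is later cleared.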

In addition to the Windows Security Log, admins can check the Internet Connection Firewall security log for clues.

Writing false events to the log

It is theoretically possible to write false events to the log. Microsoft notes, "To be able to write to the Security log, SeAuditPrivilege is required. By default, only Local System and Network Service accounts have such privilege". Microsoft Windows Internals states, "Processes that call audit system services . . . must have the SeAuditPrivilege privilege to successfully generate an audit record". The Winzapper FAQ notes that it is "possible to add your own 'made up' event records to the log" but this feature was not added because it was considered "too nasty," a reference to the fact that someone with Administrator access could use such functionality to shift the blame for unauthorized activity to an innocent party. Server 2003 added some API calls so that applications could register with the security event logs and write security audit entries. Specifically, the AuthzInstallSecurityEventSource function installs the specified source as a security event source.

Admissibility in court

The EventTracker newsletter states that "The possibility of tampering is not enough to cause the logs to be inadmissible, there must be specific evidence of tampering in order for the logs to be considered inadmissible".

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.