Archive for October, 2007

List of Windows Server 2003 Events

October 12th, 2007

So a long time ago, back in my days of providing technical support for Windows NT 4.0, I published “Security Event Descriptions“.  This article was the “schema” so to speak, for the Windows NT 4.0 security event log events.


Technically Windows events are not schematized until Windows Vista; or put another way, the schema is implicit in the instrumentation in the code: since the event is raised by some function in the code, the “schema” could be interpreted as the parameter order in the call to that function.


Anyway, security monitoring types love that article, but I hate it.  It’s just better than nothing.  It doesn’t state which events map to which audit policy categories.  It does tell you whether the event is a success or failure event, but it doesn’t alert you to the cases where the same event is used for success and failure (e.g. event 560).


When Windows 2000 came around and we added two new audit policy categories (DS Access and Account Logon [which was a huge naming blunder]), I wrote an article for the Windows 2000 security events.  However it was so large I broke it into two articles.


I didn’t write an article for Windows Server 2003.  At first I didn’t think it was necessary because we propagated all the WS03 events to the Technet Events & Errors Message Center web site.  I wrote custom content for the top 30 or so events by volume of searches.


(On a side note, did you ever wonder what happens when you click the “More Information” link at the bottom of the Event Viewer event description?  We send the event source, event ID, OS version and so forth to the Technet E&E site and display the content that is returned.  We count the number of hits for each OS Version/Source/Event ID combination and then our writing teams pester the component owners to populate that content.)


Anyway, I was making excu^h^h er, explaining why I didn’t write the KB articles for Windows Server 2003 security events.  So I thought the E&E message center would be all that anyone needed.  It didn’t strike me as that important that you had to have seen the event (or at least know it exists) before you could use the site.  However since then I have received a large number of requests for the event definitions, mainly from people who were creating security event management solutions.


So here’s what I have for you, courtesy of Ned, one of the audit log posse here at Microsoft.  If you want a complete list of WS03 security events, then I suggest you look at chapter 4 of the Windows Server 2003 Security Guide.  This documents the event IDs of all the security events on Windows Server 2003.  Plus, it groups them by policy category, in case you ever wanted to know what you are in for if you enable one of the categories for audit.  If you want the layout of the event (what data is in the description field, and in what order) then just look for that specific event on the Technet E&E site or click the link in the bottom of the event description in Event Viewer.


I’ve already described how the Vista and Windows Server 2008 (and subsequent releases) event systems are self-documenting, so I won’t go into that further here.


One last tip: If you own Microsoft System Center Operations Manager 2007, then you can search for a file called EventSchema.xml on the media.  It is an XML document that describes one possible normalization of all the security events from Windows 2000 forward, and the semantic content of the normalized events.


2007-10-31 UPDATE: There is also an event-id-to-audit-policy-category map here.
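An added example (not code from the post or from Microsoft) of what a security event management tool has to do with WS03 records given the points above: take success/failure from the record type rather than the event ID (since 560 is used for both), map the ID to its audit policy category, and give the positional insertion strings names because the pre-Vista schema is only implicit. The category subset and the field orders below are assumptions for illustration, not the guide's full tables.

```python
"""Normalizing Windows Server 2003 security events for a log-management pipeline."""
from collections import Counter
from dataclasses import dataclass, field

# Illustrative subset of the event-ID -> audit policy category map, constructed
# for this example; the complete mapping is in the WS03 Security Guide, chapter 4.
CATEGORY_BY_ID = {
    528: "Logon/Logoff", 529: "Logon/Logoff", 540: "Logon/Logoff",
    560: "Object Access", 562: "Object Access",
    612: "Policy Change", 624: "Account Management",
    672: "Account Logon", 680: "Account Logon",
}

# The pre-Vista "schema" is implicit: a field's meaning comes from the position
# of its insertion string in the description. Assumed leading fields for two IDs.
FIELDS_BY_ID = {
    528: ("user_name", "domain", "logon_id", "logon_type"),
    560: ("object_server", "object_type", "object_name", "handle_id"),
}


@dataclass(frozen=True)
class NormalizedEvent:
    event_id: int
    category: str
    outcome: str  # "success" or "failure"
    fields: dict = field(default_factory=dict)


def normalize(event_id: int, event_type: str, strings: list[str]) -> NormalizedEvent:
    """Map one raw security event record to a normalized form."""
    # Outcome must come from the record type, never from the ID: event 560 is
    # raised for both granted and denied object opens.
    outcome = {"Success Audit": "success", "Failure Audit": "failure"}.get(event_type)
    if outcome is None:
        raise ValueError(f"not a security audit record: {event_type!r}")
    names = FIELDS_BY_ID.get(event_id, ())
    fields = dict(zip(names, strings))
    # Keep positions the schema subset does not name so nothing is silently dropped.
    for idx in range(len(names), len(strings)):
        fields[f"param{idx}"] = strings[idx]
    return NormalizedEvent(event_id, CATEGORY_BY_ID.get(event_id, "Unknown"), outcome, fields)


def volume_by_category(records) -> Counter:
    """Tally (category, outcome) pairs: what enabling a category gets you."""
    return Counter((e.category, e.outcome) for e in (normalize(*r) for r in records))


# Constructed sample records: (event ID, event type, insertion strings).
SAMPLE = [
    (560, "Success Audit", ["Security", "File", r"C:\payroll.xls", "0x3c4"]),
    (560, "Failure Audit", ["Security", "File", r"C:\payroll.xls", "-"]),
    (529, "Failure Audit", ["alice", "CORP", "3", "Negotiate"]),
]
```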

Categories: Descriptions, Tips, Tools

German court bans retention of logged IP addresses

October 3rd, 2007

A German court has ruled that a government web site may not retain IP addresses and other personally identifiable information (PII) in their logs for any longer than the user is actually using the site.


The judges pointed out that in many cases it was simple to map an IP address to an identity with the help of 3rd parties, and declared that logging IP addresses was a “violation of the right to informational self-determination.”


OK whatever.


Germany does not seem to be of one mind regarding logging.  On the one hand their draconian privacy laws (how’s that for an oxymoron?) are pretty much in opposition to any meaningful user activity logging.  On the other hand, their law enforcement folks at least seem to know the value of logs, even if they are a little draconian in the other direction.  Finally, the article above notes that even the Bundestag, the lower house of the German Parliament, doesn’t comply with the privacy laws that body created: the web site logs and retains PII.


Attention Germany: the privacy horse has left the barn.  Technology has far outpaced the capability of an individual to control where his or her information flows.  Expecting to both receive service from an online provider, and to remain “private” (whatever that means) from the provider, is unreasonable, and in fact denying the provider the right to log prevents the provider from systematically improving service to you.  Logging is a best practice for administrative activity, including maintenance-related activities, marketing & service planning, and security-related activities such as forensics.  Everything generates logs nowadays.  It would probably be better to write laws restricting what can be done with logs rather than to outlaw logging.  In this manner you could mitigate abuses such as those by the ambulance chasers but still provide organizations of all sorts, including the government itself, the information they need to do their jobs.


Categories: Laws, News, privacy, Rants