Posts Tagged ‘Gaps in Security Log’
2003 server - Wednesday, March 5, 2008 6:28 - 0 Comments
Gaps in Security Log
You found a gap of several hours in your Security log, what does it mean?
You’re reviewing the Security log on a Windows server and notice a 12 hour gap where there were no events logged. Could someone have hacked your server and tried to erase their tracks? Or was it simply a glitch of some kind, or a botched cover up of improper actions by another admin?
Start by looking at the events right at the end of the gap. Event 512 indicates that the server is booting up, so it may simply be that the server was down for 12 hours. Event 612 incidates that the audit policy on the machine was changed, usually by a GPO, so check and make sure that another admin hasn’t done something they shouldn’t have.
You might think that Windows Security logs are totally secure, but there’s actually a free tool called WinZapper that let’s someone with admin access erase any events they want to from the Security Log. One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running.
Article written by MyComputerAid.com