Gaps in Security Log

Written by on Wednesday, March 5, 2008 6:28 - 0 Comments

You found a gap of several hours in your Security log, what does it mean?

You’re reviewing the Security log on a Windows server and notice a 12 hour gap where there were no events logged. Could someone have hacked your server and tried to erase their tracks? Or was it simply a glitch of some kind, or a botched cover up of improper actions by another admin?

Start by looking at the events right at the end of the gap. Event 512 indicates that the server is booting up, so it may simply be that the server was down for 12 hours. Event 612 incidates that the audit policy on the machine was changed, usually by a GPO, so check and make sure that another admin hasn’t done something they shouldn’t have.

You might think that Windows Security logs are totally secure, but there’s actually a free tool called WinZapper that let’s someone with admin access erase any events they want to from the Security Log. One way to prevent rogue admins from using this tool on your servers is to implement a Software Restriction Policy using Group Policy that prevents the WinZapper executable from running. ')}

Article written by

Leave a Reply

You must be logged in to post a comment.

2003 server - Sep 30, 2008 22:34 - 0 Comments

instant messaging srv records

More In Computers & PC

Microsoft Outlook - Mar 22, 2009 11:22 - 0 Comments

Outlook: Duplicates in Mailbox

More In Computers & PC