
Thread: Empty Security Event Log

  1. #1
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378

    Empty Security Event Log

    While reviewing my weekly log greps, I noticed a machine conspicuously missing from the usual audit logs. I logged into the machine (XP SP2 w/auto updates) and sure enough, the security event log under Event Viewer is completely empty. Usually there are many Success Audit messages in the event log. None. Nada. Has anyone ever seen this before? My radar is up.

    I checked the local security policies on the machine via secpol.msc and noticed all audits have been disabled.

    Disconnected the workstation from the network and did a complete scan with various tools. Nothing. Clean.

    Several contractors use this workstation. None have admin privs.

    Since I didn't change the local policy and you need to be admin to change it, either an m$ update changed it or this machine has been compromised.

    Any comments/suggestions would be appreciated.

    csr
    In God We Trust....Everything else we backup.

  2. #2
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Any other groups\users in the local admin group??


    Is it possible they "cracked" the local admin password?? Physical access and all :shock:

    Covering tracks comes to mind here

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #3
    Yeah, sounds like someone cracked the admin password, then erased the logs to cover their tracks. I'd disable the CD drive, floppy drive, and any bootable device (even USB) other than the hard drive. Normally, I end up taking the hardware itself out on computers issued to contractors.

    Either that, or it's a simple policy violation, where someone who knew the Admin password gave it to whoever cleared the logs to hide the fact that he logged into the Admin account in the first place. Find out who gave out the password, and give that person a stern talking to. What usually happens is that someone who shouldn't have admin access probably told an admin that "I need admin access to do my job properly", and things fell apart in short order.

    Oh, and change the admin password if you haven't already (which I'm sure you have).

  4. #4
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Just a thought....it's not being filtered, is it???

    Something to check

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  5. #5
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    No. Only admin in admin.

    Is it possible they "cracked" the local admin password??
    That's what I am thinking. It's possible, but it's pretty strong. Brute force would not be practical, but hey, anything is possible.

    I am tempted to put it back on the network with a keylogger and packet sniffer to try to locate the varmint. Kinda pisses me off that it's probably someone "in-house".
    In God We Trust....Everything else we backup.

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    You may have missed my post...as I think we may have been posting at the same time

    The log is not being filtered, is it?

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    The log is not being filtered, is it?
    No. (Didn't know you could do that. Had to research it. Cool. Could have used that in the past. Learn something new every day! Thx).
    In God We Trust....Everything else we backup.

  8. #8
    AO's Filibustier Cheap Scotch Ron's Avatar
    Join Date
    Nov 2008
    Location
    Swamps of Jersey
    Posts
    378
    Either that, or it's a simple policy violation,
    I am hoping this is the issue. Easier to deal with.
    In God We Trust....Everything else we backup.

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I use it all the time to search out stuff...and sometimes forget to turn off the filter...

    Doesn't account for the change in local policy though...

    single malt morgan
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    If you manually clear the security log, there will always be one message left. This says who cleared it. If that one doesn't exist, either the security logs were never used or the event log got corrupted.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
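An added example (not code from the thread or any of its posters) that runs the checks raised in posts #1, #6 and #10 from a PowerShell prompt: it reads the Security log directly, so an Event Viewer filter cannot hide entries; it looks for the "audit log was cleared" record (event ID 517 on XP/2003, 1102 on Vista and later) and the "audit policy changed" record (612 on XP/2003, 4719 on Vista and later); and it reports whether every audit subcategory is switched off. Assumptions: an elevated prompt (reading the Security log needs admin rights), `Get-EventLog` available, and `auditpol` with Vista-and-later syntax for the policy check, which the thread's XP machine would not have (there, secpol.msc as in post #1 is the check).

```powershell
# Added example, not from the thread: triage a Security event log that looks empty.
# Run from an elevated prompt on the machine in question.
# 517/1102 = "the audit log was cleared"; 612/4719 = "audit policy was changed".
$LogClearedIds   = 517, 1102
$PolicyChangeIds = 612, 4719

function Get-SecurityLogSummary {
    # Reads the log itself rather than the Event Viewer view, so a viewer filter cannot hide entries.
    $log = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
    [pscustomobject]@{
        Entries        = $log.Entries.Count
        MaximumKB      = $log.MaximumKilobytes
        OverflowAction = $log.OverflowAction
    }
}

function Get-AuditMarkerEvents {
    # Returns the "log cleared" and "audit policy changed" records, newest first,
    # including the account name recorded for each.
    $ids = $LogClearedIds + $PolicyChangeIds
    Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.EventID } |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, EventID, UserName, Message
}

function Test-AuditPolicyAllDisabled {
    # Vista-and-later auditpol syntax (assumption); returns $null if auditpol is unavailable.
    $lines = auditpol /get /category:* 2>$null
    if (-not $lines) { return $null }
    # Subcategory lines are indented; category headers and column titles are not.
    $subcategories = $lines | Where-Object { $_ -match '^\s{2,}\S' }
    $active = @($subcategories | Where-Object { $_ -notmatch 'No Auditing' })
    return ($active.Count -eq 0)
}

$summary = Get-SecurityLogSummary
"Security log: $($summary.Entries) entries, max $($summary.MaximumKB) KB, overflow action $($summary.OverflowAction)"

$markers = @(Get-AuditMarkerEvents)
if ($summary.Entries -eq 0) {
    "No entries at all. Clearing the log normally leaves a 517/1102 record, so either auditing was never enabled on this machine or the log file is damaged."
} elseif ($markers.Count -gt 0) {
    "Audit marker events found (who cleared the log or changed the policy):"
    $markers | Format-Table -AutoSize
} else {
    "No clear/policy-change markers in the retained window; compare the size and overflow action above for wrap-around."
}

$policy = Test-AuditPolicyAllDisabled
if ($null -eq $policy) {
    "auditpol not available on this build; check secpol.msc as in post #1."
} elseif ($policy) {
    "auditpol: every subcategory is set to No Auditing."
} else {
    "auditpol: at least one subcategory is still audited."
}
```

The useful distinction for this thread is the first branch: a log with zero entries is a different finding from a log whose only entry is the cleared-log marker. The marker names the account that did the clearing, which is the lead to follow; a genuinely empty log with auditing now disabled is the case post #10 describes, where either auditing was never on or the log store is corrupt, and the audit policy change itself has to be explained some other way.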
