2. In the event that the administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?
3. If there is no keyboard monitoring, is there a way to prove which PC the delete came from?
4. Can a scheduled task be set up in advance to delete the security logs at a later point in time in Windows 2003, using utilities like WMI, PowerShell, etc.?
5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is it launched?
6. Can the security and system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment on whether the firewall setting needs to be enabled in Windows 2003.
Hi Dhomya,
1. Logon, clear logs and logoff events in Windows 2003: when do these happen and what are the IDs for these events? What is the system logon?
You can find logon and logoff event IDs in the article below:
Audit logon events
https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
System logon event IDs are the same except the account name would be different.
The event for clearing the logs would be Event 517.
Event Message:
https://technet.microsoft.com/en-us/library/cc957086.aspx?f=255&MSPPError=-2147217396
2. In the event that the administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?
No, it is not possible.
3. If there is no keyboard monitoring, is there a way to prove which PC the delete came from?
You may need to use Network Monitor to capture real time network traffic to determine this.
4. Can a scheduled task be set up in advance to delete the security logs at a later point in time in Windows 2003, using utilities like WMI, PowerShell, etc.?
Yes, it is possible.
Clear an Event Log
https://technet.microsoft.com/en-us/library/cc722318.aspx?f=255&MSPPError=-2147217396
Script to Clear (and Save) Event Logs
http://blogs.msdn.com/b/jjameson/archive/2011/03/01/script-to-clear-and-save-event-logs.aspx
5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is it launched?
Please refer to this blog:
Application Compatibility - Session 0 Isolation
6. Can the security and system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment on whether the firewall setting needs to be enabled in Windows 2003.
Yes, it is possible as long as the account has the required permissions and there are no firewall rules blocking the network packets.
Best Regards,
Amy
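As an added example (not part of Amy's reply or the thread's linked articles), the script below shows the remote-access and Event 517 points from answers 1 and 6 in working code: it reads a Windows Server 2003 Security log over WMI from another machine and pulls the account and logon-session fields out of each "audit log was cleared" event. It assumes PowerShell 2.0 on the querying machine, administrative rights on the target, and that the target's firewall allows the "Remote Administration" exception (WMI over DCOM/RPC); the "Remote Desktop" exception alone only opens TCP 3389. The server name, credential prompt and the 517 message field names are assumptions drawn from the Windows 2003 event text, so check them against a real event.

```powershell
# Added example, not from the original thread.
# Query a remote Windows Server 2003 Security log over WMI for Event 517
# ("The audit log was cleared") and report who was logged on when it happened.
# Assumptions: PowerShell 2.0, admin rights on the target, WMI/DCOM reachable
# (the 2003 "Remote Administration" firewall exception, not "Remote Desktop").

function Get-SecurityLogClearedEvents {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    # WQL filter on the Security log for the Windows 2003 "audit log cleared" event.
    $query = "SELECT * FROM Win32_NTLogEvent WHERE Logfile = 'Security' AND EventCode = 517"
    $wmiArgs = @{ ComputerName = $ComputerName; Query = $query }
    if ($Credential) { $wmiArgs.Credential = $Credential }

    Get-WmiObject @wmiArgs | ForEach-Object {
        $msg = $_.Message

        # Extract a named field from the event text. The field names follow the
        # Windows 2003 Event 517 message layout (an assumption; compare with a
        # real event if your output comes back empty).
        $field = {
            param($name)
            if ($msg -match "$name:\s*(\S+)") { $Matches[1] } else { $null }
        }

        New-Object PSObject -Property @{
            Computer      = $_.ComputerName
            TimeGenerated = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeGenerated)
            RecordNumber  = $_.RecordNumber
            PrimaryUser   = & $field 'Primary User Name'
            ClientUser    = & $field 'Client User Name'
            ClientDomain  = & $field 'Client Domain'
            ClientLogonId = & $field 'Client Logon ID'
        }
    }
}

# Usage (server name is a placeholder):
# $cred = Get-Credential
# Get-SecurityLogClearedEvents -ComputerName 'SRV2003' -Credential $cred | Format-List
```

Two caveats a practitioner will want. First, the event names an account, not a person, so with a shared administrator password it confirms exactly what the answer to question 2 says. Second, the Client Logon ID could in principle be matched to the earlier logon event for that session (Event 528 or 540 on Windows 2003, which records the workstation name and, for network logons, the source network address), but clearing the log destroys those earlier records on the server itself; the match only works against a copy of the log collected or forwarded before the clear, or against logon events recorded on the domain controller.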
Can the security and system logs be viewed remotely from another server if the firewall setting is enabled at the remote server?
Hi Dhomya,
It's possible; it depends on how the firewall rules are configured.
Best Regards,
Amy
I have noticed there are 2 firewall exceptions: a) Remote Desktop and b) Remote Administration. Will I be able to view the System/Security logs as long as Remote Desktop is enabled?
Can the security and system logs be managed remotely from another server if the firewall setting is enabled at the remote server with only the "REMOTE DESKTOP" exception rule enabled, as long as the user account has the required admin rights?