security event logs
1. Login, Clear Logs and log off events in Windows 2003: when do these happen and what are the IDs for these events? What is the system login?
2. In an event when the administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?
3. If there is no keyboard monitoring, is there a way to prove from which PC the delete came?
4. Can a scheduled task be run in advance to delete the security logs at a later point in time in Windows 2003 using utilities like WMI, PowerShell etc.?
5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is this launched?
6. Can the security and system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment on whether a firewall setting needs to be enabled in Windows 2003.
February 24th, 2015 5:25pm

Hi Dhomya,

1. Login, Clear Logs and log off events in Windows 2003: when do these happen and what are the IDs for these events? What is the system login?

You can find logon and logoff event IDs in the article below:

Audit logon events

https://technet.microsoft.com/en-us/library/cc787567%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

System logon event IDs are the same except the account name would be different.

The event for clear logs would be Event 517.

Event Message:

https://technet.microsoft.com/en-us/library/cc957086.aspx?f=255&MSPPError=-2147217396

2. In an event when the administrator account and password are shared by more than one person, is it possible to prove who cleared the security logs?

No, it is not possible.

3. If there is no keyboard monitoring, is there a way to prove from which PC the delete came?

You may need to use Network Monitor to capture real time network traffic to determine this.

4. Can a scheduled task be run in advance to delete the security logs at a later point in time in Windows 2003 using utilities like WMI, PowerShell etc.?

Yes, it is possible.

Clear an Event Log

https://technet.microsoft.com/en-us/library/cc722318.aspx?f=255&MSPPError=-2147217396

Script to Clear (and Save) Event Logs

http://blogs.msdn.com/b/jjameson/archive/2011/03/01/script-to-clear-and-save-event-logs.aspx

5. In Windows 2003 servers, Microsoft allows 2 remote connections and 1 console session, also called session 0. What is session 0 and when is this launched?

Please refer to this blog:

Application Compatibility - Session 0 Isolation

http://blogs.technet.com/b/askperf/archive/2007/04/27/application-compatibility-session-0-isolation.aspx

6. Can the security and system logs on the server be deleted remotely from any other server in Windows 2003 if the account has admin rights? Please comment on whether a firewall setting needs to be enabled in Windows 2003.

Yes, it is possible as long as the account has the required permissions and there are no firewall rules blocking network packets.

Best Regards,

Amy

February 27th, 2015 11:20am
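
The following is an added example, not code from this thread or from Microsoft. It takes a Security log export from a Windows 2003 server, picks out every Event 517 ("The audit log was cleared"), and ties each one back to the logon session that issued it. The sample records are constructed by hand in an eventquery.vbs-style CSV layout (Type, Date, Time, Source, Category, EventID, User, Computer, Description); the logon event IDs 528/540 and logoff 538 are the Windows 2003-era IDs, and the field names inside the descriptions (Client Logon ID, Workstation Name, Source Network Address) are assumed to appear as in the 2003 event text. It shows what 517 does record (the account and logon ID, which is why a shared Administrator password cannot be tied to a person) and what a matching logon event can add (the workstation and source address of that session), and it handles the case where the logon event is no longer in the export.

```python
"""Added example (not from the thread): flag Event 517 'audit log was cleared'
records in a Windows 2003 Security log export and correlate each one with the
logon session (by Logon ID) that cleared the log.

Assumptions: the sample export below is constructed, not a real capture, and
its layout imitates an eventquery.vbs / CSV export. Event IDs 517, 528, 540
and 538 are the Windows 2003-era Security log IDs."""

import csv
import re
from io import StringIO

# Constructed sample export; the host names, addresses and logon IDs are made up.
SAMPLE_EXPORT = """Type,Date,Time,Source,Category,EventID,User,Computer,Description
Success Audit,2/24/2015,09:01:12,Security,Logon/Logoff,540,CORP\\Administrator,SRV01,"Successful Network Logon: User Name: Administrator Domain: CORP Logon ID: (0x0,0x3E7F2) Logon Type: 3 Workstation Name: WS-17 Source Network Address: 10.0.0.17"
Success Audit,2/24/2015,09:03:40,Security,System Event,517,CORP\\Administrator,SRV01,"The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: Administrator Client Domain: CORP Client Logon ID: (0x0,0x3E7F2)"
Success Audit,2/24/2015,09:05:02,Security,Logon/Logoff,538,CORP\\Administrator,SRV01,"User Logoff: User Name: Administrator Domain: CORP Logon ID: (0x0,0x3E7F2) Logon Type: 3"
Success Audit,2/25/2015,02:14:55,Security,System Event,517,CORP\\Administrator,SRV01,"The audit log was cleared Primary User Name: SYSTEM Primary Domain: NT AUTHORITY Primary Logon ID: (0x0,0x3E7) Client User Name: Administrator Client Domain: CORP Client Logon ID: (0x0,0x5A1C0)"
"""

LOGON_EVENTS = {528, 540}   # 528 interactive logon, 540 network logon (Windows 2003)
LOG_CLEARED_EVENT = 517     # "The audit log was cleared"

_LOGON_ID = r"(\(0x[0-9A-Fa-f]+,0x[0-9A-Fa-f]+\))"
RE_SESSION_ID = re.compile(r"(?<!Client )Logon ID:\s*" + _LOGON_ID)
RE_CLIENT_ID = re.compile(r"Client Logon ID:\s*" + _LOGON_ID)
RE_CLIENT_USER = re.compile(r"Client User Name:\s*(\S+)")
RE_CLIENT_DOMAIN = re.compile(r"Client Domain:\s*(\S+)")
RE_WORKSTATION = re.compile(r"Workstation Name:\s*(\S+)")
RE_SOURCE_ADDR = re.compile(r"Source Network Address:\s*(\S+)")


def parse_export(text):
    """Read the CSV export into dicts, with EventID as an int."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["EventID"] = int(row["EventID"])
    return rows


def _first(regex, text):
    match = regex.search(text)
    return match.group(1) if match else None


def build_session_index(rows):
    """Map each Logon ID seen in a logon event to where that session came from."""
    sessions = {}
    for row in rows:
        if row["EventID"] in LOGON_EVENTS:
            desc = row["Description"]
            logon_id = _first(RE_SESSION_ID, desc)
            if logon_id:
                sessions[logon_id] = {
                    "workstation": _first(RE_WORKSTATION, desc),
                    "source_address": _first(RE_SOURCE_ADDR, desc),
                }
    return sessions


def find_log_clears(rows):
    """Return one finding per Event 517, enriched with the originating session
    when a matching logon event is present; origin fields are None otherwise
    (for example when the logon happened before the export window)."""
    sessions = build_session_index(rows)
    findings = []
    for row in rows:
        if row["EventID"] != LOG_CLEARED_EVENT:
            continue
        desc = row["Description"]
        logon_id = _first(RE_CLIENT_ID, desc)
        origin = sessions.get(logon_id, {})
        domain = _first(RE_CLIENT_DOMAIN, desc)
        user = _first(RE_CLIENT_USER, desc)
        findings.append({
            "time": f'{row["Date"]} {row["Time"]}',
            "computer": row["Computer"],
            "account": f"{domain}\\{user}",
            "logon_id": logon_id,
            "workstation": origin.get("workstation"),
            "source_address": origin.get("source_address"),
        })
    return findings


if __name__ == "__main__":
    for hit in find_log_clears(parse_export(SAMPLE_EXPORT)):
        where = hit["workstation"] or "unknown (no matching logon event in this export)"
        print(f'{hit["time"]} {hit["computer"]}: log cleared by {hit["account"]} '
              f'session {hit["logon_id"]} from {where} {hit["source_address"] or ""}')
```

Run on a real export, the second kind of finding (a 517 whose Client Logon ID has no logon event in the window) is the common case once the cleared log itself was the only place the logon was recorded, which is the reason to forward Security events to a separate collector before relying on this correlation.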

Can security and the system logs be viewed remotely from another server if the firewall setting is enabled at the remote server?

February 27th, 2015 11:23am

Hi Dhomya,

It's possible, depending on how the firewall rules are configured.

Best Regards,

Amy

February 28th, 2015 3:07am

I have noticed there are 2 firewall exceptions: a) Remote Desktop and b) Remote Administration. Will I be able to view the System/Security logs as long as Remote Desktop is enabled?

Can security and the system logs be managed remotely from another server if the firewall setting is enabled at the remote server with the exception rule of "REMOTE DESKTOP" enabled as long as the user account with the admin rights is permissible? 

February 28th, 2015 6:49am
