Distinguishing malicious logon failures from innocent logon failures is challenging for a variety of reasons:
• The logon failure codes in the security log are the same whether the user mistyped his password or an attacker is trying to guess the password
• Some Windows clients and applications make more than one logon attempt per user attempt, thus inflating the number of innocent logon failures
• Windows logs logon failures 2 different ways on 2 different systems
• Confusion over the meaning of logon failure codes
In this real training (TM) webinar I first acquaint you with the 2 different audit categories used for tracking logon failures – Logon/Logoff and Account Logon – and show you the difference between the 2.
In this webinar I’ll be using Windows Server 2008 for demonstrations and featuring its new 4-digit event IDs, but I will be sure to point out the corresponding 3-digit event IDs in Windows Server 2000/2003 and note any other differences between these versions of Windows.
Next I’ll share my tips for building your alert rules and reports to try to recognize malicious logon failures that indicate an attack. We’ll use a variety of techniques – some simple and others that require some sophisticated analysis logic from your log management solution. This will be real training on a very important area of the Windows security log.
Title: Detecting Suspicious Logon Attempts with the Windows 2008 and 2003 Security Logs
Date: Wednesday, February 4, 2009 12:00 PM - 1:00 PM EST
To make this webinar possible your registration data will be shared with our sponsor.
This is real training.
Reserve your Webinar seat now at:
https://www2.gotomeeting.com/register/974277065
Thanks as always for reading and best wishes on security,
Randy Franklin Smith
Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2008 Monterey Technology Group, All rights reserved. You may forward this email in its entirety but all other rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.