Win2K logs event ID 517 (audit log was cleared) whenever someone clears the Security log. (Win2K records this event in the new log.) Event ID 517 might reveal intruders who tried to cover their tracks.
Win2K logs several other events at system startup. The OS logs an occurrence of event ID 515 (trusted logon process has registered with the LSA) for each logon process that starts. (Logon processes, a component of the Win2K security subsystem, handle logons.) Win2K also logs an occurrence of event ID 514 (authentication package has been loaded by the LSA) for each authentication package that the OS loads. (Authentication packages support various authentication protocols such as Kerberos, NT LAN Manager (NTLM), and Secure Sockets Layer (SSL).) The OS logs an occurrence of event ID 518 (the SAM has loaded a notification package) for each notification package that Win2K loads; the standard notification packages are scecli, kdcsvc, and rassfm. (Notification packages are special DLLs that you can develop and install to synchronize passwords with other systems or to implement special password rules. However, attackers can use notification packages to steal passwords. Question any nonstandard notification packages, which could be Trojan horses.)
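The startup events above lend themselves to a quick triage pass over an exported Security log: list what registered or loaded at boot, compare the event ID 518 package names against the standard set the article gives (scecli, kdcsvc, rassfm), and surface any event ID 517. The following Python script is an added example, not code from the article; the sample records it works on are constructed here, the message wording is approximate, and the package name pwdsync_example is a made-up nonstandard entry.

```python
"""Triage of Win2K startup audit events from a text export (added example).

Groups event IDs 514/515/517/518, lists the logon processes, authentication
packages and notification packages that were loaded, flags notification
packages outside the standard set (scecli, kdcsvc, rassfm) and reports any
clearing of the audit log (517).
"""
import re
from collections import defaultdict

# Standard Win2K notification packages as named in the article.
STANDARD_NOTIFICATION_PACKAGES = {"scecli", "kdcsvc", "rassfm"}

# Which "... Name:" field to pull out of each event's message text.
NAME_FIELDS = {
    515: "Logon Process Name",
    514: "Authentication Package Name",
    518: "Notification Package Name",
}

# Constructed sample export as (event ID, message) pairs. Message wording is
# approximate; "pwdsync_example" is a made-up nonstandard package name.
SAMPLE_EVENTS = [
    (515, "A trusted logon process has registered with the Local Security Authority. Logon Process Name: Winlogon"),
    (514, "An authentication package has been loaded by the Local Security Authority. Authentication Package Name: Kerberos"),
    (518, "A notification package has been loaded by the Security Account Manager. Notification Package Name: scecli"),
    (518, "A notification package has been loaded by the Security Account Manager. Notification Package Name: kdcsvc"),
    (518, "A notification package has been loaded by the Security Account Manager. Notification Package Name: rassfm"),
    (518, "A notification package has been loaded by the Security Account Manager. Notification Package Name: pwdsync_example"),
    (517, "The audit log was cleared. Primary User Name: Administrator"),
]


def extract_name(event_id, message):
    """Return the named component from an event message, or None if absent."""
    field = NAME_FIELDS.get(event_id)
    if field is None:
        return None
    match = re.search(re.escape(field) + r":\s*(\S+)", message)
    return match.group(1) if match else None


def summarize_startup(events):
    """Group loaded components by event ID; record every 517 under 'log_cleared'."""
    summary = defaultdict(list)
    for event_id, message in events:
        if event_id == 517:
            summary["log_cleared"].append(message)
            continue
        name = extract_name(event_id, message)
        if name:
            summary[event_id].append(name)
    return dict(summary)


def nonstandard_notification_packages(events):
    """Names of notification packages (event 518) outside the standard set."""
    loaded = summarize_startup(events).get(518, [])
    return sorted({p for p in loaded if p.lower() not in STANDARD_NOTIFICATION_PACKAGES})


def findings(events):
    """Review-worthy findings: nonstandard 518 packages first, then any 517."""
    out = []
    for pkg in nonstandard_notification_packages(events):
        out.append(f"518: nonstandard notification package loaded: {pkg}")
    for msg in summarize_startup(events).get("log_cleared", []):
        out.append(f"517: audit log was cleared ({msg})")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
```

The baseline comparison is deliberately limited to event ID 518, because the article names the standard packages only for that event; for 514 and 515 the script just lists what loaded so you can compare against a known-good machine. Remember that a 517 appears in the new, freshly cleared log, so it is the only trace of the old log's contents having gone.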
A Well-Rounded Arsenal
Win2K provides an impressive array of auditing facilities, including several enhancements over NT auditing. However, Win2K auditing also includes some significant bugs, and Win2K's Group Policy application process means that you can't always identify who changed a policy because administrators no longer make policy changes directly. If complete and accurate auditing is important to you, let Microsoft know that it needs to fix these bugs and that Win2K needs more granular auditing of policy changes that occur through GPOs.