Auditing Users and Groups with the Windows Security Log

by Randall F. Smith
Sept. 1, 2017, TechGenix

New user accounts are important to audit to verify that each one corresponds to a legitimate employee, contractor or application. Outside intruders often create new user accounts to facilitate continued access to the penetrated system. Certain changes to user accounts are also important to audit, since they can be a tip-off to compromised accounts. For instance, both insider and outsider computer criminals often gain access to a system by socially engineering the help desk into resetting a user’s password. Likewise, a previously disabled account being re-enabled may be suspicious, depending on the history and type of the account. Group changes, especially changes to a group’s membership, are very useful to track, since groups are used to control access to resources, link security policies and control wireless and remote access all over a Windows network. Changes to an organizational unit’s Security tab usually correspond to delegation of administrative authority over that OU but also occur when you change norm...
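As an added example (not from the original article), the sketch below triages the account and group changes described above over exported Security log records, and escalates a new account that is added to a sensitive group shortly after creation. The event IDs and field names are the standard Windows ones; the provisioning account, the sensitive group list, the one-hour window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Security log event IDs for the account and group changes discussed above
WATCHED = {4720: "user account created", 4722: "user account enabled",
           4724: "password reset attempted",
           4728: "member added to global group",
           4732: "member added to local group",
           4756: "member added to universal group"}
GROUP_ADDS = {4728, 4732, 4756}
# Assumptions for this example: site-specific lists, hypothetical names
PROVISIONERS = {"svc-hr-provision"}
SENSITIVE_GROUPS = {"Domain Admins", "VPN Users"}

def triage(events, window=timedelta(hours=1)):
    """Return (severity, message) per watched event, oldest first."""
    findings, created = [], {}   # created: account SID -> creation time
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["id"]
        if eid not in WATCHED:
            continue
        actor, target, sev = ev["SubjectUserName"], ev["TargetUserName"], "review"
        if eid == 4720:
            created[ev["TargetSid"]] = ev["time"]
            if actor not in PROVISIONERS:      # not the normal onboarding path
                sev = "high"
        elif eid in GROUP_ADDS and target in SENSITIVE_GROUPS:
            sev = "high"
            born = created.get(ev["MemberSid"])
            if born is not None and ev["time"] - born <= window:
                sev = "critical"               # new account given access at once
        findings.append((sev, f"{WATCHED[eid]}: {target} by {actor}"))
    return findings

# Constructed sample records (not real log data), fields named as in the events
T0 = datetime(2017, 9, 1, 2, 14)
SID = "S-1-5-21-1111111111-2222222222-3333333333-1142"
SAMPLE = [
    {"id": 4720, "time": T0, "SubjectUserName": "jsmith",
     "TargetUserName": "backup2", "TargetSid": SID},
    {"id": 4728, "time": T0 + timedelta(minutes=3), "SubjectUserName": "jsmith",
     "TargetUserName": "Domain Admins", "MemberSid": SID},
    {"id": 4724, "time": T0 + timedelta(hours=7), "SubjectUserName": "helpdesk1",
     "TargetUserName": "mjones", "TargetSid": SID[:-4] + "1107"},
    {"id": 4624, "time": T0, "SubjectUserName": "-", "TargetUserName": "jsmith"},
]

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE):
        print(f"{sev:8} {msg}")
```

Accounts are matched across events by SID rather than by name, because the member field of a group-change event is not the same string as the account name in the creation event.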