Results for (182)

With so much focus on security these days, you’d think IT would be winning the battle against malware and other threats. But all too often, a lack of focus on certain areas of the network leads to a decrease in an organization’s security posture an...

Email remains one of the most heavily used communications mediums within organizations today. With as much as 75 percent of your organization’s intellectual property stored in email[1], Microsoft Exchange is for all practical purposes a treasure trov...

Keeping malware off and external threat actors out of your network is definitely important. But equally important is considering how to protect your network if a threat does find its way in. One of the first goals of any external threat actor after it...

Every year, organizations spend millions of frustrating hours and countless sums of money trying to reverse the damage done by malware attacks. The harm caused by malware can be astronomical, going well beyond intellectual property loss and huge fine...

Dell Software is my longest time sponsor and has made possible many hours of my real training for free ™ webinars. We don’t usually give them much time to talk about their products on my webinars and they are really nice about that. So I ...

Note: This is part of an occasional series called “How Randy & Co Do It”. We are a small but technology-heavy shop. We have a lot of servers, strict security requirements and a dispersed workforce. I also dabble and tinker a lot so because of tha...

This month I’m going to zero in on a specific area of audit logging that creates no end of confusion, and that is the difference between 2 categories in the Windows security log: Account Logon events and Logon/Logoff events. These 2 categories ...

I’ve been noticing a lot of hype about security risks with the rise of virtualization and much of it vague and short on specifics. Also much of it seems to assume all the security we’ve built up on a physical server goes out the window when you mi...

In conjunction with integrating SolarWinds Log and Event Manager (LEM) with my LOGbinder software I had an opportunity to get to know LEM and I thought I’d share some of the highlights of what I discovered. Click here to download LEM now! For ...

One of the next coming of age moments for audit log management is automating more of the review and response tasks associated with security events. Right now we tend to expect log management SIEM solutions to scour logs, identify high-impact ch...

You just can’t cut corners today. In fact you need to be very careful about even “optimizing” your security efforts because it’s so easy to misjudge what needs to be secured and what doesn’t; what deserves your attention and what doesn’t. In fact ...

I recently spent some time with Trent Heisler at LogRhythm getting an update on their new LogRhythm 4.0 log management solution. LogRhythm is one of my site’s sponsors and I think you will find as I have that the log management/SEM vendors that...

Security standards and auditors make much of reviewing logs for malicious activity and I am constantly asked for event signatures indicative of intrusions or even more simplistically some ask “What are the top Event IDs for intrusion detection?” ...

This article was first published at Lumension’s Optimal Security blog: http://blog.lumension.com/6588/9-mistakes-apt-victims-make/ A couple years ago, Bruce Schneier said that against an APT attacker, “the absolute level of your security is what's imp...

Originally published at Lumension.com http://blog.lumension.com/4804/chances-are-someone-is-trying-to-steal-your-organizations-information/ Chances are someone is trying to steal your organization’s information. Instead of expending all your effo...

Dave Pack from LogRhythm dropped in to see me at the UltimateWindowsSecurity.com booth (come see us at booth 2240 South hall) booth here at RSA. As you know LogRhythm has been sponsoring my real training for free webinars for many years and is ...

This article was first published at Lumension’s Optimal Security blog: http://blog.lumension.com/6036/growing-threat-from-friendly-fire-from-vendors/ After we learned that Flame exploited Microsoft’s Auto Update infrastructure, I pointed out that if...

Originally posted at Lumension.com. Whenever I think about detecting and defending against today’s sophisticated threats I keep coming back to the same question, “How do you distinguish legitimate activity from malicious?”. That is not an easy quest...

Originally published at Lumension.com http://blog.lumension.com/4675/the-year-i-started-being-afraid/ I’ve been in IT since I was a kid. I was a real, stereotypical nerd. While other computer nerds were learning to program games, I turned up my nose ...

Duo Security is a cloud-based 2-factor authentication service that I’ve been following for some time. I sat down with Ash at the UWS booth here at RSA. (#2240 South Hall). Here's the #1 thing you need to know about Duo Security. ...

It was a fascinating week at the SANS Log Management Summit. We heard from many different users who shared their experiences and lessons learned from log management efforts. Allen Paller did a great job of facilitating and moderating each sessio...

I never have to convince people that monitoring Domain Controller security logs is important. With member servers on the other hand I sometimes have to explain why those security logs are important but that’s not difficult because folks, and ...

Maybe Quiet Riot isn’t your band (OK, the song was originally a 1973 Slade hit but come on, I was only 3) but that line describes the Windows security log so well. There’s no getting around the fact that there are a lot of useless and inexplica...

Log collection, SIEM and security monitoring are the journey not the destination. Unfortunately, the destination is usually a false positive. This is because we’ve gotten very good at collecting logs and other information from production systems, fil...

Windows supports the digital signing of EXEs and other application files so that you can verify the provenance of software before it executes on your system. This is an important element in the defense against malware. When a software publisher lik...

All the way back in the late 90’s I realized that passwords, even for myself, were a big vulnerability. With more websites requiring logins I realized that my multiplying “Post-It Note” situation was not going to work. This left me two options: A p...

Ransomware has burst onto the scene with high profile attacks against hospitals and other organizations. How do you detect ransomware? Ransomware is just another kind of malware and there’s nothing particularly advanced about ransomware compared to o...

Darin Pendergraft from SecureAuth stopped by the UltimateWindowsSecurity booth (South 2240). Visit SecureAuth in the South Hall at booth 2107 and be sure to see their interactive product demo using the Oculus Rift! Randy: Alright so we’re back a...

I have 2 rules of thumb when it comes to audit logging. First, if it has a log I recommend enabling it – as simple as that. The only exceptions are prohibitively verbose logging options associated with debugging or the surprisingly rare c...

Intrusion detection and compliance are often the focus of log management/SIEM efforts and security logging in general. But security logs (when managed correctly) are also the only control over rogue admins. Why do I say that? Well...

Unstructured data access governance is a big compliance concern. Unstructured data is difficult to secure because there’s so much of it, it’s growing so fast and it is user created so it doesn’t automatically get categorized and controlled like struc...

Defense-in-depth pretty much backs up the thought that every security technology has a place. But are they all created equal? Security is not a democratic process and no one is going to complain about security inequality if you are successful in stop...

This article was first published at Lumension’s Optimal Security blog: http://blog.lumension.com/6684/anatomy-of-reflective-memory-attacks/ Ophiocordyceps unilateralis is a parasitiodal fungus that, beginning with a microscopic spore, infects a certa...

Service Account Attack #4: Golden Tickets. In this blog series, we’ve focused on ways to find and compromise Active Directory service accounts. So far, this has led us to compromise accounts which grant us limited access to the services ...

Interest continues to build around pass-the-hash and related credential artifact attacks, like those made easy by Mimikatz. The main focus surrounding this subject has been hardening Windows against credential attacks, cleaning up artifacts left behi...

Ransomware is about denying you access to your data via encryption. But that denial has to be of a great enough magnitude to create sufficient motivation for the victim to pay. Magnitude of the denial is a factor Value of the encrypted copy of the dat...

Security is an ever-escalating arms race. The good guys have gotten better about monitoring the file system for artifacts of advanced threat actors. They in turn are avoiding the file system and burrowing deeper into Windows to find places to store t...

Computers do what they are told whether good or bad. One of the best ways to detect intrusions is to recognize when computers are following bad instructions – whether in binary form or in some higher-level scripting language. We’ll talk about scripti...

This article was first published in EventTracker’s EventSource Newsletter: http://www.eventtracker.com/newsletters/using-dynamic-audit-policy-to-detect-unauthorized-file-access/ One thing I always wished you could do in Windows auditing was mandate t...

This article was first published in EventTracker’s EventSource Newsletter: http://www.eventtracker.com/newsletters/how-to-use-process-tracking-events-in-the-windows-security-log/ I think one of the most underutilized features of Windows Auditing and...

If attackers can deploy a remote administration tool (RAT) on your network, it makes it so much easier for them. RATs make it luxurious for bad guys; it’s like being there on your network. RATs can log keystrokes, capture screens, provide RDP-like re...

Windows audit policy has evolved for 20 years and many people at Microsoft have come and gone. The result is what one Microsoftie describes as “good”. See: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-po...

No matter how big or small you are, whether you have budget or not – you need to be monitoring changes in Active Directory. There are awesome Active Directory audit solutions out there. And ideally you are using one of them. But if ...

Service Account Attack #2: Extracting Service Account Passwords. In our first post, we explored how an attacker can perform reconnaissance to discover service accounts within an Active Directory (AD) domain. Now that we know how to find service ac...

This article was first published in EventTracker’s EventSource Newsletter: http://www.eventtracker.com/newsletters/following-a-users-logon-tracks-throughout-the-windows-domain/ In this article, I’ll show you the security events that get logged when a...

Had many, many valuable conversations with colleagues in DC a couple weeks ago at HP Protect 2013 about auditing and monitoring SharePoint, SQL Server and Exchange. This is a tough subject because there are so many details. You can’t just...

We are pleased to announce the release of LOGbinder SP 3.0. The fundamentals of LOGbinder remain the same. It continues to support SharePoint 2007 and SharePoint 2010, Foundation (WSS), Standard, and Enterprise editions. While nothing was removed fro...

Chances are you’ve heard about the network administrator, Terry Childs, who reportedly held the City of San Francisco’s network hostage last week rather than sharing access with fellow IT folks. Clearly, this was a management issue first and for...

Moving Exchange to the Office 365 cloud eliminates a lot of work but it doesn’t eliminate your compliance responsibilities or security requirements. To be compliant and to detect information grabs and data theft you need 2 critical feeds of activity ...

Sometimes we get hung up on event monitoring and forget about the “I” in SIEM which stands for information. And that’s important because there are more sources of non-event security information that your SIEM should be ingesting and correlating with ...

This article was first published in EventTracker’s EventSource Newsletter: http://www.eventtracker.com/newsletters/auditing-file-shares-windows-security-log/ Over the years, security admins have repeatedly asked me how to audit file shares in Wind...

As I write this yet another ransomware attack is underway. This time it’s called Petya and it again uses SMB to spread but here’s the thing. It uses an EXE to get its work done. That’s important because there are countless ways to infect systems, wit...

Windows gives you several ways to control which computers a given account can logon to. Leveraging these features is a critical way to defend against persistent attackers. By limiting accounts to appropriate computers you can Enforce written policies...

AD Attack #3 – Ntds.dit Extraction. With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other more serious and effective attacks are often overlooked. One such attack is focused ...

Stealing Credentials with Mimikatz. Mimikatz is an open-source tool built to gather and exploit Windows credentials. Since its introduction in 2011 by author Benjamin Delpy, the attacks that Mimikatz is capable of have continued to grow. Also, the...

Recently Thycotic sponsored a webinar titled "Kali Linux: Using John the Ripper, Hashcat and Other Tools to Steal Privileged Accounts". During the webinar Randy spoke about the tools and steps to crack Active Directory domain accounts. He...

Effective security log monitoring is a very technical challenge that requires a lot of arcane knowledge and it is easy to get lost in the details. Over the years, there are 4 things that stand out to me as fundamentals when it comes to keeping the bi...

It’s been a huge project to record, edit, embellish and enhance but we are finally done. My 3-day Security Log Secrets course on the Windows Security Log is now available in my unique On-Demand, Interactive format. We call it “on-demand” ...

It doesn’t rhyme and it’s not what Whittier said but it’s true. If you don’t log it when it happens, the evidence is gone forever. I know personally of many times where the decision was made not to enable logging and was later regretted when somethin...

To be even better, your SIEM needs more intelligence without noise. Like the universe we live in, the area that must be monitored for APTs constantly expands. It is hard to focus on the significant security events when the field of view keeps getting...

Cloud security is getting attention and that’s as it should be. But before you get hung up on techie security details like whether SAML is more secure than OpenID Connect and the like, it’s good to take a step back. One of the tenets of information s...

How do you figure out when someone was actually logged onto their PC? By “logged onto” I mean, physically present and interacting with their computer. The data is there in the security log but it’s so much harder than you’d think. First of all, whil...

There’s plenty of interest in all kinds of advanced security technologies like threat intelligence, strong/dynamic authentication, data loss prevention and information rights management. But so many organizations still don’t know one of the basic ind...

Most of my trainings are delivered online – they’re convenient to you and me in our busy schedules. But I have to make time for The Experts Conference (TEC) because it’s one of the few conferences where you can get actual Active Directory train...

I’ve always tried to raise awareness about the importance of workstation security logs. Workstation endpoints are a crucial component of security and the first target of today’s bad guys. Look at news reports and you’ll find that APT attacks and outs...

Hi folks. If you are wondering how many computers on your network have QuickTime installed and how to get rid of it, I’ve got some help for you in the form of a video, PowerShell script, AppLocker policy and free tools from SolarWinds. If...

AD Permissions Attack #3: Persistence using AdminSDHolder and SDProp. Now that we’ve compromised privileged credentials by exploiting weak permissions, it’s time to make sure we don’t lose our foothold in the domain. That way, even if the accounts...

We hear a lot about tracking privileged access today because privileged users like Domain Admins can do a lot of damage but more importantly if their accounts are compromised the attacker gets full control of your environment. In line with this concer...

I’m a big believer in security analytics and detective controls in general. At least sometimes, bad guys are going to evade your preventive controls and you need the critical defense-in-depth layers that detective controls provide through monitoring ...

There are 5 different ways you can logon in Windows. We call them logon types. The Windows Security Log lists the logon type in event ID 4624 whenever you logon. Logon type is what allows you to determine if the user logged on at th...

Are you registered for HP Protect 2013? Can you come? I hope to see you there at my LOGbinder booth and at my breakout session #1488 – “Setting traps for malicious outsiders and APTs on your network” HP Protect is next month Sep...

One of the most frequent complaints I hear from you folks is “We need a SIEM but can’t afford the big enterprise solutions.” And as a tech-heavy small business owner I truly understand the need for software that installs in minutes and doesn’t ...

With data breaches and Snowden-like information grabs I’m getting increased requests for how to track data moving to and from removable storage such as flash drives. The good news is that the Windows Security Log does offer a way to audit removable s...

SolarWinds Log and Event Manager provides connectors for common log sources that understand how to translate raw events from a specific log source into their equivalent normalized event type. I love event normalization like SolarWinds’ LEM beca...

I found some pretty cool stuff at RSA. Some new technologies that I’ve never thought of before and others that are just as fun as they are valuable. More Fun with Hard Drive Destruction: Fun and an effective solution to a vexing problem – old hard drive...

Endpoint malware is getting more and more sophisticated and more and more vendors and content/file types are being targeted. The signature based model of classic antivirus (AV) and the teams and infrastructure behind it are increasingly stretched t...

I’ve perused the National Institute of Standards and Technology draft Guide to Computer Security Log Management (Special Publication 800-92) and have some thoughts to share. (You can find the guide at http://csrc.nist.gov/publications/nistpubs/8...

As more and more information and processes move to SharePoint, it becomes critical for compliance and security requirements to monitor and audit SharePoint activity. I was very excited when I first learned about the SharePoint audit log but I quickl...

There are a LOT of authentication companies at RSA 2015 this year. It’s been fun learning the difference between them – and there are big differences. Arshad Noor from open source company StrongAuth (South Hall booth 2332), came by t...

I am excited to announce the release of our latest audit logging agent over at LOGbinder.com... Introducing LOGbinder SQL Our LOGbinder SQL agent enriches SQL Server’s cryptic and generic audit messages to produce easy-to-understand audit log event...

I'm excited to announce that my software company, LOGbinder, has just released LOGbinder SQL as beta. If you need audit logging for SQL Server you will be interested to know about SQL Server 2008's new audit foundation and how LOGbinder SQL all...

This code signing hack at Adobe and the available information still leave a lot of unanswered questions. No one I’ve talked to has been able to get to the bottom of it. Here’s what I have put together. One of their code-signing servers g...

I am excited to announce that my first On Demand, Interactive course – Audit and Assessment of Active Directory – is now finished and ready for the first trainees. And you have an opportunity to get this training for free if you agree to keep r...

Patch management is changing fast. Patching used to be primarily a Windows and MS Office thing. But as Microsoft has improved their patch process and released tools to help enterprises manage patches, the bad guys have been forced to turn...

Recently Thycotic sponsored a webinar titled "Kali Linux: Using John the Ripper, Hashcat and Other Tools to Steal Privileged Accounts". During the webinar Randy spoke about the tools and steps to crack local Windows passwords. Here are th...

I’m frequently asked what the best audit policy is in Windows. As you know there are 9 different audit policies you can enable for Success and/or Failure. While I recommend some of those policies be enabled no matter what there are others that depe...

I’m excited to announce the release of LOGbinder EX for Exchange Server which bridges the gap between Exchange and your SIEM. With today’s ever-growing compliance burden and threat-scape, obtaining visibility into the dominant messaging platf...

SharePoint audit policy is widely regarded as a site collection level setting leading many to believe you must apply one audit policy to all objects in the entire site collection. If that were the case you would run into some real granular...

Sometimes I wonder and today I wonder even more. I've been a Microsoft MVP for years and I just got the email you see below. Of course they don't really explain. Last year I did everything I have in the past and more - yet they say the M...

With 2008, SQL Server finally has a real audit log capability. It’s flexible, high performance and can report its events directly to the Windows Security Event Log which means you can leverage the security and integrity of the security log AND ...

The value of the Authenticated Users special principal is overrated. This is especially true with regard to the common recommendation to replace occurrences of the Everyone special principal in ACLs with Authenticated Users. This recommendation ...

Right or wrong, Syslog remains the de facto standard protocol for log forwarding. Every SIEM and log management solution in the world accepts syslog. So frequently you run into the situation of needing to forward Windows events via syslog. But Window...

Yesterday, Microsoft gave its monthly advance notification of security bulletins ahead of this coming Patch Tuesday. There are 2 new vulnerabilities in Windows and I bet you they are workstation-centric. Have you noticed what I’ve noticed? T...

Wow I just got off the phone with a prospective customer helping them to determine if our LOGbinder SP product would integrate with their SIEM solution (it did and does with all SIEM solutions). During the call they told me something I found ...

We just released a new and free edition of Supercharger for Windows Event Collection which you can get here. There are no time-outs and no limits on the number of computers you can manage with Supercharger Free. I wanted to include more than...

Sudo is awesome and so is every other technology that helps you implement least privilege over admins. But at the end of the day you are just getting more granular with the risk but the risk is still here. Take a help desk staffer who needs to handle...

Much of the security and control of an enterprise IT environment rests on Active Directory. It provides authentication and access control for Windows users and applications, as well as for UNIX, Linux and mainframes. Even VPNs, ...

For compliance and protecting root access on UNIX and Linux you can’t live without sudo. I’ve written and done several webinars recently on how to implement sudo so that no one ever logs on with root; you can implement least privilege instead, making e...

Like UNIX, at its core, Linux’s security model is basically monolithic. You either have root access or you don’t. But root access is too powerful for so many reasons. And routinely using the actual root account – while easy and still frighteningly comm...

I’m very impressed with the Active Directory integration found in LogRhythm 5.0. This represents a new frontier in log management maturity. The new AD integration in LogRhythm 5.0 allows you to combine information from Active Directory wi...

Dominant impression: “If you can’t say it, you don’t know it.” So many booths; so little idea of what they do. I know they don’t do everything. None of us do. Not even the titans of the infosec industry. So one of us: either yours truly or the i...

Here’s another cool thing I found, this time at Redseal’s South Booth 1107. Their software collects configuration and state data from all your routers, firewalls and switches and builds an incredible visualization of your network and its struct...

In previous webinars I showed how to control what privileged authority is in Linux and UNIX. With sudo you can give admins the authority they need without giving away root and all the security risks and compliance problems caused by doing so. Bu...

As most of you know Microsoft released early this morning a security advisory for that Excel vulnerability. http://www.microsoft.com/technet/security/advisory/921365.mspx The reason I’m writing this blog is because I want to make the poi...

Venue announced: Hilton Los Angeles North/Glendale & Executive Meeting Ctr 100 West Glenoaks Blvd Glendale, CA United States, 91202 Tel: 818-956-5466 Fax: 818-956-5490 Many of you have expressed interest in my Security Log Secrets in-person t...

I am very excited today to announce the beta release of LOGbinder SP - my first software solution aimed at expanding the reach of log management. LOGbinder SP allows you to audit security events in SharePoint with the Windows Security Log. Why do I n...

I was just reading about the CEO of Lieberman Software and his rant about RSA SecurID. Talk about kicking them when they're down! He reportedly accuses RSA of letting SecurID languish. I don't know if RSA has done that or not. ...

As you know I view compromised user endpoints (aka workstations and laptops) as the biggest risk facing us today. And that’s why I love application control (aka whitelisting) from UWS sponsors like (Lumension and Bit9+CarbonBlack). But th...

With sudo you can give admins the authority they need without giving away root and all the security risks and compliance problems caused by doing so. But once you carefully delegate limited, privileged authority with sudo you still need an audit trai...

I was amazed when I saw the Beijing Zhongguancun Overseas Science Park (Elephant #1) in the North expo hall. Some folks come out and say it and some use euphemisms but when people talk about APT actors, that boogeyman is commonly ...

Windows is the largest and most widely used operating system in the world. Security is arguably the most demanding discipline within the field of IT. Combine Windows and Security and for some you have an oxymoron. Regardless how you feel...

I know from the emails I receive and site stats that hundreds of thousands of people over the years have made use of the information at UltimateWindowsSecurity.com. I’m excited to announce that we have made some major updates. 1. ...

UNIX and Linux with sudo is a fact of life. It’s one of the first things auditors look for and it’s the native option for you to protect root from being abused. It’s also the standard way to implement least privilege and enforce accountability over p...

I just wanted to let you all know that I have a few new partners that have joined our SIEM Synergy Partner Program over at LOGbinder.com. I would like to welcome SolarWinds and Prism Microsystems as certified ...

Dynamics CRM 2011 keeps us sane here at Monterey Technology Group, Inc as we manage a wide array of product and service offerings with a handful of people. But CRM is missing some key features that seem like no brainers. Thankfully I've f...

I did a webinar a while back with Paul Henry on “What One Digital Forensics Expert Found On Hundreds of Hard Drives, iPhones and Android Devices” which was sponsored by Blancco Technology Group who makes really cool data erasure software for the ente...

Here’s another find from the South Hall at RSA 2015 I came across (I’d snuck away from the UWS booth while Barry wasn’t looking.) The 2,000+ of you who’ve attended my recent endpoint security webinars know how much I worry about endpoint securi...

Was just messing with BitLocker today. I enabled BitLocker on a Win7 computer that is a member of a domain but before configuring group policy to require BitLocker recovery keys to be backed up to AD before locking the drive. So I enabled the "...

Microsoft just released an official advisory on this vulnerability and the advisory contains 2 good recommendations you might consider to mitigate the threat until Patch Tuesday: 1) Use the Word Viewer to view documents since the viewer isn’...

Prism Microsystems recently announced a free - but real - consolidation and search solution for logs. And it really works. It's called EventTracker PULSE and it's based on Prism's flagship log management solution - EventTracker - which fr...

A couple months ago I did a real training for free (tm) session on Top 11 Dos and Don’ts of Managing Access Control in the Windows/AD Environment and many of you were impressed like me with how Quest Access Manager simplified or eliminated many of my...

Come meet Randy in Orlando at Microsoft Ignite at Quest's Booth #1818. Today everything needs to be secure, but you need to start with Active Directory. Because if Active Directory isn’t secure – nothing else in your organization is regardle...

Whenever you encrypt data, you run the risk of losing access to that data if you lose the key. I frequently receive calls for help from frantic admins who upgraded their boss’s PC and can’t access the EFS encrypted data - definitely a case o...

Please help me help you in the coming year. I need your help to determine which security topics to cover and to prioritize my real training for free™ sessions. The survey will take about 15 minutes of your time, but it will make a big impact on what ...

Vulnerability scanning can be a smart way to reduce risk on corporate networks. But, there’s a dark side to vulnerability scanning, too. For instance, scan reports may show that your network is safe when threats still exist. Scanners can also create ...

Microsoft finally released the patch for the very public Word 2000/2002/2003 vulnerability I began blogging about several weeks ago. (http://www.ultimatewindowssecurity.com/blog) Until now your only real protection has been comprehensive and up-...

I have a new technical brief titled "Who, What, When, Where and Why: Tracking the 5 W's of Change in Active Directory, SharePoint, SQL Server, Exchange and VMware". Your organization relies on you to prevent and detect tampering, unauthorized access ...

Vista, Windows 7 and Windows Server 2008 generate a lot of events regarding the Windows Firewall and for most of us in most scenarios this is at best chatter if not downright noise. Here's how to get rid of it. You need to disable all of the a...

Jeff Warren of StealthBits and I were talking about this really cool idea he had a while back about detecting pass the hash attacks with a special kind of honey pot. Jeff is doing a webinar on this on Thursday August 9, 2018 and here’s mor...

A couple hours ago, my Google sidebar lit up with new postings about the new vulnerability in Word, discovered by Symantec, that apparently opens a back door. I am frustrated at the total lack of detail on this so far and no other recommenda...

Today Microsoft released 7 bulletins that cover every supported version of Windows and Office – including the Mac versions of Office. Web server admins will want to pay particular attention to MS06-033 and MS06-034 which impact ASP.NET 2.0 and A...

Just a quick note about the new audit/security log features in Windows 7 and Windows Server 2008 R2: You can finally configure audit subcategories via group policy! No more need for running auditpol scripts on thousands of computers. Glob...

Microsoft licensing is complex, confusing and time consuming. “I just want the license key – legally!”, right? While trying to figure out how I could get a legal copy of Windows 8.1 Enterprise for a friend (they need Windows To Go Creator), I came ac...

I just released two new "How-To" videos on monitoring two important areas with Windows Event Collection. Video 1 - In this 4 minute video, I show you step-by-step how you can use my latest product, Supercharger, to create a WEC subscription that pul...

Big Data Security Analytics (BDSA) is the subject of exuberant predictions. However, a Gartner analyst points out that no available BDSA solutions come close to these forecasts. Nevertheless, the principles of Big Data are the key to adva...

Just found this document at MS. I’ll post more when I’ve had a chance to review it. If you’ve been reading about BitLocker drive encryption in Vista you may already know that one option for storing recovery keys is in Active Directory. Y...

I’ll be presenting a session entitled “Everything Matters: Every Setting, Every Component, Every Technology” at SecuritySCAPE 2012 which is a really cool IT security virtual event, bringing together industry analysts, thought leaders and IT pro...

I can't believe this. Well, it's Microsoft, so yes I can believe it. Where did the "Replace auditing entries on all child objects" go in Active Directory Users and Computers? While doing some consulting for a company I just noti...

Just a quick heads up that changes are coming - actually some pretty good sounding enhancements - to auditing in Windows Server 2012. We are finally getting expression-based audit policies which will hopefully make it possible to define super g...

Introducing: LOGbinder SQL - SQL Audit Policy Wizard Our totally free SQL Audit Policy Wizard steps you through the process of implementing SQL Server 2008 auditing. You can use our recommended baseline audit policy or customize it to fit your ...

Many organizations are seeing surges in the amount of unstructured data in their environments, even as new data breaches come to light every week. As a result, those organizations face increased audit and regulatory pressure regarding loose access co...

Over at LOGbinder we've released a new whitepaper explaining how LOGbinder SP is the only recognized solution for providing reliable audit information about the security events of SharePoint via HP ArcSight and how it works with many other SIEMs. Did...

Triathlon, pentathlon, just a few more days of the Summer Olympics are left but there’s one more event happening in mid-September: Randy Franklin Smith’s Quadrathlon. On September 12 I will be taking on the audit logs of Microsoft...

A fellow Microsoft Most Valuable Professional (MVP) and our friends over at MSExchangeGuru recently reached out to me regarding an event being held by Virtual Tech Conference (VTC). VTC is a MVP community with the goal of keeping us all up-to...

That’s how long Austrian based SEC Consult plans to give you to load MS06-029 - Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442) before they release vulnerability and exploit details. My...

We have an added treat in today's real training for free ™ session. 2 of my guests on the webinar will describe their firsthand experience with helping a company recover from NotPetya and their lessons learned so far. All 15,000 employees...

I love Tilana's Continuous Data Protection - it's awesome and now they support running on 64 bit workstations! Beyond efficiently backing up files as soon as they change or are created, Tilana also syncs folders between multiple computers - wor...

I’m excited to be part of SANS’s Log Management 2006 Summit July 12-14, 2006 in Washington DC. I’ll be there presenting sessions along with Eric Fitzgerald from Microsoft. Eric is Microsoft’s resident expert on Windows audit and security log...

This post is to announce my new wiki devoted to all things Windows security related. As of today there are 745 pages that cover the core security settings of Windows and the all new security log in Vista and Windows Server 2008. This wiki re...

With as many IE related ActiveX control vulnerabilities we’re seeing, you would be well served to use an administrative template (.ADM file) to push out kill bits via group policy and subsequently roll them back after associated patches are rele...

I'm happy to let you know that with the recent release of LOGbinder SP 3.0 I've updated our Recommended Alerts and Reports for SharePoint (LOGbinder SP) which you can find at http://www.logbinder.com/Resources/. Updates include cover...

I just learned from the EventTracker Newsletter about a new draft recommendations document from the National Institute of Standards and Technology entitled "Guide to Computer Security Log Management". This 64 page document could be an influe...

Just a quick note about what looks like a pretty bad backdoor to Windows 7's AppLocker and the older Software Restriction Policies. I've just learned about it and will be covering it in greater detail in tomorrow's webinar. It's a backdoor cr...

Jeff Warren really knows AD security and the Windows Security Log. He brings me a lot of good ideas and tips for enhancing my Security Log Encyclopedia. He also really stays up-to-date on the latest cyber attack techniques and thinks abou...

I recently wrote a whitepaper on protecting the unstructured data in your environment. Unstructured data is a critical security risk and compliance concern for organizations. Your company's emails, documents and spreadsheets contain readily dig...

When are they going to make a few fundamental improvements like being able to run multiple processes at the same time so that you can produce in the background while editing another video? I'm getting tired of being loyal to software products, buying...

I recently completed a whitepaper for HP ArcSight that details the available logs in Microsoft Exchange and how you can connect those to HP ArcSight. Even if you are not an ArcSight user you will still want to read this to see which logs are availab...

I just wrote a new whitepaper about SQL auditing. Security analysts must have meaningful, relevant audit data from the mission critical applications such as SQL Server. Database admins must have no disruptions nor degradation to the performanc...

A while back I did a free training webinar on SQL Injection attacks. Applicure sponsored the webinar and demonstrated their dotDefender product. I am aware that the vendors I invite to sponsor my training events are a reflection on me and may be in...

Just in case you missed today's webinar you can still get my whitepaper that the webinar was based off of. Click here to download my whitepaper "APT Confidential: 14 Lessons Learned from Real Attacks". Our webinar and whitepaper spo...

Folks, here’s a podcast version of a fascinating webinar I just did with Richard Wang who runs SophosLabs. Richard and his team are on the front line of today’s war against malware. One of the most interesting infosec conversations I’ve had in a long...

The Microsoft Office team is working on a patch for a new vulnerability in Excel. I’ve been unable to find out how bad the exploit is but apparently at least one MS customer has been impacted by the vulnerability. Windows Safety Live has been up...

Bad news: The back door does actively connect back to a malicious website (apparently a server in the 3322.org domain) and accepts commands. Good news: It appears that most AV vendors have succeeded in getting a signature out. The S...

This is a PowerShell script I developed to use in my own IT audits of Active Directory and for a webinar: 10 Steps to Cleaning Up Active Directory User Accounts and Keeping Them that Way. It outputs a comma-delimited list of user accounts and t...

Is it just me or does the placement of this option automatically necessitate a KB article just so that you can find it? I know. Too much time on my hands... But even an old cynic like me cracks at some point...

This whitepaper by Randy Franklin Smith provides an overview of the 4 different logs in SharePoint and discusses their relative merits in terms of security value and how to integrate with your SIEM. Click here to download it now....

This whitepaper by Randy Franklin Smith provides an overview of the 3 different audit logs in Exchange and discusses their relative merits in terms of security value and how to integrate with your SIEM. Download it now here....

Want to hear all about Recent Security Features in Active Directory You Probably Aren't Using? See my presentation at The Experts Conference, Aug 27-28 in Charleston, SC. Use this special reg code for ½ off: 50%OFFTEC!*! https://bit.ly/2DHLcki #TheEx...

Here are links to my recent whitepaper and webinar commissioned by Quest Software. You really do need a reporting solution for Active Directory and this whitepaper and webinar will help you justify the investment. Whitepaper Webinar...

Why managed file transfer matters; the basics of file transfer security and compliance; how to improve IT agility with managed file transfer automation; key requirements for managed file transfer solutions. Download now or get your signed copy at booth ...

The customSD registry value doesn't work on Windows Server 2008. Instead you must use the wevtutil command. See my updated article at http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Manage-auditing-and-security-log...

Quest Software's Kirk Munro and I got together and solved 3 security headaches with this new PowerGUI PowerPack. And did I mention it's free? http://www.ultimatewindowssecurity.com/tools/wspowerpack/ ...

Password Management: Top Ways to Deal with the Necessary Evil - http://www.ultimatewindowssecurity.com/webinars/register.aspx?id=79 ...

The venue has been announced for my upcoming SLS class in LA. Please click here for more details on the event http://www.ultimatewindowssecurity.com/blog/default.aspx?p=137e4ecb-adb6-4c5e-806a-f87e99ad2944. ...

My new Rosetta Audit Logging Kits take the guess work out of monitoring security logs and meeting compliance requirements. Learn more here. ...

Just released: “Top 10 Ways to Identify and Detect Privileged Users by Randy Franklin Smith” white paper. Read it online here: https://blog.stealthbits.com/top-10-ways-to-identify-and-detect-privileged-users...
