Posted by Roger Abell [MVP] on March 26, 2007, 10:54 am
Interesting Wolfgang.
I believe that a much higher load would be needed in order
to really stress the logging process. Filesystem access logging
is however probably the most likely to cause issues as this does
load the I/O subsystem doubly hard.
My own feeling is that if dropping of events were an issue, then
there surely would have been some noise about this. In fact, this
post is the first time I have ever seen the potential even discussed.
Roger
> Roger Abell [MVP] wrote:
>> I see where you are coming from Kevin, and it sounds like a
>> valid potential. All I have to say is that I have never heard
>> of anyone reporting "lost" events due to loading.
>
>
> Will Windows' logging miss events under high load situations? I
> thought about this and performed the following test:
>
> I created a test folder on a Windows 2003 server. On the NTFS folder,
> I set full permissions and set an SACL that records any failure.
> Within the folder, I created three test files. I set explicit
> permissions such that I could read but not modify the files. I then
> created a CIFS share wherein I had full access.
>
> On this same server, I created an Example user and set the password. I
> made sure the Example user was a member of the same groups as I, and
> that it had the same permissions to the shared files.
>
> I used four Windows clients. On the first three, I ran a script that
> opened the test file and attempted to write data. Each client had its
> own test file and I modified the script accordingly. This script was
> "testwrite.vbs" and I have listed it below. It attempts to write 1000
> times.
>
> On the fourth Windows client, I ran a script that attempts to map a
> network drive to the Server using the Example user's credentials. I
> put in the wrong password, thus in part simulating a brute-force
> password attack.
>
> Back on the Windows server, I cleared the security log. I then
> executed all four scripts simultaneously. This generates some 5,000
> events in a couple of minutes. Would the Windows server drop any of
> these events?
>
> I validated the number of events using the testresults.vbs script.
> This counts the events by Event ID and gives a report. There were
> 3,000 failed file access events. There were 2 bad password events,
> followed by 998 account locked out events, with a total of 1,000
> failed logon messages. All 5,000 events were captured.
>
> I ran this test several times and never saw an event drop. I am
> including the scripts below so that you can test this in your own
> environment.
>
> Regards,
>
> J Wolfgang Goerlich
>
>
--------------------------------------------------------------------------------
> ' testwrite.vbs
>
> On Error Resume Next
>
> ' Constants
>
> Const ForWriting = 2
> Const UncTestPath = "\\Server\Testshare"
> Const MapTestFile = "testfile1.txt" ' Client 1 uses Test 1, Client 2 uses Test 2, etc
>
>
> ' Dimension Variables
>
> Dim oLog ' Log text file
> Dim oNet ' Network
> Dim oNTFS ' File System
>
>
> ' Instantiate the objects
>
> Set oNet = CreateObject("WScript.Network")
> Set oNTFS = CreateObject("Scripting.FileSystemObject")
>
>
> For X = 1 to 1000
>
> ' Map a network drive
>
> oNet.RemoveNetworkDrive "X:"
> oNet.MapNetworkDrive "X:", UncTestPath
>
>
> ' Open the file
>
> ' The file ACL allows read but not write, so the open is denied and the
> ' server records a failure audit (Event ID 560); On Error Resume Next
> ' keeps the loop going
> Set oLog = oNTFS.OpenTextFile("X:\" & MapTestFile, ForWriting, True)
> oLog.WriteLine "Depending on this file's ACL, this write will generate an error." & VbCrlf
>
>
> ' Done, clean up
>
> oLog.Close
> Set oLog = Nothing
> oNet.RemoveNetworkDrive "X:"
>
> Next
>
> MsgBox "Done!"
>
>
--------------------------------------------------------------------------------
> ' testlogin.vbs
>
> On Error Resume Next
>
> ' Constants
>
> Const ForWriting = 2
> Const UncTestPath = "\\Server\Testshare"
> Const Username = "Server\Example"
> Const Password = "NoSecretNow"
>
> ' Dimension Variables
>
> Dim oNet ' Network
>
> ' Instantiate the objects
>
> Set oNet = CreateObject("WScript.Network")
> Set oNTFS = CreateObject("Scripting.FileSystemObject")
>
>
> For X = 1 to 1000
>
> ' Map a network drive
>
> ' Using the wrong password will throw:
> ' Error: Logon failure: unknown user name or bad password.
> ' Code: 8007052E
> ' Source: WSHNetwork.MapNetworkDrive
>
> oNet.MapNetworkDrive "X:", UncTestPath, , Username, Password
> oNet.RemoveNetworkDrive "X:"
>
> Next
>
> MsgBox "Done!"
>
>
--------------------------------------------------------------------------------
> ' testresults.vbs
>
> Const Computer = "."
> Const FailedFileAccess = 560
> Const FailedLogon = 680
> Const AccountLockedOut = 539
> Const BadPassword = 529
>
> ' Event Type: Failure Audit
> ' Event Source: Security
> ' Event Category: Object Access
> ' Event ID: 560
> ' Description:
> ' Object Open:
> ' Object Server: Security
> ' Object Type: File
>
> ' Event Type: Failure Audit
> ' Event Source: Security
> ' Event Category: Account Logon
> ' Event ID: 680
> ' Description:
> ' Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
>
> ' Event Type: Failure Audit
> ' Event Source: Security
> ' Event Category: Logon/Logoff
> ' Event ID: 539
> ' Description:
> ' Logon Failure:
> ' Reason: Account locked out
>
> ' Event Type: Failure Audit
> ' Event Source: Security
> ' Event Category: Logon/Logoff
> ' Event ID: 529
> ' Description:
> ' Logon Failure:
> ' Reason: Unknown user name or bad password
>
> FailedFileAccessCount = 0
> FailedLogonCount = 0
> AccountLockedOutCount = 0
> BadPasswordCount = 0
>
> ' Connect to WMI on the local machine; the (Security) privilege is
> ' required to read the Security log
> Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\" & Computer & "\root\cimv2")
> ' Flags 48 = ReturnImmediately + ForwardOnly, so a large log is streamed
> ' rather than loaded into memory
> Set oEvents = oWMI.ExecQuery("Select * from Win32_NTLogEvent Where Logfile = 'Security'",,48)
>
> On Error Resume Next
> For Each oRecord in oEvents
>
> Select Case oRecord.EventIdentifier
> Case FailedFileAccess
> FailedFileAccessCount = FailedFileAccessCount + 1
>
> Case FailedLogon
> FailedLogonCount = FailedLogonCount +1
>
> Case AccountLockedOut
> AccountLockedOutCount = AccountLockedOutCount + 1
>
> Case BadPassword
> BadPasswordCount = BadPasswordCount + 1
>
> Case Else
>
> End Select
>
> Next
>
> Results = _
> "Failed File Access (" & FailedFileAccess &") = " _
> & FailedFileAccessCount & Vbcrlf & _
> "Failed Logon (" & FailedLogon & ") = " _
> & FailedLogonCount & Vbcrlf & _
> "Account Locked Out (" & AccountLockedOut & ") = " _
> & AccountLockedOutCount & Vbcrlf & _
> "Bad Password (" & BadPassword & ") = " _
> & BadPasswordCount
>
> MsgBox Results
>
>
--------------------------------------------------------------------------------
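Added example, not part of the thread or Wolfgang's scripts: a Python reconciliation of the per-ID tally that testresults.vbs produces, run over a constructed record list standing in for the Win32_NTLogEvent query. It checks each ID against the totals the post reports, checks the invariant that bad-password plus lockout events equal the account-logon failures, and flags Event ID 516, which is assumed here to be the pre-Vista "audit queue exhausted" record.

```python
"""Reconcile Security-log counts from the load test against expected totals."""
from collections import Counter

FAILED_FILE_ACCESS = 560
FAILED_LOGON = 680
ACCOUNT_LOCKED_OUT = 539
BAD_PASSWORD = 529
AUDIT_QUEUE_EXHAUSTED = 516  # assumed ID for "loss of some audits"; verify on your host

# Totals from the post: 3 clients x 1000 writes, 1000 bad-password mappings
# (2 bad-password failures, then 998 lockouts, each paired with one 680).
EXPECTED = {FAILED_FILE_ACCESS: 3000, FAILED_LOGON: 1000,
            BAD_PASSWORD: 2, ACCOUNT_LOCKED_OUT: 998}


def tally(records):
    """Count records by EventIdentifier, like the Select Case in testresults.vbs."""
    return Counter(r["EventIdentifier"] for r in records)


def reconcile(records, expected=EXPECTED):
    """Report per-ID shortfall, the logon invariant, and any audit-loss indicator."""
    counts = tally(records)
    shortfall = {eid: want - counts[eid]
                 for eid, want in expected.items() if counts[eid] < want}
    # Each rejected credential yields one 680 and exactly one of 529 / 539.
    logon_balanced = counts[BAD_PASSWORD] + counts[ACCOUNT_LOCKED_OUT] == counts[FAILED_LOGON]
    loss_reported = counts[AUDIT_QUEUE_EXHAUSTED] > 0
    return {
        "counts": dict(counts),
        "shortfall": shortfall,
        "logon_balanced": logon_balanced,
        "audit_loss_reported": loss_reported,
        "complete": not shortfall and logon_balanced and not loss_reported,
    }


def constructed_records(drop_file_events=0):
    """Synthetic Security log matching the post's run, minus some 560s if asked."""
    ids = ([FAILED_FILE_ACCESS] * (3000 - drop_file_events)
           + [BAD_PASSWORD] * 2 + [ACCOUNT_LOCKED_OUT] * 998
           + [FAILED_LOGON] * 1000)
    return [{"Logfile": "Security", "EventIdentifier": i} for i in ids]


if __name__ == "__main__":
    print(reconcile(constructed_records()))
    print(reconcile(constructed_records(drop_file_events=7))["shortfall"])
```

On a live host the record list would come from the same WMI query the VBScript runs; the shortfall dictionary is what to inspect if a run ever comes up short.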