Host-Based Intrusion Detection Using W2K Auditing Features, presented at BlackHat Windows 2001

by Macy Bergoon

Summary: Effective auditing is a key component of any security strategy. This session takes auditing to the next level: intrusion detection. All aspects of the Windows 2000 auditing subsystem are discussed, along with general strategies anyone can use to begin monitoring for unauthorized activity at no cost beyond that of the operating system.

High-level topics include effective auditing, auditing strategies, W2K functionality, Group Policies, the Event Log subsystem, auditing DHCP, auditing Message Queues, and the IPSEC audit log. Event log collection and preservation issues are discussed, along with new methods for log analysis and trending. A solid understanding of the W2K auditing subsystem provides an excellent foundation for all host-based security implementations.
Presentation slides (PowerPoint, 710k)