Thursday, June 21, 2007

Vista-Compatible Release of Event Archiver is Here!

As promised, we released version 7.0 of Event Archiver yesterday. Event Archiver 7.0 is the first of our log management titles to support Microsoft Windows Vista™ and the new EVTX log format. However, Event Archiver 7.0 is more than just "compatible" with Windows Vista, as it also introduces some very cool abilities our marketing department refers to as LogRefiner™ technology.

Specifically, the biggest LogRefiner™ technology accomplishment is that downlevel EVT files from previous Microsoft Windows® versions get processed correctly when Event Archiver is running on Windows Vista, which the built-in Event Viewer on Vista cannot do properly. Beyond that, it encompasses numerous other features, such as consolidating fields in EVTX files, appropriately categorizing security events as Success Audits and Failure Audits, and placing user information from a Security EVTX file back in the User field. You can read all of the features here:

As far as we know, we're the first log management ISV to offer this level of dual EVT/EVTX file processing technology. But, we've also been in the market since 1997, so pioneering new log management techniques is nothing new to us!

On top of the Windows Vista features, we also added MD5 cryptographic hashing of archived log files and a Working Directory feature for local processing of remote log files.

Needless to say, this is a huge accomplishment that we're very proud of. Now, it's back to the skunkworks to get our other log management titles working with Vista.

Friday, June 15, 2007

Vista-Compatible Release of Event Archiver is Near

With all the posting we've been doing about Vista events recently, you may have assumed we've been doing a lot of work to get our software titles Vista-ready. You'd be correct.

Stay tuned to the blog, as next week we're going to reveal Version 7.0 of Event Archiver, with tons of really cool new Vista-specific features. We're introducing some pretty radical technology, and we think you'll be quite impressed! :)

Friday, June 1, 2007

Auditing Changes To Permissions (Event ID 4670)

Last week, I mentioned that Vista had a neat new event (Event ID 4907) that told you when the SACL (i.e. the list of users/groups who generate security events *when they access* a file/folder/securable object) was changed. Well, there is another new event that you could say is the twin brother to Event ID 4907.

Event ID 4670 gets logged when anyone changes the DACL (Discretionary Access Control List) on a file, folder, or securable object. For more information on DACLs and SACLs, you can refer to this post below, but as a reminder, the DACL of a file/folder/object is the list of users/groups that *can access* or are *denied access to* a file/folder. In other words, that file or folder's permissions.

Prior to Vista, you had to root around in the description field of Event ID 560 or 566/567 and check the Accesses granted to a user that touched a file to see if they could have (or actually did) change the permissions on a file. Now in Vista, Event ID 4670 will tell you immediately if the permissions get changed, who changed them, what they used to look like, and what they look like now. Here's a sample of how the event looks:

Permissions on an object were changed.

Security ID: DOMAIN\Admin
Account Name: Admin
Account Domain: DOMAIN
Logon ID: 0x11b8ffd

Object Server: Security
Object Type: File
Object Name: C:\financials.txt
Handle ID: 0xf50

Process ID: 0x50c
Process Name: C:\Windows\explorer.exe

Permissions Change:
Original Security Descriptor: D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)
New Security Descriptor: D:ARAI(A;;0x1e01bf;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)

So, you can see it looks a lot like its brother, Event ID 4907, even down to using the same SDDL strings to indicate the changes to user/groups who have permissions on the file. Very cool stuff.
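As an added example (not code from the original post or from Event Archiver), here is a small Python script that parses the two SDDL security descriptor strings from the sample Event ID 4670 above and reports which ACEs were added or removed, so you can see at a glance that an explicit ACE for Everyone (WD) was introduced. The sample strings are copied from the event text; the flag, SID and rights abbreviations are the standard SDDL ones.

```python
import re
from collections import namedtuple

# Sample descriptors copied from the Event ID 4670 text shown above.
ORIGINAL_SD = "D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)"
NEW_SD = "D:ARAI(A;;0x1e01bf;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)"

# One ACE in SDDL is "(type;flags;rights;object_guid;inherit_guid;sid)".
Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid sid")
ACE_RE = re.compile(r"\(([^)]*)\)")
BROAD_SIDS = {"WD": "Everyone", "AN": "Anonymous", "AU": "Authenticated Users"}

def parse_dacl(sddl):
    """Return (dacl_flags, [Ace, ...]) from the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL: %r" % sddl)
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append(Ace(*fields))
    return m.group(1), aces

def diff_dacl(old_sddl, new_sddl):
    """Compare two DACLs: changed control flags plus ACEs added and removed."""
    old_flags, old = parse_dacl(old_sddl)
    new_flags, new = parse_dacl(new_sddl)
    return {"flags_changed": old_flags != new_flags,
            "added": [a for a in new if a not in old],
            "removed": [a for a in old if a not in new]}

def review_change(old_sddl, new_sddl):
    """Turn a 4670 descriptor change into short, human-readable findings."""
    d = diff_dacl(old_sddl, new_sddl)
    findings = []
    for ace in d["added"]:
        note = "added %s ACE for %s with rights %s" % (ace.ace_type, ace.sid, ace.rights)
        # ACE flags are two-letter codes; no "ID" means it was set directly on the object.
        codes = [ace.flags[i:i + 2] for i in range(0, len(ace.flags), 2)]
        if "ID" not in codes:
            note += " (explicit, not inherited)"
        if ace.sid in BROAD_SIDS:
            note += " [broad principal: %s]" % BROAD_SIDS[ace.sid]
        findings.append(note)
    for ace in d["removed"]:
        findings.append("removed %s ACE for %s with rights %s" % (ace.ace_type, ace.sid, ace.rights))
    return findings

if __name__ == "__main__":
    for line in review_change(ORIGINAL_SD, NEW_SD):
        print(line)
```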