Accessing Local Security Policy
Command Line = secpol.msc
In the GUI, open the Search menu and type Local Security Policy
Important security-related Event IDs
::: Windows 2008 and later
::: 4624 – An account was successfully logged on.
::: 4625 – An account failed to log on.
::: 4649 – A replay attack was detected.
::: 4720 – A user account was created.
::: 4740 – A user account was locked out.
::: 4723 – An attempt was made to change an account’s password.
::: 4724 – An attempt was made to reset an account’s password.
::: 4698 – A scheduled task was created.
::: 1102 – The specified user cleared the Security Log.
Note
::: Windows 2003
::: 528 – An account was successfully logged on.
::: 529 – Bad Password
::: 680 – An account failed to log on.
::: 681 – FailedToLogOn
::: 642 – ResetPassword
::: 624 – CreatedUser
::: 644 – UserLockout
::: 540 – NetworkLogOn
Example command
Logparser.exe -i:EVT -o:CSV "SELECT TimeGenerated, SourceName, EventCategoryName, Message INTO c:\4698_SuccessToLogOn.csv FROM Security WHERE EventID = 4698"
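
The same kind of query with PowerShell's Get-WinEvent, as an added example that is not part of the original page: it counts the Windows 2008+ event IDs listed above and then lists log-clear and scheduled-task events one by one. The 24-hour look-back window and the shortened descriptions are assumptions of this example.

```powershell
# Added example: summarise the Windows 2008+ event IDs from the list above.
# Run from an elevated prompt; reading the Security log requires it.
$ids = @{
    4624 = 'Account successfully logged on'
    4625 = 'Account failed to log on'
    4649 = 'Replay attack detected'
    4720 = 'User account created'
    4740 = 'User account locked out'
    4723 = 'Attempt to change an account password'
    4724 = 'Attempt to reset an account password'
    4698 = 'Scheduled task created'
    1102 = 'Security log cleared'
}
$since = (Get-Date).AddHours(-24)   # assumed look-back window

# -ErrorAction SilentlyContinue suppresses the "no events were found" error,
# so an empty result simply produces empty output below.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]@($ids.Keys)
    StartTime = $since
} -ErrorAction SilentlyContinue

# Count per event ID, with the description from the table above.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventID';     e={$_.Name}},
                  Count,
                  @{n='Description'; e={$ids[[int]$_.Name]}} |
    Format-Table -AutoSize

# Triage choice of this example: show each log-clear (1102) and
# scheduled-task creation (4698) event with the first line of its message.
$events | Where-Object { $_.Id -in 1102, 4698 } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
                  @{n='Summary'; e={($_.Message -split "`r?`n")[0]}} |
    Format-Table -AutoSize -Wrap
```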