Identifying target system's auditing policy

jspears80

Are there any methods that would allow you to scan a target system to figure out what the auditing policy is set as? Similar to NMAP and how it scans a range of ports and reports back, is it possible while connected to the same LAN, to detect a system's audit policy?

tldr; I want to see if the server I am accessing is logging activity.
 
Viper, I suspect that what he wants to know is off limits to discuss here.
And probably why no one has responded.
That info could be used for possible hack attacks.
 
The last time I saw you in a topic you said the exact same thing.

You can say this about a lot of stuff related to servers and networking. System administrators got loads of tools which they can use to do illegal stuff. Using nmap in your own infrastructure is quite normal. And what he is asking probably is too.
 
It is a Windows 2008 R2 server and I don't have any specific activity I am concerned with, but an example would be any log of files copied to and from the system.

Viper, I appreciate your response. I posted the same question to the security forum and they deleted it. I am trying to perform a detailed audit of my systems and was just curious if there were any vulnerabilities in how Windows deals with its audit logs. If people can identify what is being audited then I want to set up a control that blocks that ability.

Honestly, I am pretty sure it is not possible to do such a thing since auditing typically is a very internal process in the server and doesn't reply back to anything normally. But maybe there are circumstances where this isn't the case. /Shrug
 
I never heard of any event logs being available to the outside. If you want to do a thorough security check on your servers you can use nmap to check for open ports, like you already did. Then check each open port for the service behind it. See if that's secured with a pass. You can keep Wireshark open to check for any unencrypted traffic (pain in the ass to do).

Isn't there a security auditing guide or something you can use? Or read up on best practices for security. Microsoft has lots of exams. Probably also some about security.
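
For the administrator's side of the question (is file activity on the Windows 2008 R2 server being logged at all), here is an added example that is not from any poster in this thread. It parses the CSV report of the built-in `auditpol` tool, run locally from an elevated prompt; the function name `Get-FileAuditCoverage` and the sample rows are constructed for illustration.

```powershell
# Added example. Parses the CSV report produced locally by:
#   auditpol /get /category:* /r
# and reports whether the subcategories that cover file activity are audited.
function Get-FileAuditCoverage {
    param(
        [string[]]$CsvLines,
        [string[]]$Subcategories = @('File System', 'File Share', 'Handle Manipulation')
    )
    # auditpol pads its report with blank lines; drop them before parsing.
    $rows = $CsvLines | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Subcategories) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Setting     = $setting
            # "Success", "Failure" or "Success and Failure" all mean events are written.
            Audited     = ($setting -match 'Success|Failure')
        }
    }
}

# Constructed sample report (host name and GUID fields are placeholders).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'SRV01,System,File System,{GUID-PLACEHOLDER},No Auditing,'
    'SRV01,System,File Share,{GUID-PLACEHOLDER},Success and Failure,'
    'SRV01,System,Handle Manipulation,{GUID-PLACEHOLDER},No Auditing,'
    'SRV01,System,Logon,{GUID-PLACEHOLDER},Success,'
)

Get-FileAuditCoverage -CsvLines $sample |
    Select-Object Subcategory, Setting, Audited |
    Format-Table -AutoSize

# On the server itself, from an elevated prompt, feed in the live report instead:
#   Get-FileAuditCoverage -CsvLines (auditpol /get /category:* /r)
#
# Policy alone is not enough for file access events: the folder or file must
# also carry an auditing entry (SACL) before "File System" events are written.
```

With the sample rows, only File Share reports as audited, so reads and writes on local folders would leave no Security log entries on that configuration.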
 