From: secedu@all.net
Reply-to: secedu@all.net
Organization: Information Security Educators Mailing List
Subject: Information Security Educators Mailing List 1999-01-13
<pre>---------------------------------------------
From: "Rob Slade, doting grandpa of Ryan and Trevor" <rslade@sprint.ca>
Subject: REVIEW: "Windows NT Event Logging", James D. Murray

BKWNTEVT.RVW   981101

"Windows NT Event Logging", James D. Murray, 1998, 1-56592-514-9,
U$32.95/C$48.95
%A   James D. Murray
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   1998
%G   1-56592-514-9
%I   O'Reilly & Associates, Inc.
%O   U$32.95/C$48.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%P   316 p. + CD-ROM
%T   "Windows NT Event Logging"

I have a SCSI drive.  For some reason this fact generates an event
every time I start my NT machine.  Event logging and auditing plays a
role at least as central to data security as does encryption.  At one
time I worked for an outfit whose product was the basis of a theft
retrieval system.  Obviously our data did not age well, so event traps
were written to alert the system administrator as soon, and in as many
different ways, as possible.  At the moment I am reviewing a product
that is failing in a very consistent manner.  Unfortunately, I can't
get enough information about the manner, because I haven't yet found
an event log that gets written in regard to this problem.

Administrators of mini and larger machines, and of course all security
mavens, will be well familiar with the concept of event logging,
although many desktop users and support people will be new to the
idea.  Murray has written a valuable, though not easy, book to cover
the issue.

Chapter one explains what event logging is, and how it is used in
troubleshooting, resource tracking, and security.  It also provides
details of the WinNT event logs, and their use.  The event logging
service and its functions are treated in chapter two.  Event Viewer
operation is detailed in chapter three, complete with a list of
annoyances and limitations.  Chapter four goes into considerable
detail regarding security auditing, and discusses the famous (or
infamous) C-2 security standards.

Chapter five provides programmers with details of the Event Logging
API (Application Programming Interface).  Event logs themselves do not
hold messages as such, and so message files must be created, as is
outlined in chapter six.  You may wish to access the event logs
outside of the standard Event Viewer application, so chapter seven
provides sample code to indicate how this is done.  Reporting events
is covered for a variety of languages in chapter eight.

The appendices contain much useful information.  A has a list of
resources for further information.  A number of them are quite
generic, but there is a compendium of useful titles of interest in the
Microsoft Knowledge Base.  Event logging under Windows for Workgroups
is covered in B.  WinNT security events are detailed in C.  D provides
a description of the DumpEl utility.  Kernel mode logging is described
in E.

Although I had many reasons to be personally interested in the topic,
I must say that I found the book very heavy going.  In addition the
structure, while not disorganized, sometimes seems to lack focus, and
the reader needs to go to a number of chapters to find information on
a single topic.  Whatever its minor faults, however, this work
contains significant data and advice on a very important topic for
programmers, support people, administrators, and, yes, even users.

(Besides, how can I resist a book illustrated with a Castor canadensis
on the cover?)

copyright Robert M. Slade, 1998   BKWNTEVT.RVW   981101

======================
rslade@vcn.bc.ca  rslade@sprint.ca  robertslade@usa.net  p1@canada.com
Find virus, book info http://victoria.tc.ca/int-grps/techrev/rms.html
Robert Slade's Guide to Computer Viruses, 0-387-94663-2 (800-SPRINGER)
--------------------------------------------
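The chapter summaries above touch on three things a practitioner would want to see done rather than described: reporting an event through the API, reading a log outside Event Viewer, and pulling audit records from the Security log. The following is an added example, not code from the book or from the review, written for a current Windows host with PowerShell 5.1 or later (NT 4 has no PowerShell); the log and source names are hypothetical, and registering a source or reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the book or the review). Shows: registering an
# event source, reporting an event, reading it back without Event Viewer,
# and listing audit failures from the Security log.
# Assumptions: Windows with PowerShell 5.1+, run elevated; the source name
# below is hypothetical.

$LogName = 'Application'
$Source  = 'ExampleReviewApp'   # hypothetical event source name

# 1. Register an event source. An event record stores an event ID and
#    insertion strings, not the message text itself; the text comes from
#    a message file (a DLL) registered for the source. New-EventLog
#    registers a generic message file so Write-EventLog entries render.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# 2. Report an event (the ReportEvent API underneath).
Write-EventLog -LogName $LogName -Source $Source -EventId 1001 `
    -EntryType Warning -Message 'Example event written from PowerShell'

# 3. Read it back outside Event Viewer using a filter hashtable.
Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = 1001 } -MaxEvents 5 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# 4. Security auditing: the last 20 audit failures in the Security log.
#    0x8010000000000000 is the standard "Audit Failure" keyword bit.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Keywords = 0x8010000000000000 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 5. Remove the hypothetical source again.
Remove-EventLog -Source $Source
```

Step 1 is the practical side of the point made about chapter six: if an application writes events under a source with no message file registered for it, the records are still stored, but Event Viewer and Get-WinEvent can only show the raw insertion strings with a "description ... cannot be found" notice, because the log never held the message text in the first place.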
