Security Event Messages

TheMSsForum.com: The Microsoft Software Forum

Hello,

Does anyone know of a good reference (web or book) that gives the
meaning/definition of security event messages? I referenced Microsoftâ??s web
site but does not provide what I need.

Example:
Event ID 618 â??Encrypted Data Recovery policy changed.â?? What does this mean?
How was this generated?

Event ID 612 â??An audit policy was changed.â?? I see quite a bit of these
entries but no changes were made in the policy; this was generated by system
account. I need a reference that explains why this happens and what it does?

Any thoughts on a good reference for what I am looking for?

Thanks
Top

Re: Security Event Messages by Steven

Steven
Wed Nov 03 16:58:06 CST 2004

I don't know of one good reference but the one below is a good start.

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

Event ID 618 "Encrypted Data Recovery policy changed, means that someone
changed the Group Policy settings for EFS Recovery Agent in a Group Policy
that affects that computer. Gpresult can be helpful in determining what
Group Policies apply to a computer.

Event ID 612 "An audit policy was changed" means what it says in that the
audit policy was changed. Since system made the changes both events were
probably generated by Group Policy applied to the computer at the domain or
Organizational Unit level. Event Viewer will show an event when security
policy was last applied. --- Steve

"Rob" <Rob@discussions.microsoft.com> wrote in message
news:75656934-AF71-4626-A16C-F7A15206C6DE@microsoft.com...
> Hello,
>
> Does anyone know of a good reference (web or book) that gives the
> meaning/definition of security event messages? I referenced Microsoft's
> web
> site but does not provide what I need.
>
> Example:
> Event ID 618 "Encrypted Data Recovery policy changed." What does this
> mean?
> How was this generated?
>
> Event ID 612 "An audit policy was changed." I see quite a bit of these
> entries but no changes were made in the policy; this was generated by
> system
> account. I need a reference that explains why this happens and what it
> does?
>
> Any thoughts on a good reference for what I am looking for?
>
> Thanks


Top

Re: Security Event Messages by Rob

Rob
Thu Nov 04 18:19:07 CST 2004

Steven,

Thank you for your reply. I did come across the website you provided which
was helpful but I do need some more in-depth.


Does anyone know of other resources?

Thanks


"Steven L Umbach" wrote:

> I don't know of one good reference but the one below is a good start.
>
> http://www.microsoft.com/technet/security/guidance/secmod144.mspx
>
> Event ID 618 "Encrypted Data Recovery policy changed, means that someone
> changed the Group Policy settings for EFS Recovery Agent in a Group Policy
> that affects that computer. Gpresult can be helpful in determining what
> Group Policies apply to a computer.
>
> Event ID 612 "An audit policy was changed" means what it says in that the
> audit policy was changed. Since system made the changes both events were
> probably generated by Group Policy applied to the computer at the domain or
> Organizational Unit level. Event Viewer will show an event when security
> policy was last applied. --- Steve
>
> "Rob" <Rob@discussions.microsoft.com> wrote in message
> news:75656934-AF71-4626-A16C-F7A15206C6DE@microsoft.com...
> > Hello,
> >
> > Does anyone know of a good reference (web or book) that gives the
> > meaning/definition of security event messages? I referenced Microsoft's
> > web
> > site but does not provide what I need.
> >
> > Example:
> > Event ID 618 "Encrypted Data Recovery policy changed." What does this
> > mean?
> > How was this generated?
> >
> > Event ID 612 "An audit policy was changed." I see quite a bit of these
> > entries but no changes were made in the policy; this was generated by
> > system
> > account. I need a reference that explains why this happens and what it
> > does?
> >
> > Any thoughts on a good reference for what I am looking for?
> >
> > Thanks
>
>
>
Top