Security Events Log for addition of members into GUESTS security group

[libroos]

Dear all,

If someone add members into security groups, e.g. GUESTS or ADMINISTRATORS, what would be the logged Windows Security event ids in the Windows 2000 Server?

What are the typical description of the security logs?

R there any good log analyzer program?

Regards,
libroos

 

[itsp1965]

If you have auditing enabled you should see the following events appearing;
631 Security enabled global group created
§ 632 Security enabled global group member added
§ 633 Security enabled global group member removed
§ 634 Security enabled global group deleted
§ 635 Security disabled local group created
§ 636 Security disabled local group member added
§ 637 Security enabled local group member removed
§ 638 Security enabled local group deleted
§ 639 Security enabled local group changed
§ 641 Security enabled global group changed

Hope this helps

 

[libroos]

I've checked the Servers, but could not find it. I guess it could be that the auditing settings are not enabled.

Where do I enable detailed auditing settings?

R there any recommended hardening steps?

 

[itsp1965]

In local security policy (for servers not on the domain) or group policy --> Security Settings-->Local Policy-->Audit policy