Friday, May 30, 2014

Winsock Event viewer tracing

Using Event Viewer to Start Winsock Network Event Tracing

When you open Event Viewer, the left pane contains the list of events. Open Applications and Services Logs and navigate to Microsoft\Windows\Winsock Network Event as the source and select Operational.
In the Action pane, select Log Properties and check the Enable Logging check box. Once logging is enabled, you can also change the size of the log file if this is needed.
Winsock network event tracing is now enabled and all you need to do is hit the Refresh action to update the list of events that have been logged. To stop logging, simply uncheck the same radio button.
You may need to increase the log size depending on how many events you want to see. One drawback to using the Event Viewer for Winsock tracing is that it does not load all the string resources so the messages displayed in the Description field (once you select an event) is sometimes hard to read (an argument that should be formatted as hex will be displayed in decimal, for example). However, you can select the Details tab in the event description which shows the raw XML log entry which usually has easier to understand arguments.

Using Event Viewer to Start Winsock Catalog Change Tracing

When you open Event Viewer, the left pane contains the list of events. Open Applications and Services Logs and navigate to Microsoft\Windows\Winsock Catalog Change as the source and select Operational.
In the Action pane, select Log Properties and check the Enable Logging check box. Once logging is enabled, you can also change the size of the log file if this is needed.
Winsock catalog change tracing is now enabled and all you need to do is hit the Refresh action to update the list of events that have been logged. To stop logging, simply uncheck the same radio button.
You may need to increase the log size depending on how many events you want to see. One drawback to using the Event Viewer for Winsock tracing is that it does not load all the string resources so the messages displayed in the Description field (once you select an event) is sometimes hard to read (an argument that should be formatted as hex will be displayed in decimal, for example). However, you can select the Details tab in the event description which shows the raw XML log entry which usually has easier to understand arguments.



Audit service start and stop

Like files and folders, services are access-controlled objects, and every access-controlled object has a security descriptor.

Part of a service's security descriptor is the system ACL (SACL), which you can use to track access to that object.

The only way to view or change a service's current SACL is through security templates.

To reach the security templates, log on to the server and open the Microsoft Management Console (MMC) Security Templates snap-in.
To create a new template, right-click on the security templates path.
Select New Template, click System Services, then double-click the appropriate service (i.e., Telnet). Select the Define this policy setting in the template check box, then click Edit Security to open the Security for Telnet dialog box.

This dialog box contains the service's ACL, which you can use to fine-tune who has start and stop authority.

Click Advanced, then select the Auditing tab in the Access Control Settings for Telnet dialog box.

As you can see, no auditing is currently enabled on the Telnet service because auditing isn't enabled by default.

Click Add, then add an entry to track successful start and stop events that members of Everyone initiate.
 Close all the dialog boxes, then save the template.
Import the template into the MMC Security Configuration and Analysis snap-in, then apply the template.
Now, you can check the Security log for event ID 560 (success audit: object open), where Object Type is SERVICE OBJECT, the Object Name is the short name of the service you're monitoring (in the case of the Telnet Service, TlntSvr), and the logged accesses include Start the service and Stop the service.



Source:
http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services


TCP retransmission



 You can increase this value with registry key TcpMaxDataRetransmissions

“This entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the Local Group Policy Editor. This entry sets the maximum number of retransmissions of a TCP segment containing data before the connection is abandoned. The retransmission timeout is doubled with each successive retransmission on a connection. It is reset when responses resume. The base timeout value is dynamically determined by the measured round-trip time on the connection.”


You need to add this registry key


You can check more details in Microsoft online documentation: