By Adrian Grigorof, B.Sc., MCSE
Most Windows environments lack a monitoring solution for events that might be critical for the organization.
Here are some scenarios:
In general, some of these events pass unnoticed until something happens, and suddenly all levels of management begin to ask who was responsible for monitoring, why it wasn't done, and so on. The administrator of the Windows environment may quickly become the scapegoat for every security issue affecting the network. So what can a Windows administrator do to avoid this situation? With a little planning and a modest budget, it is possible to reach a level where it is easy to show that the administrator did his or her best to monitor the security of the Windows environment.
In the first phase, the admin needs to obtain the cooperation of management. Given the reluctance most managers show when staff ask for new "toys", the request has to be put in the proper terms. First, prepare a list of threats against the Windows servers along with a short description of the effect of each attack. For example:
Next, specify how long it would take to verify the security logs manually (without any tools) on a regular basis. For example, you would have to check the security logs on all domain controllers every hour, spending at least 5 minutes per server reading the events and deciding whether anything is suspicious. Any manager would agree that this kind of monitoring would be highly disruptive to your other tasks. At this point, present him or her with a tool that performs this task and sends a notification of any suspicious activity in the event logs. For example, if you have to monitor 5 Windows servers and some of the important workstations, you may decide to implement a monitoring solution based on GFI's LANGuard (Security Event Log Monitor). The price for 5 servers and 50 workstations is US$ 750. For an intermediate administrator with an hourly rate of US$ 30, spending one hour per day monitoring the logs on 5 servers would cost the company over US$ 7,500 a year (250 working days at US$ 30 each). That is 10 times the price of GFI's LANGuard, and it would achieve maybe 50% of the results.
The most common behavior of middle management in such situations (having their technical staff ask for monitoring software) is to delay the whole process: "Sounds good... we will see what we can do, maybe we can find some money in next year's budget". Translated: "Forget about it... you can do it manually while you do all the other fire fighting". In this case, the administrator should ask the manager (ideally via email) to confirm that they are aware of, and willing to assume, the risk that some important security events may go undetected until a monitoring solution is in place. Most probably, your manager will not be willing to assume this risk and would rather find room in the budget for a reasonably priced solution like GFI's LANGuard.
If you do convince your manager to approve the modest cost of monitoring software, you will have to develop a good methodology for dealing with the various notifications. At www.eventid.net we use LANGuard to monitor our 3 servers and 10 workstations. Here is what we
Figure 1 - LANGuard "Noise Reduction" processing rule
One example of an event that can safely be ignored is event ID 612 (Audit Policy Change on Windows 2000/XP/2003), which a Windows machine generates when it applies the computer group policy settings as a member of an Active Directory domain. At startup, you can see this event:
Event Type: Success Audit
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Since a policy change is an unusual event, LANGuard will consider it critical and notify you with the following message:
Event ID : 612
User EMACHINE$ from domain ALTAIRTECH changed the Audit Policy for the machine EMACHINE.
Since this event is "normal", adjust the Audit Policy Change rule so that it does not report the event when it is triggered by the EMACHINE$ account (the EMACHINE computer itself). Note that the restriction should be on this specific computer account, not on any account ending in "$": a different computer's account changing the audit policy on EMACHINE is exactly the kind of event you want to hear about.
To add this event to the Noise Reduction rule, follow these steps:
Fig. 2 - LANGuard Edit Rule Window
7. In the "Field restrictions" section
Once this is done, audit policy change notifications for this computer will no longer generate a notification (but they will still be recorded in the database).
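The filtering logic behind a Noise Reduction rule like the one above, as an added Python example that is not part of LANGuard or of the original article: a minimal rule engine that stores every event in the database but notifies only on event 612 records whose acting account is not the logging computer's own account. The SecurityEvent and Rule classes, the own_machine_account check and the sample events are assumptions constructed for illustration. It goes one step beyond the text by matching the account against the hostname rather than just the trailing "$", so a different computer account (OTHERBOX$ here) changing EMACHINE's audit policy still produces a notification.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class SecurityEvent:
    """One Security log record, reduced to the fields the rule needs (assumed shape)."""
    event_id: int
    event_type: str   # "Success Audit" or "Failure Audit"
    user: str         # account named in the event, e.g. "EMACHINE$" or "jsmith"
    domain: str       # e.g. "ALTAIRTECH"
    computer: str     # machine whose Security log holds the event


@dataclass
class Rule:
    """A processing rule: the event IDs it covers and the field restrictions
    (noise-reduction checks) that suppress a notification when they match."""
    name: str
    event_ids: set
    suppress_if: List[Callable[[SecurityEvent], bool]] = field(default_factory=list)


def own_machine_account(ev: SecurityEvent) -> bool:
    """True when the acting account is the logging computer's own account.
    NT computer accounts are the hostname plus '$'; comparing against the
    hostname (not just the trailing '$') keeps a *different* computer
    account touching this machine's policy reportable."""
    return ev.user.upper() == ev.computer.upper() + "$"


# Hypothetical rule mirroring the article's "Audit Policy Change" rule with
# the EMACHINE$ field restriction generalised to "the machine itself".
AUDIT_POLICY_CHANGE = Rule(
    name="Audit Policy Change",
    event_ids={612},
    suppress_if=[own_machine_account],
)


def format_notification(rule: Rule, ev: SecurityEvent) -> str:
    return (f"[{rule.name}] Event ID : {ev.event_id} - user {ev.user} "
            f"from domain {ev.domain} on machine {ev.computer}")


def process(events: List[SecurityEvent],
            rules: List[Rule]) -> Tuple[List[SecurityEvent], List[str]]:
    """Every event is written to the database; a notification is produced only
    for events that match a rule and pass all of that rule's restrictions."""
    database: List[SecurityEvent] = []
    notifications: List[str] = []
    for ev in events:
        database.append(ev)
        for rule in rules:
            if ev.event_id not in rule.event_ids:
                continue
            if any(check(ev) for check in rule.suppress_if):
                break   # noise: stored, not reported
            notifications.append(format_notification(rule, ev))
            break
    return database, notifications


# Constructed sample log for the demo, not captured data.
SAMPLE_EVENTS = [
    # startup: the machine applies its own group policy -> noise
    SecurityEvent(612, "Success Audit", "EMACHINE$", "ALTAIRTECH", "EMACHINE"),
    # an interactive user changing the audit policy -> report
    SecurityEvent(612, "Success Audit", "jsmith", "ALTAIRTECH", "EMACHINE"),
    # another computer's account changing EMACHINE's audit policy -> report
    SecurityEvent(612, "Success Audit", "OTHERBOX$", "ALTAIRTECH", "EMACHINE"),
    # successful logon; no rule for it in this demo -> stored only
    SecurityEvent(528, "Success Audit", "jsmith", "ALTAIRTECH", "EMACHINE"),
]


def run_sample() -> Tuple[List[SecurityEvent], List[str]]:
    return process(SAMPLE_EVENTS, [AUDIT_POLICY_CHANGE])


if __name__ == "__main__":
    db, notes = run_sample()
    print(f"{len(db)} events stored, {len(notes)} notifications:")
    for n in notes:
        print(" ", n)
```

Running it stores all four sample events and sends two notifications (the jsmith and OTHERBOX$ policy changes); the EMACHINE$ startup event is stored silently, which is the behaviour the rule edit above is meant to produce.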
Why do you need to monitor your Security event log?