Why do you need to monitor your Security event log?

By Adrian Grigorof, B.Sc., MCSE

Most Windows environments lack a monitoring solution for events that might be critical for the organization. Here are some scenarios:
1. Someone logs in by guessing the password of an important user (could be your boss or it could be the CEO’s secretary)
2. The password of a service account is changed and suddenly the service is no longer functional
3. Malicious admins log in with generic domain admin accounts and access sensitive files (e.g. HR files)
4. Someone hacks into the network and compromises critical data like customer information, marketing plans, projects and other similar documents. Most probably an external auditor will be brought in to assess the situation.

In general, some of these events pass unnoticed until something happens, and suddenly all levels of management begin to ask who was responsible for monitoring, why it hasn’t been done, and so on. The administrator of the Windows environment may quickly become the scapegoat for all the security issues affecting the network. So what can a Windows administrator do to avoid this situation? With a little planning and a modest budget, the environment can be brought to a level where it is easy to show that the administrator did his or her best to monitor Windows security.

In the first phase, the admin needs to obtain the cooperation of management. Given the reluctance most managers show when staff ask for new “toys”, the request has to be put in the proper terms. First, prepare a list of threats against the Windows servers along with a short description of the effect of each attack. For example:
- Unauthorized login – may compromise the data (confidentiality, integrity)
- Viruses and worms – may affect the availability of the system, resulting in lost productivity; may compromise the data (integrity)
- Mistakes – accounts being deleted, password changes – may affect productivity

Next, specify how long it would take to verify the security logs manually (without any tools) on a regular basis. For example, you would have to check the security logs on all domain controllers every hour, spending at least 5 minutes per server reading the events and determining whether there is anything suspicious. Any manager would agree that this type of monitoring would be highly disruptive to your other tasks. At this point, you would present him or her with a tool that performs this task and sends a notification of any suspicious activity in the event logs. For example, if you have to monitor 5 Windows servers and some of the important workstations, you may decide to implement a monitoring solution based on GFI’s LANGuard (Security Event Log Monitor). The price for 5 servers and 50 workstations is US$ 750. For an intermediate administrator with an hourly rate of US$ 30, spending one hour per day monitoring the logs on 5 servers would cost the company over US$ 7,500 over a year! That's 10 times the price of GFI's LANGuard, and it would achieve maybe 50% of the results...

The most common behavior for middle management in such situations (having their technical staff asking for monitoring software) is to delay the whole process: "Sounds good... we will see what we can do, maybe we can find some money in next year's budget". Translated: "Forget about it... you can do it manually while you do all the other fire fighting". In this case, the administrator should ask the manager (ideally via email) to confirm that they are aware of, and willing to assume, the risk that some important security events may go undetected until a monitoring solution is in place. Most probably, your manager will not be willing to assume this risk and would rather find room in the budget for a reasonably priced solution like GFI’s LANGuard.

If you do convince your manager to approve the modest cost of monitoring software, you will have to develop a good methodology for dealing with the various notifications. At www.eventid.net we use LANGuard to monitor our 3 servers and 10 workstations. Here is what we recommend:

Once you have LANGuard in place (the installation is quite simple and intuitive) you will start to receive notifications triggered by the various security events recorded by your servers. Because each environment is different, in the beginning you may receive "Critical"-level notifications that are in fact the effect of normal operation on your network. For example, the help desk people may change user passwords quite often, or you may have certain applications that change the audit policy of the server. Once you identify that some of these events are benign, adjust the LANGuard notification criteria to exclude that type of event. LANGuard has a special event processing rule called "Noise Reduction" that is preconfigured for this task (see figure 1). Just add a new criterion! Make sure you specify a criterion that excludes only that type of activity - for example, do not exclude all the security policy change events but only those that happen to be triggered by a specific user on a specific computer.

Do not simply delete notifications after a quick glance... in time, you will get into the habit of ignoring the notifications from LANGuard, or maybe reading them from time to time. This would defeat the very concept of monitoring the event logs for unusual events. Once you configure LANGuard to exclude benign events from the notifications, you know that any notification you do receive is an anomaly that requires your attention. As security guru Marcus J. Ranum put it in a log monitoring article, you have to build an "Artificial Ignorance" system - that is, a system that notifies you about the events you don't know about (the "known ones" are "noise" that you want to suppress).

Figure 1 - LANGuard "Noise Reduction" processing rule

One example of an event that can safely be ignored is event ID 612, generated by a Windows machine when it applies the computer group policy settings as part of an Active Directory domain. At startup, you can see this event:

Event Type: Success Audit
Event Source: Security
Event Category: Policy Change
Event ID: 612
Date: 6/25/2004
Time: 5:18:13 PM
User: NT AUTHORITY\SYSTEM
Computer: EMACHINE
Description:
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
+ + Directory Service Access
+ + Account Logon
Changed By:
User Name: EMACHINE$
Domain Name: DOMAINTECH
Logon ID: (0x0,0x3E7)

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Since a policy change is an unusual event, LANGuard will consider it critical and notify you with the following message:

Event ID : 612
Event Importance : Critical importance event
Date & Time : 6/25/2004- 5:18:13 PM
Rule Triggered : Audit Policy Change - 612 - Within NOT - Medium - Win2k/XP Pro
Computer : EMACHINE
Event Log : Security
Event Source : Security
Event Category : Policy Change
Event Type : Success Audit
S.E.L.M. Event ID : 1085076505_000000000372237
User Name : NT AUTHORITY\SYSTEM
Operating System : Windows XP Professional
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
- - Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
+ + Directory Service Access
+ + Account Logon
Changed By:
User Name: EMACHINE$
Domain Name: DOMAINTECH
Logon ID: (0x0,0x3E7)
More Information:

User EMACHINE$ from domain ALTAIRTECH changed the Audit Policy for the machine EMACHINE.

Since this event is “normal”, you should adjust the Audit Policy Change rule so that it does not report this event when it is triggered by the EMACHINE$ user (the EMACHINE computer account itself).

To add this event to the Noise Reduction rule, follow these steps:
1. Open the LANGuard Configuration interface
2. Expand the "Event Processing Rules", "Security Event Log"
3. Right click the "NOISE Reduction" Rule
4. Select "New", "Processing Rule"
5. In the Events tab click on "Add" and enter 612 for the event id
6. In the Edit Rule window (See Figure 2) check the "Success Audit" box

Fig. 2 - LANGuard Edit Rule Window

7. In the "Field restrictions" section click "Add"
8. Select "User name" as field and enter "EMACHINE$" as field value and click OK twice to return to the "General" tab.
9. Enter a description for this rule. For example: "EMACHINE Startup"
10. Click OK to exit the new rule definition
11. At this point, the rule is created but not enabled (see Figure 3)


Figure 3 - New rule created

12. Right click the rule and select "Enable"

Once this is done, audit policy changes on this computer will no longer generate a notification (but they will still be recorded in the database).

Once you have built your "Artificial Ignorance" system, make sure you test it from time to time, maybe once every 3 months. Perform a task that a hacker or other malicious user would try: guessing passwords, changing audit policies (so their login would not be detected), deleting security logs and so on. Make sure that you receive the notification as expected and that you know what to do once you receive it (who to notify, what the company policies are, and other similar things).
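The following is an added example, written for this page in Python; it is not LANGuard's code and not part of the original article. It mirrors the "Artificial Ignorance" approach described earlier and the "EMACHINE Startup" rule built in steps 1-12: a small parser for the plain-text event layout shown above, a noise-reduction rule for event 612 with a field restriction on User Name, and a self-test in the spirit of the periodic check just described. The sample records, the jdoe user and the failed-logon record (legacy event 529) are constructed for the demonstration; the event layout and the EMACHINE$ rule come from the article.

```python
# Artificial Ignorance filter for Windows Security event records. Added
# example (not LANGuard code); it mirrors the article's noise-reduction rule.
import re

# Constructed sample records in the article's "Key: Value" layout: the benign
# startup event 612 by the computer account, the same event ID changed by an
# ordinary user, and a failed logon (legacy event 529, bad user name/password).
SAMPLE_EVENTS = """\
Event Type: Success Audit
Event Category: Policy Change
Event ID: 612
Time: 5:18:13 PM
User: NT AUTHORITY\\SYSTEM
Computer: EMACHINE
Description:
Audit Policy Change:
Changed By:
User Name: EMACHINE$
Logon ID: (0x0,0x3E7)

Event Type: Success Audit
Event Category: Policy Change
Event ID: 612
Time: 11:02:40 PM
User: DOMAINTECH\\jdoe
Computer: EMACHINE
Description:
Audit Policy Change:
Changed By:
User Name: jdoe
Logon ID: (0x0,0x1A2B3)

Event Type: Failure Audit
Event Category: Logon/Logoff
Event ID: 529
Time: 11:05:02 PM
User: NT AUTHORITY\\SYSTEM
Computer: EMACHINE
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Logon Type: 3
"""

# Equivalent of the article's "EMACHINE Startup" rule: event 612, Success
# Audit, restricted to the User Name field being the computer account.
NOISE_RULES = [
    {"description": "EMACHINE Startup",
     "event_id": 612,
     "event_type": "Success Audit",
     "fields": {"User Name": "EMACHINE$"}},
]

KV_LINE = re.compile(r"^([^:]+):\s*(.+)$")

def parse_events(text):
    """Split text into records and flatten every 'Key: Value' line."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = KV_LINE.match(line)
            if m:  # "Changed By:" or "+ + Logon/Logoff" lines are skipped
                rec[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in rec:
            rec["Event ID"] = int(rec["Event ID"])
            records.append(rec)
    return records

def matches_rule(event, rule):
    """True when event ID, type and every field restriction all match."""
    if event.get("Event ID") != rule["event_id"]:
        return False
    if event.get("Event Type") != rule["event_type"]:
        return False
    # With no field restrictions a rule silences the whole event ID, which
    # is exactly what the article warns against; keep rules specific.
    return all(event.get(k) == v for k, v in rule.get("fields", {}).items())

def triage(events, rules):
    """Return (suppressed, anomalies): known noise versus what needs attention."""
    suppressed, anomalies = [], []
    for ev in events:
        hit = next((r["description"] for r in rules if matches_rule(ev, r)), None)
        (suppressed if hit else anomalies).append(ev)
    return suppressed, anomalies

def rules_still_alert(rules):
    """Periodic self-test: every probe record not by EMACHINE$ must still alert."""
    probes = [e for e in parse_events(SAMPLE_EVENTS) if e.get("User Name") != "EMACHINE$"]
    _, anomalies = triage(probes, rules)
    return len(anomalies) == len(probes)

if __name__ == "__main__":
    suppressed, anomalies = triage(parse_events(SAMPLE_EVENTS), NOISE_RULES)
    for ev in anomalies:
        print(f"ALERT: {ev['Event Type']} {ev['Event ID']} on {ev['Computer']} by {ev.get('User Name')}")
    print(f"{len(suppressed)} suppressed as noise; self-test ok: {rules_still_alert(NOISE_RULES)}")
```

Run as a script it reports the two anomalies (the 612 changed by jdoe and the 529 failed logon) and confirms that the one suppressed record is the EMACHINE$ startup event. The field restriction is what keeps the rule narrow: a rule with an empty `fields` dictionary would swallow both 612 records, which is the over-broad exclusion the article tells you to avoid.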

Keep your manager in the loop with some examples of the notifications and tests that you do - this way he or she will know that you are trying your best to keep the network secure.
