Auditing for Increased Security (Part 1)
"For a complete guide to security, check out 'Security+ Study Guide and DVD Training System' from Amazon.com"
You need to understand that you need many levels (hence, defense in depth) of security to be able to feel and be safe from potential threats. A possible Defense in Depth matrix with Auditing included could look like the graphic in the figure below.
So now that you know why auditing is so important, you could probably benefit from a good definition of the term 'auditing'. Auditing is the process of analyzing gathered data for the purpose or intent of determining a possible problem, or in the security arena, an attack or exploit. Auditing is best used on any system that can generate some type of log file that you can save, refer to and analyze - especially over time.
Your security strategy should implement a strong policy on auditing systems. If you are strapped for time, I would suggest you at least implement a policy to audit your most critical systems or systems that are facing the Internet. This way, you can be somewhat informed of possible attack on systems that if rendered inoperable, could put you out of business.
You should try to determine the level of auditing you need to deploy on your systems, as excessive auditing will generate too many events to view and analyze.
Don't over do it
When you are looking at auditing your systems, you really need to do some analysis before the analysis! Do some research and think about what it really is you are trying to determine using auditing. It is not wise to just turn on all auditable events without even knowing what it is you are enabling. Excessive auditing could actually cause you to lose some logged events if you have the log set to overwrite events as needed - excessive logging could push an event you may have need to see right out of the readable log you were going to analyze.
There are in fact ways that you can stop this activity that will be talked about within the chapter, but just remember, if you blindly turn on auditing without thinking about what it is you want to accomplish, you could actually lose data. There are ways to stop this... one is to adjust the log size so that it will hold more events. Another way is to set it so that you will only be able to clear the events manually so you don't lose data. (both will be explained in more detail later in the chapter). Other ways is to use add on products of third party tool sot accumulate your events in one centralized location like MOM. You could use a tool like Microsoft Operations Manager, which can help you to gather, filter and analyze massive amounts of events on all your systems.
When you perform auditing, you can have one of two categories:
Success: A success event indicates that a user has successfully gained access to a resource
Failure: A Failure event indicates that a user has attempted to gain access to a resource but failed
These two categories will determine many things. If you monitor both, you can find patterns such as if you have a series of failures of a logon. This may indicate that there is someone trying to log on to a system and failing each time. Problems in auditing this type of behavior is if you have an administrator who may have forgotten the password, or worse yet - have the caps locks key on while trying to log on. This would show up in the event log. If you have a series of failures followed by a success, then you can see that either the administrator figured out the error, or if it is an attack, then the attacker was able to breach the system. This is how both success and failure could be seen working in conjunction with one another.
In our next articles, we will look at how to set up auditing with Windows 2000.