Securing Windows 2000 Using an event log monitoring system
The problem with the information provided is that it's difficult to easily get a sense for which events are absolutely critical, and which represent a user forgetting their password. To get a perspective on how difficult security log management can be, multiply the events that you find on one system by the number of systems on your network. As you can see, the mountain of data quickly becomes unmanageable, and certainly makes responding to critical incidents difficult. This is a large part of the reason why some companies disable the auditing feature of Windows 2000 almost as quickly as they turn it on.
While Windows 2000 Security logs provide reams of valuable information, it's up to you as the administrator to collect, analyze and assess the information they provide. Not only is this next to impossible in a large environment, it could easily be a full-time job all by itself. Furthermore, manually parsing log files looking for events is not a timely or practical solution. When the security of your network is at risk, you require access to critical information immediately - not whenever you finally find the time to view your logs. That's where GFI Software's LANguard Security Event Log Monitor (S.E.L.M) comes in. (GFI offers a free 1 Server and 5 Workstation version of LANguard S.E.L.M. for download.)
LANguard S.E.L.M provides the security monitoring functionality that should have been originally included with Windows 2000. As a trainer, my new students constantly ask how they can be alerted when a critical event occurs. My answer is always the same - without additional software, you can't. By examining and collecting security logs on network systems, LANguard S.E.L.M is not only capable of alerting an administrator by email, but also classifies events into security categories ranging from low to critical. LANguard S.E.L.M consolidates the log files from different systems into a single SQL or Access database, providing simplified event monitoring, log management, and reporting. It's not only limited to Windows 2000 either - LANguard S.E.L.M also works with Windows NT to ensure that your system needs are covered.
Think of the tools that can be used to protect a network. For the most part, companies rely almost exclusively on a firewall solution. While a properly configured firewall can do a great job of keeping the bad guys out, it doesn't do anything to monitor possible internal security issues. Based on various studies, anywhere from 70-80% of all security incidents are related to internal staff. In many cases getting access to sensitive data is simple, due to misconfigured (or even worse, not configured) security permissions. Even in cases where NTFS permissions are set correctly, security is still an issue. Knowing who has attempted access (and when) is just as important as knowing who has actually accessed sensitive data. Remember that a good security strategy involves identifying threats before an actual breach occurs.
Installing LANguard S.E.L.M is simple, but there are a few things that you'll need to prepare prior to getting started. First and foremost, you will need to enable auditing in your domain - recall that Windows 2000 audits nothing by default. For all intents and purposes, you'll want to be sure that you have at least major events (such as account logon and object access) included. Think of some of the risks inherent in any environment, and think about them closely. You shouldn't limit yourself to only worrying about users attempting logon as administrator or those trying to access restricted files. Think about users with administrative privileges changing the membership of key groups (such as Payroll!), or deleting the security logs after doing something they shouldn't have. Certainly these actions aren't limited to internal users, but since they already have access, this does represent a possible threat. A careful analysis of security risks is critical to the success of any security initiative.
Along the same lines, you should also make a point of characterizing your network systems prior to the installation of LANguard S.E.L.M. Define systems as being high, medium, or low risk. While a firewall, VPN, or web server would probably be considered high risk, a normal user's workstation would probably be most correctly categorized as low risk. Be honest in your analysis - simply defining all systems as high risk will not make your network more secure, even if it makes you feel more comfortable.
Recall that auditing is configured in Windows 2000 via Group Policy. Be sure to configure auditing on the Default Domain Policy, using the No Override option. The screen shot below outlines the auditing section of Group Policy.
Besides auditing, you'll also need to configure Message Queuing Service (this is included with Windows 2000 but is not usually installed by default) and create a dedicated user account under which LANguard S.E.L.M will run.
The installation process is very straightforward. In fact, most of the configuration can be accomplished using the initial installation wizard. This includes adding computers to be monitored, specifying whether a SQL or Access database should be used, configuring mail server settings, and specifying normal operation times. Once completed, settings can of course be changed using the LANguard S.E.L.M configuration tools.
LANguard S.E.L.M adds a number of tools (many of which are MMC-based) for managing and monitoring alerts and their settings. These include:
LANguard S.E.L.M Configurator - used to configure program alerts, rules, and settings.
LANguard S.E.L.M Event Viewer - used to view categorized events, similar to Event Viewer but in a more organized fashion.
LANguard S.E.L.M Reporter - used to build standard or custom reports that outline the result of security log analysis.
LANguard S.E.L.M Troubleshooter - a wizard that can be used to provide GFI with information on issues you are experiencing with the product, to be forwarded in an email to GFI.
Additionally, the LANguard S.E.L.M Monitor tool sits in the system tray, providing information about the security log collection process on domain computers. Since event logs from different systems have to be retrieved by the system where the database resides, you can also specify how often this happens for individual (or groups of) computers. For example, on critical or high-risk servers you might specify that real-time monitoring take place every 5 seconds. On lower-risk computers, you might specify that log collection occur every six hours. Striking a balance here is important, since monitoring too aggressively may impact performance. This is yet another reason why you should characterize network systems prior to installation. The screen shot below outlines the monitoring settings for one of my domain controllers.
In order to account for the different levels of security monitoring required on domain systems, LANguard S.E.L.M allows you to define the security level of individual systems, and set defaults. For example, you could configure things such that individual servers have a medium security setting by default, while domain controllers or critical servers are set to high. You can later use these settings to define which types of events are considered critical for a given system type.
Another important feature is the ability to define what is known as Normal Operation Time (N.O.T). This tells LANguard S.E.L.M which times are considered normal business hours. The feature provides an even more granular level of control over how alerts are defined - for example, a failed logon event during business hours might be considered a medium security threat, and a high (or even critical) security event after hours. The ability to control what is considered critical (and when) is part of what makes LANguard S.E.L.M such a powerful tool.
All this talk of configuration and customization might have you a bit frightened. The good news is that by default, the program has already grouped important security events into categories based on their potential to represent threats. So, even if you're not sure what you want LANguard S.E.L.M to tell you when starting out, the default settings handle the most common requirements smoothly. For advanced users, the ability to customize which events are monitored and how they are characterized provides maximum flexibility. The screen shot below outlines the process of defining a custom event rule.
As far as event monitoring is concerned, the LANguard S.E.L.M Event Viewer makes things easy. While the standard Event Viewer included with Windows 2000 adds all security alerts to a single log file on each individual machine, LANguard S.E.L.M Event Viewer instead categorizes alerts according to how critical they are, as shown below.
Remember that even though the defaults work well, you have the ability to define exactly how critical an event is considered to be. For example, Event 529 (bad username/password) is classified as a medium security event on a low security PC outside of Normal Operation Time by default (as shown below). If you want, you can easily change this setting to a high or even critical event - whatever best meets the needs of your environment.
Taken a step further, you also control when you are contacted by email (this is configured for critical alerts only by default). However, you can again define which types of events you wish to be contacted about. Remember that receiving too many email alerts may lead you to start ignoring them, so be careful with the events that you decide to define as critical or worthy of having an email sent.
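To make the classification model described above concrete, here is an added example (not GFI's code and not the product's actual rule table) that escalates an event's severity by the monitored system's security level and by whether it occurred outside Normal Operation Time, then selects which events would generate email at the default "critical only" threshold. The N.O.T. window, the system levels, the base severities and the sample records are all constructed for this illustration; the one data point taken from the article is that Event 529 on a low-security PC outside N.O.T. is medium.

```python
from datetime import datetime, time

# Assumed Normal Operation Time window (the article leaves the hours to you)
NOT_START, NOT_END = time(8, 0), time(18, 0)

# Assumed security level per monitored system (the article's high/medium/low)
SYSTEM_LEVEL = {"DC1": "high", "FILESRV1": "medium", "WS-PAYROLL": "low"}

SEVERITY = ["low", "medium", "high", "critical"]

# Constructed base severity by Windows 2000 security event id
BASE = {
    529: 0,  # logon failure: unknown user name or bad password
    632: 1,  # member added to a security-enabled global group
    517: 2,  # the audit log was cleared
}
LEVEL_BUMP = {"low": 0, "medium": 1, "high": 2}  # escalation per system level

def in_normal_operation_time(ts):
    """True when ts falls inside the N.O.T. window on a weekday."""
    return ts.weekday() < 5 and NOT_START <= ts.time() < NOT_END

def classify(event_id, computer, ts):
    """Escalate the base severity by system level and by being outside N.O.T."""
    idx = BASE.get(event_id, 0) + LEVEL_BUMP[SYSTEM_LEVEL.get(computer, "low")]
    if not in_normal_operation_time(ts):
        idx += 1
    return SEVERITY[min(idx, len(SEVERITY) - 1)]

def parse_line(line):
    """Parse a constructed 'YYYY-MM-DD HH:MM:SS COMPUTER EVENTID' record."""
    date, clock, computer, event_id = line.split()
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return int(event_id), computer, ts

def email_alerts(lines, threshold="critical"):
    """Return (computer, event_id, severity) for events at or above threshold.
    The default mirrors the article: only critical events generate email."""
    keep = SEVERITY.index(threshold)
    out = []
    for line in lines:
        event_id, computer, ts = parse_line(line)
        sev = classify(event_id, computer, ts)
        if SEVERITY.index(sev) >= keep:
            out.append((computer, event_id, sev))
    return out

# Constructed sample records (2002-03-11 is a Monday, 2002-03-16 a Saturday)
SAMPLE = [
    "2002-03-11 10:15:02 WS-PAYROLL 529",  # bad password, low PC, in hours -> low
    "2002-03-11 23:40:10 WS-PAYROLL 529",  # same event after hours -> medium
    "2002-03-11 14:05:44 DC1 529",         # bad password on a DC in hours -> high
    "2002-03-16 03:12:09 DC1 517",         # audit log cleared on a DC, weekend -> critical
    "2002-03-11 09:30:00 FILESRV1 632",    # group change on a medium server -> high
]
```

Lowering the threshold passed to `email_alerts` shows how quickly the mail volume grows, which is the alert-fatigue trade-off the article warns about.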
The last major feature of LANguard S.E.L.M is certainly my favorite - its ability to produce clear and insightful reports quickly and easily. For those of you with managers looking for detailed information on network security, this will truly make your life easier. Not only are the most common reports predefined, but you can also define custom reports to be built from the information stored in the database. For example, the screen shot below outlines the Reporter interface:
The reports shown are actually templates - once you right click and choose Generate, you'll be presented with the completed report. Not only can the reports be printed easily, they can also be exported to common formats including RTF, CSV, Crystal Reports, and others.
LANguard S.E.L.M has many additional features that I haven't covered here - advanced filtering capabilities, the ability to back up the database to ensure optimal performance, and more. If you're serious about monitoring security on your network, you should take a look at LANguard S.E.L.M. Not only will the product reduce the amount of administrative effort required to manage and monitor security events, it will also give you the peace of mind of knowing that you'll be able to respond to critical incidents in a timely fashion. GFI offers a free 1 Server and 5 Workstation version of LANguard S.E.L.M for download. Given the time and effort (and subsequently dollars) that companies spend trying to ensure a cohesive security strategy, LANguard S.E.L.M represents a practical and cost-effective solution.