Understanding Windows Logging
Defending critical servers by using log information.
Logging is an underused tool on most Windows networks. It is mostly used in a crisis, to reconstruct events that have already taken place and were not preempted. There are several reasons for this. First, there is a vast amount of data to get through, and because it is logistically not viable to inspect every log on a large network manually, this aspect is neglected. Applications are available that consolidate logs into a central place, but what is needed is some form of intelligence to lessen the burden: a filter that extracts only the pertinent information required to understand what is happening on the network. Furthermore, logs fill up, and the fact that they are stored on remote machines compounds the issue, since no one inspects them. This presents a risk: the resident user or a remote intruder can wipe the log, removing their traces and leaving the security professional with no tracks to follow. Intelligent applications exist that centrally consolidate the logs, remove them from the remote client machines, and store them in a presentable fashion for the security professional's inspection.
The Event Log service is started automatically when a Windows machine starts. All users can view the application and system logs; only administrators can access the security log. Security logging is turned off by default, so the administrator must turn it on to ensure that a security log is available.
Windows has several different logs that should be monitored. The most important to the security professional is the security log, as it tracks what is going on across the network. The different log types are:
- Application log: events logged by applications.
- Security log: records of valid and invalid logon attempts and of events related to resource use, such as creating, opening, or deleting files or other objects. This log is also customizable.
- System log: system component events, such as driver failures and hardware issues.
- Domain controllers have two extra logs; the first is the Directory Service log.
- File Replication Service log: Windows File Replication Service events. Sysvol changes are recorded here.
- DNS servers also store DNS events in their logs.
Each log contains different types of entries: errors, warnings, information, success audits and failure audits. It has become apparent that a third-party automation tool is necessary. On any busy machine or busy network, many hours of activity are logged and megabytes of log files are generated, which makes it practically impossible to monitor all of the logs on all of the networked computers with limited resources.
Below are a few valuable features that prove useful when monitoring logs:
- Real-time monitoring and notification when events happen that need to come to the security professional's attention. Windows itself is unable to notify the security officer of triggered events.
- The audit trail is unconsolidated in Windows. Individual machines hold isolated event logs, making the task of viewing them extremely difficult. It is much easier to look at one event log to get the current network status than to look at multiple event logs and miss information because of the vast number of entries that have not been filtered. So it is ideal to have a central log monitoring system that the security professional can use at a glance.
- Security logs should also be monitored remotely: when an intruder uses a local account to log on to a machine, the audit trail exists only in that machine's local security log.
- Unclear descriptions of critical events. In normal Microsoft tradition, "event 12345%$# means your server was rebooted or something like that." Logs are cryptic and misleading. Consolidation and remote log reading applications have alerts that can be preprogrammed for specific events, making the administrator's life much easier when deciphering the misleading logs.
- Archiving. Institutions such as banks are required in most countries to keep audit logs for over 7 years, and even longer in some circumstances. Typical Windows default settings overwrite the logs when a certain size is reached. The other issue is that the user has to physically archive and clear the logs. Automation of this process is available, and making it central increases productivity on a large network, as it lessens support calls and lets the administrators see what is happening locally on the user's machine.
- Log file integrity. Files stored on a user's machine have less integrity, as the user can clear the logs quickly, or an intruder, after gaining access, can cover their tracks by clearing the event logs. Intruders sometimes produce an excessive number of events, triggering actions that fill up the security logs to cover their tracks. Using consolidation and remote log viewing applications, the security professional can be alerted to this phenomenon and react to it immediately; furthermore, the logs are stored remotely, so the user or intruder cannot erase them. Applications exist on the internet that render local machine logs useless, as they can create vast amounts of traffic and fill the logs with garbage or delete them completely.
- Log filtering. Data overload is a huge issue. Log monitoring applications have the ability to filter out irrelevant noise events that take up time and space, and to display only the pertinent logs.
- The ability to monitor access to important files. Auditing failed access to these files lets you find out if someone is attempting to access them.
- An application that can alert the security professional by SMS (mobile phone), e-mail and pager proves valuable, as the administrator may not be near a computer at all times, and an alert should trigger a response. The administrator can then react, or have systems in place that can be remotely activated to stop a potential attack.
- Monitoring of web server logs is important and deserves mention as an isolated point, as it is often overlooked by hasty administrators. By using software that monitors your local or remote web server you can add an extra layer of security to it. This is where the alerting functionality of log monitoring software is useful, because it is sometimes challenging to monitor servers that sit in the DMZ.
- Logging of data into powerful, searchable databases such as SQL is an advantage and would be preferred in an enterprise environment; most good centralized logging software available does provide this type of functionality.
- Reporting using well-known tools like Crystal Reports is also needed in large organizations, as trends are easier to see when depicted. Log monitoring software should have the capability to link to Crystal Reports and other well-known reporting software.
- Categorically sorting log events into prioritized sections. The software should let the security administrator see at a glance whether high-, medium- or low-profile security events have taken place; this saves time and makes for good managerial reporting.
- Clearing of logs should also be monitored, as only the administrator should be able to clear security logs.
- The ability to make logging of certain events on certain machines more critical is also useful, as machines that need to remain secure should be monitored at a more granular level.
Information to look out for when monitoring infrastructure and network security.
There are certain key elements that a security professional needs to monitor on an ongoing basis to ensure that the network is running free of parasitic intruders. Intruders often target the log files and audit log because they know that if an experienced security professional reads the logs they might be suspected or even traced. Furthermore, if there is no record that a specific action took place, it becomes incredibly challenging to prove that it in fact took place. It is important to establish key security trends. Looking for an application with strong customization capabilities is important, as this will help you on a daily basis to get the exact information you are looking for. The world of software automation has saved security administrators millions of hours. Do not let automation hamper your ability to identify pertinent security breaches. Take the care and time to plan the reports, to ensure that a complete, verbose report is produced that highlights the events pertaining to your specific network environment. Failed logons, bad user names or passwords, account lockouts, logons outside typical periods (like in the middle of the night), and failed resource access events all point to potential security risks, and these events should be investigated and validated with the users concerned.
The diagram above represents a network where internal and external intruders are wiping logs. Counter-action can be taken because the administrator has been notified.
Below are some event types. These are but a few, and should give you an idea of how inundated you will get with event log entries if you don't have digital filtering help:
- Type 2 : Console logon from local computer.
- Type 3 : Network logon or network mapping (net use/net view)
- Type 4 : Batch logon, running of scheduler
- Type 5 : Service logon (a service that uses an account)
- Type 7 : Unlock Workstation
- Event ID 529 : Unknown user name or bad password
- Event ID 530 : Logon time restriction violation
- Event ID 531 : Account disabled
- Event ID 532 : Account expired
- Event ID 533 : Workstation restriction, the user is not allowed to logon at this computer
- Event ID 534 : Inadequate rights for console login.
- Event ID 535 : Password expired
- Event ID 536 : Net Logon service down
- Event ID 537 : Unexpected error
- Event ID 539 : Logon Failure: Account locked out
- Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password
- Event ID 644 : User account Locked out
- Event ID 541 : IPSec security association established
- Event ID 542 : IPSec security association ended (mode: data protection)
- Event ID 543 : IPSec security association ended (key exchange)
- Event ID 544 : IPSec security association establishment failed because peer could not authenticate
- Event ID 545 : IPSec peer authentication failed
- Event ID 546 : IPSec security association establishment failed because peer sent invalid proposal
- Event ID 547 : IPSec security association negotiation failed
- Event ID 672 : Authentication Ticket Granted
- Event ID 673 : Service Ticket Granted
- Event ID 674 : Ticket Granted Renewed
- Event ID 675 : Pre-authentication failed
- Event ID 676 : Authentication Ticket Request Failed
- Event ID 677 : Service Ticket Request failed
- Event ID 678 : Account mapped for logon
- Event ID 679 : Account could not be mapped for logon
- Event ID 680 : Account used for logon
- Event ID 681 : Logon failed. The error code was:
- Event ID 682 : Session reconnected to winstation
- Event ID 683 : Session disconnected from winstation
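As an added example (not code from the original article or from any product it mentions), the following Python script stands in for the filtering, prioritizing and alerting tool described in the feature list above: it parses a constructed comma-separated export of security-log records, maps the event IDs and logon types from the table above onto descriptions, suppresses unlisted events as noise, and raises alerts for lockouts, off-hours logons and bursts of failed logons. The HIGH/MEDIUM/LOW grouping, the export format, the 60-second burst window and the 22:00-06:00 "night" period are assumptions chosen for the example, not values from the page.

```python
from datetime import datetime

# Event IDs and logon types from the lists above; the HIGH/MEDIUM/LOW split is an assumed prioritisation.
HIGH = {539: "Logon Failure: Account locked out", 644: "User account Locked out",
        627: "NT AUTHORITY\\ANONYMOUS is trying to change a password"}
MEDIUM = {529: "Unknown user name or bad password", 530: "Logon time restriction violation",
          533: "Workstation restriction", 675: "Pre-authentication failed", 681: "Logon failed"}
LOW = {672: "Authentication Ticket Granted", 680: "Account used for logon"}
LOGON_TYPE = {2: "console", 3: "network", 4: "batch", 5: "service", 7: "unlock"}

# Constructed sample export (not real data): time,event id,logon type,user,workstation
SAMPLE = """\
2003-04-02 02:14:03,529,3,jsmith,WS-17
2003-04-02 02:14:05,529,3,jsmith,WS-17
2003-04-02 02:14:07,529,3,jsmith,WS-17
2003-04-02 02:14:11,539,3,jsmith,WS-17
2003-04-02 02:14:12,644,3,jsmith,WS-17
2003-04-02 09:05:00,680,2,mjones,WS-03
2003-04-02 23:40:00,680,2,admin,SRV-01
"""

def parse(text):
    """Turn the assumed export format into dicts with a real datetime."""
    out = []
    for line in text.strip().splitlines():
        ts, eid, lt, user, host = line.split(",")
        out.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                    "id": int(eid), "type": int(lt), "user": user, "host": host})
    return out

def severity(eid):
    for level, table in (("HIGH", HIGH), ("MEDIUM", MEDIUM), ("LOW", LOW)):
        if eid in table:
            return level, table[eid]
    return "NOISE", "unlisted event"  # filtered out, never alerted on

def triage(records, burst=3, window_s=60, night=(22, 6)):
    """Return (kind, user, where, detail) alerts; noise and routine events are dropped."""
    alerts, failures = [], {}
    for r in records:
        level, desc = severity(r["id"])
        where = "%s via %s logon" % (r["host"], LOGON_TYPE.get(r["type"], "?"))
        if level == "HIGH":
            alerts.append(("HIGH", r["user"], where, desc))
        elif level == "LOW" and (r["time"].hour >= night[0] or r["time"].hour < night[1]):
            alerts.append(("OFF-HOURS", r["user"], where, desc))  # successful logon at night
        if r["id"] in (529, 675, 681):  # failed-logon family: watch for floods per user
            failures.setdefault(r["user"], []).append(r["time"])
            recent = [t for t in failures[r["user"]] if (r["time"] - t).total_seconds() <= window_s]
            if len(recent) == burst:  # fires once, when the threshold is first reached
                alerts.append(("BURST", r["user"], where, "%d failed logons in %ds" % (burst, window_s)))
    return alerts
```

Running `triage(parse(SAMPLE))` yields one BURST alert for jsmith, the two lockout events as HIGH, and the admin console logon at 23:40 as OFF-HOURS, while the daytime logon by mjones produces nothing.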
Time is an important asset, and organizations trade IT professionals' time for money. Checking logs manually is very time consuming and is not what organizations have in mind when they hire a highly skilled professional, although the job still needs to be done. The use of third-party products is essential for archiving and reporting on event logs within an organizational network. For additional information visit http://www.windowsecurity.com/software/Log_Monitoring/ ; this website has a lot of valuable information on log monitoring and its importance.
Windows NT/2000 security scatters network events among all the computers in the domain. The operating systems provide complete logging functionality for capturing security events, but no significant tools for due diligence and analysis. Archiving, real-time monitoring and filtering are further issues that the Windows operating system does not resolve. This does not change the fact that security professionals need to monitor the logs in an effective and efficient way that turns them into meaningful organizational reports. Management is always looking for viable reports that have some business relevance. By using good reporting that reflects the goings-on of the security events, you will be able to add a strong dimension to IT's value proposition.