First, the Bad News...
You can glean a wealth of information from the Windows Security log, but the
mechanism isn't without problems. Each Windows computer—including domain
controllers (DCs)—has a discrete Security log. Each DC logs security events
according to the activity that it sees; this information doesn't replicate
to the other DCs in the domain. Windows has no native capability to centrally
collect, analyze, monitor, report, and archive the many Security logs that exist
throughout your network. Another problem is that the log's event descriptions
and codes are cryptic and poorly documented by Microsoft. If that weren't
bad enough, Microsoft eliminates, merges, and changes the meaning of event
IDs from one version of Windows to the next. In addition, the order of strings
in a given event's description sometimes changes between Windows versions.
(I'll go into more detail about description strings later.) These changes
can really throw a wrench in the works when you upgrade one or more systems
after having set up reports or rules based on event ID or the position of a
string. In this book (as well as in my free Security Log Encyclopedia at
www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx),
I endeavor to document such changes.
With Windows Server 2008, all event IDs have changed. Microsoft has revamped the event
logging system and made many improvements in response to user demand.
At the same time, the level of complexity has increased. The nine categories of events
are further divided into 50 sub-categories. To our dismay, the GPMC (Group Policy
Management Console) does not include a way to configure these new sub-categories.
Instead of using the GPMC, you have to use a command line tool if you want to
configure the more granular sub-categories. That means 50 more decisions to make
when determining what to audit. We'll provide some practical guidance as to what
you should audit.
So we're left with other methods of event log management. That isn't a bad thing really,
as we've always advocated consolidating the data from event logs in one central location.
In addition, while most of the security policy settings remain, a few settings
have been added that can dramatically change logging behavior. These can
be really annoying for auditors and administrators alike. We'll give you the tips
to effectively manage these changes. Both the security settings and log information
are also found on our new WinSecWiki.
Thanks to the change to XML format, event logs can now actually be read by humans (sort of).
Microsoft has included more help in understanding events and the impact of changing
certain security settings. Some of this help appears right in the event, and some events link
to more information on TechNet. The documentation still leaves a lot of room for improvement,
so we'll help fill in the gaps for you. As usual, the real world differs significantly
from what was supposed to happen.
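To make the two points above concrete, here is an added example (not code from the book or from Microsoft) that parses a constructed Windows Server 2008-style security event in its XML form. It contrasts a rule keyed to the position of a description string, which breaks as soon as a later Windows version reorders the strings, with a rule keyed to the event ID and the named data fields, which survives the reordering. The sample event is modelled on a logon event (ID 4624) and its values are made up; the namespace URI is the one Windows uses for its event XML.

```python
import xml.etree.ElementTree as ET

# Namespace used by the Windows Vista/2008-and-later event XML (Event Viewer "XML View").
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample event: shaped like a Security log logon event (ID 4624),
# but every value below is invented for illustration.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <Computer>DC1.example.test</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">DC1$</Data>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.0.0.23</Data>
  </EventData>
</Event>"""

def parse_event(xml_text):
    """Return the event ID, computer, provider and the EventData fields keyed by Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "Provider": system.find("e:Provider", NS).get("Name"),
        "Data": data,
    }

def description_strings(xml_text):
    """The insertion strings in document order: the only view a position-based rule has."""
    root = ET.fromstring(xml_text)
    return [(d.text or "").strip() for d in root.iterfind("e:EventData/e:Data", NS)]

def with_reordered_fields(xml_text):
    """Simulate a later Windows version emitting the same fields in a different order."""
    root = ET.fromstring(xml_text)
    event_data = root.find("e:EventData", NS)
    first = event_data[0]
    event_data.remove(first)
    event_data.append(first)
    return ET.tostring(root, encoding="unicode")

def positional_rule(strings):
    """Fragile rule: assumes the 4th description string is the logon type (10 = RemoteInteractive)."""
    return len(strings) > 3 and strings[3] == "10"

def named_rule(event):
    """Robust rule: match on event ID and the named field, whatever order the fields arrive in."""
    return event["EventID"] == 4624 and event["Data"].get("LogonType") == "10"
```

Run `named_rule(parse_event(with_reordered_fields(SAMPLE_EVENT)))` against `positional_rule(description_strings(with_reordered_fields(SAMPLE_EVENT)))` to see only the name-based rule keep firing after the reorder.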
This Book
In Chapter 2, I'll introduce you to the Windows audit policy (including the relationship
between audit policies and audit categories), the new Microsoft Management Console (MMC) Event
Viewer for Server 2008, and the format of security events. I'll talk about how you can use
the new sub-categories to fine-tune your audit policy and make sure you're actually getting
the events you want. Even if you're an experienced Windows Server administrator, I recommend
at least scanning this chapter. I've included a few valuable nuggets that might well be new
to you. There are a couple of new command line tools that are essential for configuring and
understanding your auditing. Finally, you'll be introduced to event subscriptions and alerting.
Chapter 3 introduces you to the concepts of Windows authentication and logon (which serves as the
foundation for subsequent chapters), then delves into the closely related Account Logon and
Logon/Logoff audit categories. Chapter 4 discusses how Windows logs authentication activity by
using Account Logon events, and Chapter 5 deals with logon events in the Logon/Logoff category.
In Chapter 6, we examine the Detailed Tracking category, and I show you how to track programs that
users execute. In Chapter 7, you'll find out how to monitor file-system activity and access attempts
on other types of objects by using the Object Access category. Chapter 8 shows you how to audit changes
to users, groups, and computer accounts by tracking Account Management events, and Chapter 9 reveals how
to use Directory Access events to track changes to Active Directory (AD) objects such as organizational
units (OUs) and Group Policy objects (GPOs). Chapters 10, 11, and 12 deal with the Privilege Use, Policy
Change, and System Event categories, respectively.
In the appendix we'll give you some pointers to manage event logs from multiple computers on an enterprise system.
At the End of the Day…
Windows has the ability to generate a detailed audit record of security events on each system, but exploiting
that information is a lot like mining low-grade ore, which has to be subjected to a laborious refining process
before you can get to the gold. Unless your needs are limited to occasional investigations, you'll want some
type of automated solution for collecting, monitoring, reporting, and archiving the Security logs that are
scattered throughout your network. There are many such tools on the market. The two most important criteria in
choosing which product to use are whether the product can meet your scalability needs and whether it provides
the ability to build sophisticated alerts and rules based on specific string positions within an event's
description. My contacts at Microsoft indicate that this capability will become even more important for future
versions of Windows.
The Windows Server 2008 Security Log Revealed is only available as part of the Security Log Resource Kit.