Unraveling the All New Windows Server 2008 Security Log and Audit Policy
In this Security Log Secrets real-training webinar I will show you the all new security log and audit policy structure of Windows Server 2008.
Over the past year I've been busy unraveling the new security log in 2003. All of the old 3-digit event IDs in Windows Server 2003 have been replaced with new 4-digit event IDs in 2008, so it's time to re-learn your event IDs if you are a security log geek like me. I'll provide you with a cross-reference of Windows Server 2003 to 2008 event IDs.
In Windows Server 2008, you can get much more granular about which types of security activity Windows logs, because Microsoft has introduced audit subcategories, some 50 of them. So now you can choose to manage audit policy either at the level of the original 9 audit policies or down at the subcategory level.
However, you can't use group policy to centrally configure audit subcategory policy the way you are accustomed to with the 9 audit policies in Windows Server 2003. To enable or disable auditing at the subcategory level you must use the auditpol command.
In this webinar I will show you how to use auditpol and I'll introduce you to all 50 audit subcategories. I'll also share my recommended audit policy to minimize useless "noise" while ensuring the important events are still logged.
Approximately 30 min.
Understanding Authentication Events in the Windows 2003 and 2008 Security Logs
Domain controller security logs give you a centralized view of all domain account authentication for your entire network.
From your DC logs alone, you can determine when each user logged on, from which workstation and then which servers they accessed.
However, these authentication events are closely tied to Kerberos ticket operations. Also, these events change greatly between Windows 2000 and 2003, and even more radically with Windows Server 2008. Finally, there are many noise events generated by Kerberos that you can filter out if you know what to look for.
In this webinar I will take you on a deep dive into understanding authentication events generated by Kerberos and show you how to correctly interpret logs generated by Windows 2000, 2003 and 2008 domain controllers.
At the end of this webinar you will be able to:
- Pinpoint when and where users initially log on to the network
- Track them from their workstations to the servers they subsequently access
- Decode authentication failure codes
- Deduce where password guessing attacks are coming from
- Distinguish authentication events generated by Exchange and IIS applications from normal workstation logons
- Filter out Kerberos noise
Approximately 30 min.
Auditing File Access with the Windows Server 2008 Security Log: The Good, Bad and Ugly
In this Security Log Secrets real-training webinar I will show you how to audit file access with the Windows Server 2008 security log. I added the "Good, Bad and Ugly" bit because there are a number of gotchas you need to be aware of before launching into a file auditing effort.
I will show you how to enable auditing of just the files you need, for just the types of access and for just the right people. We'll look at auditing for failed attempts to read or modify files, tracking successful modifications of data, file creation, copying and moving.
There will also be a brief demonstration by the sponsor, whose SIEM solution includes special file monitoring functionality, which will be useful to compare against Windows native file auditing capabilities and gaps.
Approximately 30 min.
Auditing User Accounts in Active Directory and Windows Servers with the Windows 2003 & 2008 Security Logs
User accounts are the doorway into your domain and servers, and if you aren't monitoring changes to user accounts you are not secure and far from compliant. From a security perspective alone you need to have an audit trail of newly created domain user accounts, and if you are following the best practice of avoiding local accounts you need to know right away when new local accounts appear on member servers. What about accounts that were disabled and are suddenly re-enabled? And then there are password resets; it's so important to have an audit trail of that activity so that there's some accountability over the help desk and others with the powerful password reset authority.
As with many areas of the security log, it's not just a matter of knowing which event IDs to look for. You need to understand how the implications differ for the same event ID when it comes from a member server as opposed to a domain controller. And of course there are the security log's ever-present caveats and "weirdnesses" which, if you don't know about them, will have you wasting time spinning your wheels, following wild goose chases - or worse - missing important changes.
In this webinar I will show you how to audit changes to both domain and local user accounts. You'll learn how to configure the right audit policy to produce the right events, and you'll learn what events to look for. I'll make sure you know the arcane little things about these events that make all the difference in monitoring user account changes, detecting suspicious events and meeting your compliance requirements.
Approximately 30 min.
Detecting Suspicious Logon Attempts with the Windows 2008 and 2003 Security Logs
This is a key training topic for those of you trying to meet compliance requirements. Just about every regulation out there requires you to review failed logons but offers no guidance on what to look for.
Distinguishing malicious logon failures from innocent logon failures is challenging for a variety of reasons:
• The logon failure codes in the security log are the same whether the user mistyped his password or an attacker is trying to guess the password
• Some Windows clients and applications make more than one logon attempt per user attempt thus inflating the number of innocent logon failures
• Windows logs logon failures 2 different ways on 2 different systems
• Confusion over the meaning of logon failure codes
In this real training (TM) webinar I first acquaint you with the 2 different audit categories used for tracking logon failures, Logon/Logoff and Account Logon, and show you the difference between the 2.
In this webinar I'll be using Windows Server 2008 for demonstrations and feature its new 4-digit event IDs, but I will be sure to point out the corresponding 3-digit event IDs in Windows Server 2000/2003 and note any other differences between these versions of Windows.
Next I’ll share my tips for building your alert rules and reports to try to recognize malicious logon failures that indicate an attack. We’ll use a variety of techniques – some simple and others that require some sophisticated analysis logic from your log management solution. This will be real training on a very important area of the Windows security log.
Approximately 30 min.
Monitoring Access Changes with the Windows 2008 and 2003 Security Logs
When were the permissions on that folder changed? Who added Bob the mailroom guy to the Purchasing Agents group?!?
I'll show you how to answer those questions using Account Management and Object Access events from the Windows security log for both Windows Server 2003 and 2008.
In this webinar I will perform live demos on both 2003 and 2008 systems. In the demos I will show you how to set up auditing to catch these access control changes, and then I'll perform some example permission and group changes and show you the resulting events on both versions of Windows - as you know, the event IDs on Windows Server 2008 are totally different from 2003.
I will also make sure you understand which systems' security logs you have to review in order to make sure you don't miss any access control changes including domain groups, machine local groups and modifications to access control lists.
Approximately 30 min.