Top 12 Events to Monitor in the Windows Server Security Log

Webinar Registration

Last year we spent a lot of time, and rightly so, on Active Directory and domain controllers. But don’t forget your member servers. That’s where your data actually resides, and once attackers are inside a member server they can make a lot of noise that you won’t hear if you are only watching Active Directory. There’s a wealth of security information in the member servers' own logs. In this real training for free event I will highlight the 12 most important things to monitor in the Security Log of your Windows servers:

  1. Audit policy changes
  2. User right assignments
  3. Local account authentication policy changes
  4. Local user account changes
  5. Local account enumeration
  6. Logon right changes
  7. Local group membership changes
  8. New software installed
  9. Failed logon attempts
  10. Any attempt to logon as local Administrator
  11. Firewall policy change
  12. New device attached

Many of the items above actually correspond to several event IDs. For each item I’ll show you:

  1. How to configure Windows audit policy to make sure the event is actually logged
  2. Examples of the event from my lab server
  3. How to interpret the event and its fields.

There’s a lot to talk about on this last one, since the Windows Security Log can be rather cryptic and noisy. Plus, there are some important things that Windows just does not log, or logs in a way that leaves a lot to be desired. So we’ll discuss these gaps as well.
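As an added example, not material from the webinar, from the presenter, or from Netwrix: the PowerShell below walks the three steps above for a member server. It enables the audit subcategories that produce the twelve event classes with auditpol, pulls the matching events from the Security Log with Get-WinEvent, decodes the EventData fields, and applies one of the alert rules (item 10, any logon as the local Administrator). The subcategory names and event IDs are the ones I rely on in practice and should be checked against your OS version; the $Watchlist mapping and the function names (Enable-WatchlistAuditing, ConvertFrom-SecurityEvent, Get-WatchlistEvents, Find-LocalAdminLogons) are my own and not anything from the page.

```powershell
# Added example: audit policy + event retrieval for the 12 member-server event classes.
# Run in an elevated PowerShell session on the member server you are monitoring.
# Subcategory names and IDs reflect Windows Server 2016+; verify against your version.

# Audit subcategory -> Security Log event IDs it produces that map to the 12 items.
$Watchlist = [ordered]@{
    'Audit Policy Change'             = @{ Ids = 4719, 4907, 4912;                   Why = 'item 1: audit policy / SACL changed' }
    'Authorization Policy Change'     = @{ Ids = 4704, 4705;                         Why = 'item 2: user right assigned / removed' }
    'Authentication Policy Change'    = @{ Ids = 4739, 4717, 4718;                   Why = 'items 3 and 6: local lockout/password policy; logon right granted / removed' }
    'User Account Management'         = @{ Ids = 4720, 4722, 4724, 4725, 4726, 4738, 4798; Why = 'items 4 and 5: local user created/enabled/pw reset/disabled/deleted/changed; membership enumerated' }
    'Security Group Management'       = @{ Ids = 4731, 4732, 4733, 4734, 4735, 4799; Why = 'items 5 and 7: local group created/member added/removed/deleted/changed; membership enumerated' }
    'Security System Extension'       = @{ Ids = 4697;                               Why = 'item 8: service installed (the Security Log only sees services; MSI installs land in the Application log as MsiInstaller 1033/11707)' }
    'Logon'                           = @{ Ids = 4624, 4625;                         Why = 'items 9 and 10: successful / failed logons' }
    'MPSSVC Rule-Level Policy Change' = @{ Ids = 4946, 4947, 4948, 4950;             Why = 'item 11: firewall rule added/modified/deleted, setting changed' }
    'Plug and Play Events'            = @{ Ids = 6416;                               Why = 'item 12: new external device recognized' }
}

# Step 1: make sure the events are actually logged. auditpol is the per-subcategory
# switch; a Group Policy with advanced audit settings will overwrite it at refresh.
function Enable-WatchlistAuditing {
    foreach ($sub in $Watchlist.Keys) {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    # Show the effective setting for just the subcategories we touched.
    auditpol /get /category:* | Select-String ($Watchlist.Keys -join '|')
}

# Step 3 helper: flatten the EventData <Data Name="..."> elements into properties so
# fields such as TargetUserName, LogonType and IpAddress can be filtered directly.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $fields = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in @($x.Event.EventData.Data)) {
            if ($d.Name) { $fields[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$fields
    }
}

# Step 2: pull the watched events. One query per subcategory keeps each ID list short
# (FilterHashtable builds an XPath query and tolerates only a handful of IDs per call).
function Get-WatchlistEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($sub in $Watchlist.Keys) {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Watchlist[$sub].Ids; StartTime = $since } -ErrorAction SilentlyContinue |
            ConvertFrom-SecurityEvent |
            Add-Member -NotePropertyName Subcategory -NotePropertyValue $sub -PassThru
    }
}

# Item 10: any logon attempt as the local Administrator. On 4624 match the RID-500 SID,
# which also catches a renamed built-in account; 4625 often carries the NULL SID
# (S-1-0-0) for the target, so fall back to the account name there. On a member server
# LogonType 3 (network) from a known management host may be routine; 2 (console)
# and 10 (RDP) rarely are, so keep LogonType and IpAddress in the alert.
function Find-LocalAdminLogons {
    param([int]$Hours = 24)
    Get-WatchlistEvents -Hours $Hours | Where-Object {
        ($_.Id -eq 4624 -and $_.TargetUserSid -like '*-500') -or
        ($_.Id -eq 4625 -and $_.TargetUserName -eq 'Administrator')
    } | Select-Object TimeCreated, Id, TargetUserName, TargetUserSid, LogonType, IpAddress, WorkstationName
}

# Usage:
#   Enable-WatchlistAuditing
#   Get-WatchlistEvents -Hours 24 | Group-Object Subcategory | Select-Object Name, Count
#   Find-LocalAdminLogons -Hours 168 | Format-Table -AutoSize
```

The same decoded objects feed the other rules: 4732 with a TargetUserName of Administrators covers item 7, 4625 grouped by IpAddress and TargetUserName covers item 9, and 4719 on a member server is worth an alert in its own right because nothing legitimate changes audit policy there outside a Group Policy refresh.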

Netwrix is our sponsor for this training and Adam Stetson, Systems Engineer @Netwrix will briefly show you how Netwrix Auditor delivers complete visibility into Windows Server changes and reports on Windows Server configuration details, so you can easily detect deviations from a known good baseline.

This session covers a crucial aspect of comprehensive security monitoring of the overall Windows environment. While domain controllers and member servers both run Windows and have the same security log, certain events logged on a member server should be interpreted much differently than on a DC - and vice versa.

In this webinar I will focus on what makes monitoring member servers unique and share the 12 most important events that should generate real-time alerts when detected on your important member servers.

Please join us for this real training for free event.
