Lab 11.1: Designing a System Monitoring and Security Auditing Strategy

After completing this lab, you’ll be able to

  • Design a system monitoring strategy
  • Design a security auditing strategy

About This Lab

In this lab, you’ll design a monitoring strategy that uses the performance objects and counters in Windows 2000 and IIS. You’ll also design an auditing strategy that uses events in Windows 2000 and IIS to log activity related to security and that uses IIS logging to log information specific to a Web site.

Before You Begin

Before you begin this lab, you must be able to

  • Use performance objects and counters in Windows 2000, IIS, and other applications to monitor performance on Windows 2000 Server computers
  • Use events in Windows 2000, IIS, and other applications to log events that occur on Windows 2000 Server computers
  • Use IIS logging to log the activity of a Web site

Scenario: Northwind Traders Web Site

Northwind Traders maintains a small Web site that includes IIS on a front-end cluster and SQL Server on the back-end cluster. The site uses ASP applications on the front-end cluster to access data on the back-end cluster. The site supports Anonymous access for all Internet users. The front-end cluster includes three Windows 2000 Server computers, and the back-end cluster includes two Windows 2000 Server computers, as shown in Figure 11.12. Two firewalls are used to create a perimeter network that contains both clusters.

As the network administrator for this site, you must develop a monitoring and auditing strategy that uses Windows 2000 performance counters and events and IIS logging to provide performance and security data about your system.

Figure 11.12 - Northwind Traders front-end and back-end clusters

Exercise 1: Designing a System Monitoring Strategy

In this exercise, you’ll develop a system monitoring strategy that uses the performance objects and counters in Windows 2000 and IIS. Currently, you plan to monitor the performance only on the three IIS computers. Your monitoring strategy will be the same for all three computers. You want to look specifically at each system’s memory, processors, network I/O, and Web applications. Because users will be accessing the site anonymously, you won’t be monitoring security overhead at this time.

  1. The first step in your monitoring strategy is to collect performance data about memory. What five components of memory should you monitor?
  2. Why should you monitor memory before monitoring any other components?
  3. Next, you want to monitor the processors in your system. You plan to collect information about processor activity, IIS service connections, and IIS threads. What types of information should you collect about each of these categories?
  4. The next step in your strategy is to collect data about network I/O. Specifically, you plan to collect data about transmission rates and TCP connections. What type of information should you collect about transmission rates and TCP connections?
  5. Finally, you plan to monitor your Web applications. What components should you monitor?
  6. Suppose that, during your analysis of the data, you discover periods of long, sustained queue lengths. What might be causing these long queue lengths?

Exercise 2: Designing a Security Auditing Strategy

In this exercise, you’ll design a strategy to track the activities of users and services. You’ll use two methods to log information about this activity: logging Windows 2000 security events (using the Security log) and logging site activity (using IIS logging).

  1. The first step in your strategy is to configure audit policies that allow you to log specific events. How do you configure audit policies?
  2. You’re specifically concerned with auditing access to certain directories and files. You want to log events about successful and failed attempts to access resources. Which audit policy or policies should you configure and how should you configure that policy?
  3. Once you’ve configured Group Policy, you decide that you want to audit the Inetpub\Scripts directory. What step do you need to take to configure auditing on that directory?
  4. Once you’ve configured auditing on the Inetpub\Scripts directory, you want to review the Security log regularly for any events that might have been generated. How do you view the Security log?
  5. In addition to auditing events, you want to log activity about your Web site. Specifically, you want to log date, time, client IP address, and username for each user who logs on to the site. At this time you don’t want to log any other information about the site because you want to limit the size of your log files. How can you log this information?
  6. Once you’ve logged data about your users, how can you view that data?
  7. What log file formats does IIS logging support?
  8. You decide that although you want to log activity to your Web site, you don’t want to log activity on the Images directory, which is a part of the site. How do you disable logging on the Images directory?
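
The following is an added example, not part of the training kit, showing one way to review the limited site log described in step 5. It assumes the site logs in the W3C Extended Log File Format with only the date, time, c-ip, and cs-username fields enabled; the log lines and addresses are constructed.

```python
from collections import Counter

# Constructed sample: a W3C Extended log restricted to the four fields from step 5.
# IIS writes the header block again after a service restart, so it can repeat mid-file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-04 09:15:02
#Fields: date time c-ip cs-username
2001-06-04 09:15:02 192.0.2.10 -
2001-06-04 09:15:07 192.0.2.10 -
2001-06-04 09:16:31 198.51.100.7 webadmin
2001-06-04 09:16:40 198.51.100.7
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-04 11:02:10
#Fields: date time c-ip cs-username
2001-06-04 11:02:10 203.0.113.25 webadmin
2001-06-04 11:02:44 192.0.2.10 -
"""

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # column names for later rows
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def summarize(text):
    """Return (requests per client IP, {username: set of client IPs})."""
    per_ip, named = Counter(), {}
    for entry in parse_w3c(text):
        per_ip[entry["c-ip"]] += 1
        user = entry["cs-username"]
        if user != "-":  # "-" marks an Anonymous request
            named.setdefault(user, set()).add(entry["c-ip"])
    return per_ip, named

if __name__ == "__main__":
    per_ip, named = summarize(SAMPLE_LOG)
    print("Requests per client IP:", dict(per_ip))
    print("Authenticated users and source addresses:", named)
```

On a site that allows Anonymous access, most entries carry "-" as the username, so the second result isolates the few authenticated requests and the addresses they came from.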



Microsoft Corporation - MCSE Training Kit. Designing Highly Available Web Solutions with Microsoft Windows 2000 Server Technologies
MCSE Training Kit (Exam 70-226): Designing Highly Available Web Solutions with Microsoft Windows 2000 Server Technologies (MCSE Training Kits)
ISBN: 0735614253
EAN: 2147483647
Year: 2001
Pages: 103
