Exam Objectives Fast Track

Auditing for Increased Security

  • The general concept of not relying or depending on a single way to secure your infrastructure or systems (such as having a firewall as the only means of protection) is called defense in depth.

  • Auditing is the process of analyzing gathered data for the purpose or intent of determining a possible problem or, in the security arena, an attack or exploit. Auditing is best used on any system that can generate some type of log file that you can save, refer to, and analyze. Auditing is the process of logging and analyzing events that occur to proactively find and eliminate problems such as attacks, hacking, or mischief.

  • An audit can be for either success or failure of a specific event. Do not just set up failure-based auditing; you should have learned from reading this chapter that it is more important to first understand what you are auditing, because you could be looking for a success as well, such as a successful logon after a series of failures. This could constitute not only a password-cracking attempt but a possible breach of your systems as well.

Auditing Windows 2000

  • Windows 2000 comes with the built-in ability to perform system auditing. In the Local Security Policy console, you can choose from many categories, such as auditing for object access or logon events.

  • Quite a few categories are available to you when you're working with Local Security Policy. You must intimately know all eight of them and their uses for the exam. They are logon events, account logon events, object access, directory service access, privilege use, process tracking, system events, and policy change.

  • You can audit Windows 2000 at the local level (with Local Security Policy) or using Group Policy at the site, domain, or OU level. You will find the audit policy settings in the actual GPO that you create.

Auditing IIS

  • Auditing IIS is critical to any system administrator responsible for managing company Web servers. You should audit, monitor, and analyze IIS just the same as Windows 2000 Server.

  • IIS creates log files that track connection attempts to Web (HTTP), FTP, NNTP, and SMTP services. Each of these services (which can run using IIS) maintains its own log files. You can find these log files in the %WinDir%\System32\Logfiles folder.

  • When you log data with IIS, you can log to either W3C Extended format or to ODBC-compliant databases such as SQL Server 2000.
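The W3C Extended format that IIS writes is self-describing: lines starting with # are directives, and the #Fields directive names the space-separated columns that follow (IIS emits a fresh #Fields line whenever the log rolls or the selected fields change). The following parser is an added example, not code from the study guide or from Microsoft; it reads a small constructed log, honours the most recent #Fields directive, and then flags any client that produced an unusual number of 4xx responses, the kind of summary an administrator would produce when analyzing a Web server log. The log contents, the client addresses and the threshold are all constructed for the example.

```python
from collections import Counter

# Constructed sample in W3C Extended format, as IIS 5.0 writes it. The
# addresses, paths and timestamps are invented for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-01-15 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-01-15 00:00:01 10.0.0.5 GET /default.htm 200
2003-01-15 00:00:02 10.0.0.5 GET /images/logo.gif 200
2003-01-15 00:00:05 10.0.0.9 GET /old/page1.htm 404
2003-01-15 00:00:06 10.0.0.9 GET /old/page2.htm 404
2003-01-15 00:00:07 10.0.0.9 GET /old/page3.htm 404
2003-01-15 00:00:08 10.0.0.9 GET /old/page4.htm 404
2003-01-15 00:00:09 10.0.0.5 GET /index.asp 200
"""


def parse_w3c(text):
    """Return a list of dicts, one per data line, keyed by the #Fields names.

    Directive lines (#Software, #Version, #Date, ...) are skipped; #Fields
    replaces the current column list so a log that changes its field set
    mid-file still parses correctly. Data before any #Fields line is an error.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Malformed or truncated line: keep going rather than lose the file.
            continue
        records.append(dict(zip(fields, values)))
    return records


def errors_per_client(records):
    """Count 4xx responses per client address (c-ip)."""
    counts = Counter()
    for rec in records:
        status = rec.get("sc-status", "")
        if status.startswith("4"):
            counts[rec["c-ip"]] += 1
    return counts


def flag_clients(records, min_errors=3):
    """Clients whose 4xx count reaches min_errors, sorted by count (desc)."""
    counts = errors_per_client(records)
    flagged = [(ip, n) for ip, n in counts.items() if n >= min_errors]
    flagged.sort(key=lambda item: (-item[1], item[0]))
    return [ip for ip, _ in flagged]


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(f"{len(recs)} requests parsed")
    for ip, n in errors_per_client(recs).most_common():
        print(f"{ip}: {n} client-error responses")
    print("review:", flag_clients(recs))
```

To run this against a real file from %WinDir%\System32\Logfiles, read the file as text and pass its contents to parse_w3c; the threshold in flag_clients is a starting point to tune against normal traffic on your own server, not a fixed rule.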

Windows Auditing Tools

  • Dumpel.exe is a command-line tool used to parse Event Logs.

  • Dumpel is used to dump an Event Log into a tab-separated text file. This file can then be imported into an Excel spreadsheet (because it is tab separated) and/or a database such as Access for storage or future analysis.

  • EventCombMT is the GUI-based tool that will allow you to manage the parsing of many Event Logs from your systems that will be dumped to a text-based file for analysis. This tool allows you to specifically search for event IDs by ID number or based on many other criteria.
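The Dumpel dump described above is only useful once something reads it, and the "success after a series of failures" pattern from the auditing section is the classic check to run over it. The script below is an added example, not code from the study guide or from the Windows Resource Kit: it parses a constructed tab-separated dump and reports any account whose successful logon follows a burst of failed logons within a short window. The column order assumed for the dump (date, time, type, category, event ID, source, user, computer, strings), the assumption that the first token of the strings column is the target account, the timestamp format, the window and the threshold are all assumptions made for the example; adjust them to match what your own Dumpel output looks like. The event IDs are the Windows 2000 Security log IDs for logon failure (529 and its siblings) and success (528, 540).

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2000 Security log event IDs for logon outcomes.
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 537, 539}
LOGON_SUCCESS = {528, 540}

# Column layout assumed for the tab-separated Dumpel output (assumption).
COLUMNS = ["date", "time", "type", "category", "event_id",
           "source", "user", "computer", "strings"]

# Constructed sample dump: four failures for jsmith followed by a success,
# then a single failure for bsmith followed by a success. Type 16 is the
# failure-audit value and 8 the success-audit value in this assumed layout.
SAMPLE_DUMP = (
    "1/15/2003\t08:01:10\t16\t2\t529\tSecurity\tN/A\tDC1\tjsmith WS7\n"
    "1/15/2003\t08:01:14\t16\t2\t529\tSecurity\tN/A\tDC1\tjsmith WS7\n"
    "1/15/2003\t08:01:19\t16\t2\t529\tSecurity\tN/A\tDC1\tjsmith WS7\n"
    "1/15/2003\t08:01:25\t16\t2\t529\tSecurity\tN/A\tDC1\tjsmith WS7\n"
    "1/15/2003\t08:02:02\t8\t2\t528\tSecurity\tjsmith\tDC1\tjsmith WS7\n"
    "1/15/2003\t08:05:00\t16\t2\t529\tSecurity\tN/A\tDC1\tbsmith WS3\n"
    "1/15/2003\t08:05:09\t8\t2\t528\tSecurity\tbsmith\tDC1\tbsmith WS3\n"
)


def parse_dump(text):
    """Turn the tab-separated dump into a time-ordered list of event dicts."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < len(COLUMNS):
            continue  # blank or truncated line
        rec = dict(zip(COLUMNS, row))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                        "%m/%d/%Y %H:%M:%S")
        rec["event_id"] = int(rec["event_id"])
        # Assumption: the target account is the first token of the strings column.
        rec["account"] = rec["strings"].split()[0] if rec["strings"] else ""
        events.append(rec)
    events.sort(key=lambda e: e["when"])
    return events


def find_success_after_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Report successful logons preceded by >= threshold failures within window."""
    recent_failures = defaultdict(deque)  # account -> timestamps of failures
    findings = []
    for ev in events:
        queue = recent_failures[ev["account"]]
        # Drop failures that fell out of the sliding window.
        while queue and ev["when"] - queue[0] > window:
            queue.popleft()
        if ev["event_id"] in LOGON_FAILURE:
            queue.append(ev["when"])
        elif ev["event_id"] in LOGON_SUCCESS:
            if len(queue) >= threshold:
                findings.append({"account": ev["account"],
                                 "failures": len(queue),
                                 "success_at": ev["when"],
                                 "computer": ev["computer"]})
            queue.clear()  # a success ends the current burst either way
    return findings


if __name__ == "__main__":
    for hit in find_success_after_failures(parse_dump(SAMPLE_DUMP)):
        print(f"{hit['account']} on {hit['computer']}: {hit['failures']} failures, "
              f"then success at {hit['success_at']}")
```

Because Dumpel writes one file per log and computer, run the same function over each dump and merge the findings; the threshold and window are what turn "a user mistyped twice" into "someone guessed until it worked", so tune them against your own baseline rather than trusting the defaults here.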



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
