Chapter 10: Configuring and Using Auditing and the Event Logs

Introduction

For the new Microsoft Security exam, you will be heavily tested on auditing techniques and the tools you have available for auditing a system. Once you pass the exam, you can refer back to this guide to help you find specific auditable events and review how to use the tools and procedures listed within to extract and analyze the data.

Auditing is something every security professional should take very seriously. It is very difficult to find a "needle in a haystack," and that's the mentality you should bring to the table when learning to perform system audits. Security auditing is tested very heavily on the Microsoft Security exam, so not only do you need to know how to do audits in the field, you need to master the testable auditing-based objectives for the exam.

Attack and exploitation of your systems are inevitable. Unfortunately, you cannot close every entrance to your network; if you could, you would not be able to send e-mail, browse the Web, or share files with a remote location. Because of the dynamic nature of networking, you can't close every opening, so you need to protect the openings that you do make. If your systems are attacked, you need to know who, when, how, and where. Other factors, such as why, can be deduced later. More important is pinning down the cracker so that you can stop the attack that is occurring or could occur. You might discover that the attacker is merely probing your network for possible holes before actually making an attack and causing a problem. Catching that probing early is the proactive approach to systems auditing.

Understanding the auditing process and intrusion detection in general will help you determine who is (or was) responsible for an attack and when the attack was carried out. You can use the techniques outlined in this chapter to find patterns of attack, the time you were attacked, and how the attack (such as a logon attempt) was carried out, and to log that attack and analyze it. We also look at how to analyze the Event Viewer (to which the events are logged), at Internet Information Services (IIS) auditing, and at some other tools for Event Log filtering and analysis that do not come with Windows 2000 but that can easily be obtained.

Exam Warning

Auditing takes up quite a few questions on the exam. Make sure that you work through all the exercises in this chapter because you need to understand the concepts found within them.

MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
