Lesson 8: Monitoring Network Security Events

Administrative policies for a security plan should include policies for delegation of administrative tasks and monitoring of audit logs to detect suspicious activity. In this lesson, you learn how to monitor network security events in Windows 2000 to prevent attacks and intrusion on your network.

After this lesson, you will be able to

  • Manage and monitor network traffic
  • Manage and monitor remote access

Estimated lesson time: 45 minutes

Monitoring Your Network Security

The network security technologies you implement, such as Microsoft Proxy Server, can meet your security goals only if you plan and configure them carefully. With thorough preparation, this work can be done very successfully. However, anticipating all possible risks can be very difficult because

  • New risks develop.
  • Systems can break down and the environment in which your systems are placed changes over time.

By continually reviewing your network security strategies, you can minimize security risks. However, you also need to watch the actual network security activity to spot weaknesses before they are exploited, and to stop attempts to break security before they are effective.

To watch your network security activity, you need tools to capture the details about the activities and to analyze the data. For example, Microsoft Proxy Server includes logging at two levels: normal and verbose. Windows 2000 also has event logging, which can be enhanced by enabling security auditing. IAS, discussed later in this chapter, has extensive activity reporting options. Third-party products are also available that can help with monitoring servers and applications, including security servers and applications.


When using security servers and applications, be sure to review the documentation for the systems you use and select the logging options that best meet your requirements.

Using Event Viewer to Monitor Security

Event Viewer allows you to monitor events in your system. It maintains logs about program, security, and system events on your computer. You can use Event Viewer to view and manage the event logs, gather information about hardware and software problems, and monitor Windows 2000 security events. The Event Log service starts automatically when you start Windows 2000. All users can view application and system logs. You can also set up the Windows operating system to audit access to specific resources and have that access recorded in the Security Log. Table 9.4 lists the events that you can audit and the threat that each audit event helps you detect.

Table 9.4 Threats Detected with Auditing

  Audit event | Threat detected
  Failure audit for logon/logoff | Random password hack
  Success audit for logon/logoff | Stolen password break-in
  Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events | Misuse of privileges
  Success and failure audit for file-access and object-access events; File Manager success and failure audit of read/write access by suspect users or groups for the sensitive files | Improper access to sensitive files
  Success and failure audit for file-access, printer, and object-access events; Print Manager success and failure audit of print access by suspect users or groups for the printers | Improper access to printers
  Success and failure write-access auditing for program files (.exe and .dll extensions); success and failure auditing for process tracking (run suspect programs and examine the security log for unexpected attempts to modify program files or to create unexpected processes; run only when actively monitoring the system log) | Virus outbreak

Practice: Recording Failed Logon Attempts

Security auditing is not enabled by default. You have to activate the types of auditing you require by using the Group Policy snap-in to Microsoft Management Console (MMC). You also must enable auditing for the general areas or specific items you want to track. Perform the next two exercises on the same computer.

Exercise 1: Activating Security Auditing for Failed Logon Attempts

  1. Click Start, click Run, type mmc, and then click OK.
  2. On the Console menu, click Add/Remove Snap-In.

    The Add/Remove Snap-In dialog box appears.

  3. Click Add.

    The Add Standalone Snap-In dialog box appears.

  4. Select Group Policy, and then click Add.

    The Select Group Policy dialog box appears.

  5. Click Finish to add the local computer.

    You can also click Browse and then select another computer on your network.

  6. In the Add Standalone Snap-In dialog box, click Close.
  7. In the Add/Remove Snap-In dialog box, click OK.
  8. Under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies, click Audit Policy, as illustrated in Figure 9.26.

    Figure 9.26 Selecting audit policy for the local computer policy

  9. In the details pane, right-click the Audit Logon Events attribute, and then click Security.

    The Local Security Policy Setting dialog box appears.

  10. Under Audit These Attempts, select Failure, and then click OK.

Viewing the Security Event Log

You can specify that an audit entry be written to the security event log whenever certain actions are performed or files are accessed. The audit entry shows the action performed, the user who performed it, and the date and time of the action. You can audit both successful and failed attempts at actions, so the audit trail can show who performed actions on the network and who tried to perform actions that are not permitted. You can view the security log in the Event Viewer.

Recording security events is a form of intrusion detection through auditing. Auditing and security logging of network activity are important safeguards. Windows 2000 enables you to monitor a wide variety of events that can be used to track the activities of an intruder.

The security log records security events, such as valid and invalid logon attempts, and events related to resource use, such as creating, opening, or deleting files or other objects. The security log helps track changes to the security system and identifies any possible breaches of security. For example, attempts to log on to the system might be recorded in the security log, if logon and logoff auditing are enabled. If the security log is examined regularly, it makes it possible to detect some types of attacks, such as password attacks, before they succeed. After a break-in, the security log can help you determine how the intruder entered and what he or she did. The log file entries can serve as legal evidence after the intruder has been identified.


For the highest level of security, monitor the log files constantly.

Practice: Viewing the Security Log

Event logs consist of a header, a description of the event (based on the event type), and, optionally, additional data that you may want recorded about a specific event. Most security log entries consist of the header and a description. Event Viewer displays events from each log separately. Each line shows information about a single event, including date, time, source, event type, category, event ID, user account, and computer name. In this practice, you will view the security event log to detect attempted unauthorized network access. To complete this practice, you must have performed the steps in the exercise of the previous practice, "Recording Failed Logon Attempts."

Exercise 1: Viewing the Security Event Log

  1. Attempt to log on to the Windows 2000 computer on which you activated security auditing for failed logon attempts using an invalid user name and password.
  2. After failing to log on, use a valid user name and password to log on to Windows 2000.
  3. Click Start, point to Programs, point to Administrative Tools, then click Event Viewer.

    Event Viewer opens.

  4. Click Security Log in the left pane.

    Notice that the failed logon attempt is shown in the right pane of the Event Viewer, as illustrated in Figure 9.27.

    Figure 9.27 Invalid logon entry made in the security event log

  5. Double-click the Failure Audit item in the event view to open the Event Properties window.

    Notice that the description section tells you the reason for the failure and the user name entered, but not the password entered.

  6. Click OK to close the Event Properties window.
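Reading the security log by hand works for one failed logon; for a busy server you want the same check automated. The script below is an added example and is not part of the training kit. It parses the tab-delimited lines Event Viewer writes when you save a log as text (the eight fields listed above: date, time, source, type, category, event ID, user, computer) and applies the first two rows of Table 9.4 as detection rules: a burst of Failure Audit logon events for one account suggests random password guessing, and a Success Audit that follows such a burst suggests a stolen or guessed password. The log lines are constructed for this example; event IDs 529 (failed logon, bad user name or password) and 528 (successful logon) are the Windows 2000 values. Treating the User column as the account the entry belongs to is an assumption made here to keep the example to the fields the practice names.

```python
"""Detection rules from Table 9.4 run over a saved Windows 2000 security log.

Added example, not from the training kit. Assumes Event Viewer's tab-delimited
text export with the columns Date, Time, Source, Type, Category, Event, User,
Computer. The sample lines below are constructed; they are not a real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export: five failed logons for one account in 30 seconds,
# followed by a successful logon for the same account.
SAMPLE_LOG = """\
Date\tTime\tSource\tType\tCategory\tEvent\tUser\tComputer
3/14/2004\t9:01:10 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSERVER1\\jsmith\tSERVER1
3/14/2004\t9:01:14 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSERVER1\\jsmith\tSERVER1
3/14/2004\t9:01:19 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSERVER1\\jsmith\tSERVER1
3/14/2004\t9:01:25 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSERVER1\\jsmith\tSERVER1
3/14/2004\t9:01:31 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSERVER1\\jsmith\tSERVER1
3/14/2004\t9:02:02 AM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tSERVER1\\jsmith\tSERVER1
3/14/2004\t9:30:00 AM\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSERVER1\\mlee\tSERVER1
3/14/2004\t9:30:40 AM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tSERVER1\\mlee\tSERVER1
3/14/2004\t9:45:00 AM\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tSERVER1\\Administrator\tSERVER1
"""

FIELDS = ["date", "time", "source", "type", "category", "event", "user", "computer"]


def parse_export(text):
    """Turn the export into a list of dicts, adding a combined 'when' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Date\t"):
            continue  # skip blank lines and the header row
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%m/%d/%Y %I:%M:%S %p")
        events.append(rec)
    return events


def detect_logon_threats(events, failures=5, window=timedelta(minutes=10)):
    """Apply the logon/logoff rows of Table 9.4.

    random_password_hack: at least `failures` Failure Audit logon entries for
        one account inside `window` (reported once per burst).
    stolen_password: a Success Audit logon for an account that had three or
        more failures inside `window` just before it.
    Returns (rule, account, timestamp) tuples in chronological order.
    """
    recent_failures = defaultdict(deque)  # account -> timestamps of failures
    flagged = set()                       # accounts already reported for a burst
    alerts = []
    for ev in sorted(events, key=lambda e: e["when"]):
        if ev["category"] != "Logon/Logoff":
            continue
        acct = ev["user"]
        q = recent_failures[acct]
        while q and ev["when"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the sliding window
        if ev["type"] == "Failure Audit":
            q.append(ev["when"])
            if len(q) >= failures and acct not in flagged:
                alerts.append(("random_password_hack", acct, ev["when"]))
                flagged.add(acct)
        elif ev["type"] == "Success Audit":
            if len(q) >= 3:
                alerts.append(("stolen_password", acct, ev["when"]))
            q.clear()
            flagged.discard(acct)
    return alerts


if __name__ == "__main__":
    for rule, acct, when in detect_logon_threats(parse_export(SAMPLE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {rule:22s}  {acct}")
```

The thresholds (five failures in ten minutes, three failures before a success) are starting points, not Microsoft guidance; tune them to your lockout policy so that an ordinary mistyped password does not page anyone while a sustained guessing run still does.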

System Monitor

System Monitor is a tool that can be used to track system resource usage. System Monitor can be used to test an application's usage of system resources. Common objects that a user can log are memory, CPU, network, and disk activity. Some additional counters, although not performance related, provide useful information about server security. These include

  • Server\Errors Access Permissions
  • Server\Errors Granted Access
  • Server\Errors Logon
  • IIS Security

Follow these steps to monitor security events using System Monitor:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Performance.

    System Monitor opens in the MMC.

  2. In the right pane, click Add.

    The Add Counters dialog box appears, as illustrated in Figure 9.28.

    Figure 9.28 Adding the Error Logon counter

  3. In the Performance Object drop-down list box, select Server.
  4. Click Select Counters From List.
  5. In the Counters list, select a counter, and then click Add.
  6. Click Close to close the Add Counters dialog box.

Monitoring Security Overhead

Security is achieved only at some cost in performance. Measuring the performance overhead of a security strategy is not simply a matter of monitoring a separate process or thread. The features of the Windows 2000 security model and other security services are integrated into several different operating system services. You cannot monitor security features separately from other aspects of the services. Instead, the most common way to measure security overhead is to run tests comparing server performance with and without a security feature. The tests should be run with fixed workloads and a fixed server configuration so that the security feature is the only variable. During the tests, you should measure

  • Processor activity and the processor queue
  • Physical memory used
  • Network traffic
  • Latency and delays
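The method the text describes, the same fixed workload run with and without the security feature so that the feature is the only variable, can be scripted. The harness below is an added example and is not from the training kit. It stands in for a server test: the "security feature" is an HMAC-SHA256 tag computed over each message (chosen for this example, not a Windows 2000 feature), the workload is a constructed batch of messages, and the harness reports the two metrics a script can capture directly, processor time and per-message latency. Physical memory and network traffic, the other two items in the list, would come from System Monitor counters collected during the same runs. The best of several repeats is kept for each configuration so that an unrelated process waking up during one run does not get charged to the feature.

```python
"""Fixed-workload A/B measurement of a security feature's overhead.

Added example, not from the training kit. The feature under test is an
HMAC-SHA256 tag added to each message (a stand-in chosen for this example);
the workload is constructed. Only processor time and latency are measured
here; memory and network counters come from System Monitor.
"""
import hashlib
import hmac
import time

KEY = b"example-key-for-measurement-only"  # constructed, not a real secret


def make_workload(count=20000, size=256):
    """Build a fixed, deterministic batch of messages (constructed input)."""
    return [(f"msg-{i:06d}-" * 16).encode()[:size] for i in range(count)]


def process(messages, secure):
    """The workload: hash each message, with or without the security feature.

    With secure=True an HMAC tag is computed and appended before hashing, which
    is the only difference between the two configurations.
    """
    out = []
    for payload in messages:
        if secure:
            payload = payload + hmac.new(KEY, payload, hashlib.sha256).digest()
        out.append(hashlib.sha1(payload).hexdigest())
    return out


def measure(messages, secure, repeats=5):
    """Run the workload `repeats` times; keep the best processor time and
    wall-clock latency so one noisy run does not distort the comparison."""
    best_cpu = best_wall = float("inf")
    for _ in range(repeats):
        cpu0, wall0 = time.process_time(), time.perf_counter()
        process(messages, secure)
        best_cpu = min(best_cpu, time.process_time() - cpu0)
        best_wall = min(best_wall, time.perf_counter() - wall0)
    return {"cpu_s": best_cpu,
            "latency_us_per_msg": best_wall / len(messages) * 1e6}


def overhead(messages):
    """Compare baseline and secured runs of the same workload."""
    base = measure(messages, secure=False)
    sec = measure(messages, secure=True)
    cpu_pct = ((sec["cpu_s"] - base["cpu_s"]) / base["cpu_s"] * 100
               if base["cpu_s"] > 0 else float("nan"))
    return {"baseline": base, "secured": sec, "cpu_overhead_pct": cpu_pct}


if __name__ == "__main__":
    result = overhead(make_workload())
    for name in ("baseline", "secured"):
        r = result[name]
        print(f"{name:9s} cpu={r['cpu_s']:.4f}s "
              f"latency={r['latency_us_per_msg']:.2f}us/msg")
    print(f"cpu overhead: {result['cpu_overhead_pct']:.1f}%")
```

Keep the message count, message size, and machine state identical between runs; if you change the workload between the baseline and the secured run, the difference you measure is no longer attributable to the feature.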

Lesson Summary

You should monitor network security activity to identify weaknesses before they are exploited. You can use Event Viewer to view and manage Windows 2000 security events. The audit entry shows the action performed, the user who performed it, and the date and time of the action. Both System Monitor and Network Monitor can provide useful information about server security. The IPSec Monitor can confirm whether your secured communications are successful. In addition, you can use Routing and Remote Access to monitor remote access traffic in Windows 2000, and enable logging to review this data.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244