Administrative policies for a security plan should include policies for delegation of administrative tasks and monitoring of audit logs to detect suspicious activity. In this lesson, you learn how to monitor network security events in Windows 2000 to prevent attacks and intrusion on your network.
After this lesson, you will be able to
Estimated lesson time: 45 minutes
The network security technologies you implement, such as Microsoft Proxy Server, can meet your security goals only if you plan and configure them carefully. With thorough preparation, this work can be done very successfully. However, anticipating all possible risks can be very difficult because
By continually reviewing your network security strategies, you can minimize security risks. However, you also need to watch the actual network security activity to spot weaknesses before they are exploited, and to stop attempts to break security before they are effective.
To watch your network security activity, you need tools to capture the details about the activities and to analyze the data. For example, Microsoft Proxy Server includes logging at two levels: normal and verbose. Windows 2000 also has event logging, which can be enhanced by enabling security auditing. IAS, discussed later in this chapter, has extensive activity reporting options. Third-party products are also available that can help with monitoring servers and applications, including security servers and applications.
NOTE
When using security servers and applications, be sure to review the documentation for the systems you use and select the logging options that best meet your requirements.
Event Viewer allows you to monitor events in your system. It maintains logs about program, security, and system events on your computer. You can use Event Viewer to view and manage the event logs, gather information about hardware and software problems, and monitor Windows 2000 security events. The Event Log service starts automatically when you start Windows 2000. All users can view application and system logs. You can also set up the Windows operating system to audit access to specific resources and have that access recorded in the Security Log. Table 9.4 lists the events you can audit and the threat that each audit event helps detect.
Table 9.4 Threats Detected with Auditing
| Audit event | Threat detected |
|---|---|
| Failure audit for logon/logoff | Random password hack |
| Success audit for logon/logoff | Stolen password break-in |
| Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events | Misuse of privileges |
| Success and failure audit for file-access and object-access events. File Manager success and failure audit of read/write access by suspect users or groups for the sensitive files | Improper access to sensitive files |
| Success and failure audit for printer and object-access events. Print Manager success and failure audit of print access by suspect users or groups for the printers | Improper access to printers |
| Success and failure write-access auditing for program files (.exe and .dll extensions). Success and failure auditing for process tracking. (Run suspect programs; examine the security log for unexpected attempts to modify program files or to create unexpected processes. Run only when actively monitoring the system log.) | Virus outbreak |
Security auditing is not enabled by default. You have to activate the types of auditing you require by using the Group Policy snap-in to Microsoft Management Console (MMC). You also must enable auditing for the general areas or specific items you want to track. Perform the next two exercises on the same computer.
The Add/Remove Snap-In dialog box appears.
The Add Standalone Snap-In dialog box appears.
The Select Group Policy dialog box appears.
You can also click Browse and then select another computer on your network.
Figure 9.26 Selecting audit policy for the local computer policy
The Local Security Policy Setting dialog box appears.
You can specify that an audit entry be written to the security event log whenever certain actions are performed or files are accessed. The audit entry shows the action performed, the user who performed it, and the date and time of the action. You can audit both successful and failed attempts at actions, so the audit trail can show who performed actions on the network and who tried to perform actions that are not permitted. You can view the security log in the Event Viewer.
Recording security events is a form of intrusion detection through auditing. Auditing and security logging of network activity are important safeguards. Windows 2000 enables you to monitor a wide variety of events that can be used to track the activities of an intruder.
The security log records security events, such as valid and invalid logon attempts, and events related to resource use, such as creating, opening, or deleting files or other objects. The security log helps track changes to the security system and identifies possible breaches of security. For example, attempts to log on to the system are recorded in the security log if logon and logoff auditing is enabled. If the security log is examined regularly, some types of attacks, such as password attacks, can be detected before they succeed. After a break-in, the security log can help you determine how the intruder entered and what he or she did. The log file entries can serve as legal evidence after the intruder has been identified.
NOTE
For the highest level of security, monitor the log files constantly.
Event logs consist of a header, a description of the event (based on the event type), and, optionally, additional data that you may want recorded about a specific event. Most security log entries consist of the header and a description. Event Viewer displays events from each log separately. Each line shows information about a single event, including date, time, source, event type, category, event ID, user account, and computer name. In this practice, you will view the security event log to detect an attempted unauthorized network access. To complete this practice, you must have performed the steps in the exercise of the previous practice, "Recording Failed Logon Attempts."
Event Viewer opens.
Notice that the failed logon attempt is shown in the right pane of the Event Viewer, as illustrated in Figure 9.27.
Figure 9.27 Invalid logon entry made in the security event log
Notice that the description section tells you the reason for the failure and the user name entered, but not the password entered.
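The lesson says that a regularly examined security log can reveal a password attack before it succeeds, and that each log line carries date, time, source, event type, category, event ID, user account, and computer name. The following Python script is an added example, not part of the lesson or of any Microsoft tool, of turning that review into detection logic. It assumes the security log has been exported as tab-separated lines in that column order plus the description text, and it assumes the Windows 2000 event IDs 528 (successful logon) and 529 (logon failure: unknown user name or bad password); the log records, user names, and workstation names are constructed for the example. It flags a burst of failed logons for one account from one workstation (the "random password hack" row of Table 9.4) and a successful logon that immediately follows such a burst (a guess that worked).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows 2000 security-log event IDs for logon auditing (assumed here).
LOGON_SUCCESS = 528   # Successful Logon
LOGON_FAILURE = 529   # Logon Failure: unknown user name or bad password

# Constructed sample export, one event per line, in Event Viewer's column
# order: date, time, source, type, category, event ID, user, computer,
# followed by the description text. Not real log data.
SAMPLE_LOG = """\
3/14/2000\t09:00:01\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tSERVER1\tUser Name: jsmith Workstation: WS7
3/14/2000\t09:00:04\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tSERVER1\tUser Name: jsmith Workstation: WS7
3/14/2000\t09:00:09\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tSERVER1\tUser Name: jsmith Workstation: WS7
3/14/2000\t09:00:15\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tjsmith\tSERVER1\tUser Name: jsmith Workstation: WS7
3/14/2000\t11:30:00\tSecurity\tFailure Audit\tLogon/Logoff\t529\tSYSTEM\tSERVER1\tUser Name: mlee Workstation: WS2
3/14/2000\t13:45:22\tSecurity\tSuccess Audit\tLogon/Logoff\t528\tmlee\tSERVER1\tUser Name: mlee Workstation: WS2
"""

FIELDS = ("date", "time", "source", "type", "category",
          "event_id", "user", "computer", "description")
# The description names the account that was tried and the workstation
# it came from; the "user" column of a failure is the local system.
DESC_RE = re.compile(r"User Name:\s*(\S+)\s+Workstation:\s*(\S+)")


def parse_events(text):
    """Parse the tab-separated export into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines instead of aborting the review
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                        "%m/%d/%Y %H:%M:%S")
        rec["event_id"] = int(rec["event_id"])
        m = DESC_RE.search(rec["description"])
        rec["target_user"] = m.group(1) if m else None
        rec["workstation"] = m.group(2) if m else None
        events.append(rec)
    events.sort(key=lambda r: r["when"])
    return events


def detect_logon_abuse(events, threshold=3, window=timedelta(minutes=5)):
    """Return (kind, target_user, workstation, time) alerts.

    kind is "password_guessing" when an account sees `threshold` or more
    failures from one workstation inside `window`, and
    "success_after_failures" when a successful logon follows such a burst.
    """
    recent = defaultdict(deque)   # (user, workstation) -> failure times in window
    flagged = set()               # keys already reported, to avoid repeats
    alerts = []
    for ev in events:
        if ev["category"] != "Logon/Logoff" or ev["target_user"] is None:
            continue
        key = (ev["target_user"], ev["workstation"])
        q = recent[key]
        while q and ev["when"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["event_id"] == LOGON_FAILURE:
            q.append(ev["when"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("password_guessing", key[0], key[1], ev["when"]))
        elif ev["event_id"] == LOGON_SUCCESS:
            if len(q) >= threshold:
                alerts.append(("success_after_failures", key[0], key[1], ev["when"]))
            q.clear()              # a success ends the failure streak
            flagged.discard(key)
    return alerts


if __name__ == "__main__":
    for kind, user, ws, when in detect_logon_abuse(parse_events(SAMPLE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {kind:24s} user={user} workstation={ws}")
```

On the constructed log, jsmith's three failures within eight seconds produce a password-guessing alert, and the success six seconds later produces a second alert; mlee's single failure two hours before a normal logon produces nothing. The threshold and window are the tuning knobs: a low threshold on a busy domain controller will flag users who mistype their password, so set them from what the log shows during normal operation.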
System Monitor is a tool that can be used to track system resource usage. System Monitor can be used to test an application's usage of system resources. Common objects that a user can log are memory, CPU, network, and disk activity. Some additional counters, although not performance related, provide useful information about server security. These include
Follow these steps to monitor security events using System Monitor:
System Monitor opens in the MMC.
The Add Counters dialog box appears, as illustrated in Figure 9.28.
Figure 9.28 Adding the Error Logon counter
Security is achieved only at some cost in performance. Measuring the performance overhead of a security strategy is not simply a matter of monitoring a separate process or thread. The features of the Windows 2000 security model and other security services are integrated into several different operating system services. You cannot monitor security features separately from other aspects of the services. Instead, the most common way to measure security overhead is to run tests comparing server performance with and without a security feature. The tests should be run with fixed workloads and a fixed server configuration so that the security feature is the only variable. During the tests, you should measure
You should monitor network security activity to identify weaknesses before they are exploited. You can use Event Viewer to view and manage Windows 2000 security events. The audit entry shows the action performed, the user who performed it, and the date and time of the action. Both System Monitor and Network Monitor can provide useful information about server security. The IPSec Monitor can confirm whether your secured communications are successful. In addition, you can use Routing and Remote Access to monitor remote access traffic in Windows 2000, and enable logging to review this data.