Auditing for Increased Security

You will need to audit your systems for enhanced and increased security. When the people at Microsoft presented this objective, they were most likely thinking about building your security strategy with defense in depth. This strategy is outlined as a way to avoid depending on a single protective measure deployed on your network. You are not secure by simply implementing a firewall on your Internet connection. You should also implement other security measures, such as an intrusion detection system (IDS) and biometrics for access control.

It is essential to understand that you need many levels (hence, defense in depth) of security to be truly safe from potential threats. A defense-in-depth matrix with auditing included could look something like Figure 10.1.

Figure 10.1: Defense in Depth

So now that you know why auditing is so important, you could probably benefit from a good definition of the term auditing. Auditing is the process of analyzing gathered data in order to identify a possible problem or, in the security arena, an attack or exploit. Auditing is best used on any system that can generate some type of log file that you can save, refer to, and analyze, especially over time.

Your security strategy should implement a strong policy on auditing systems. If you are strapped for time, you should at least implement a policy to audit your most critical systems or the systems that face the Internet. This way, you can be somewhat informed of possible attacks on systems that, if rendered inoperable, could put you out of business.

You should try to determine the level of auditing you need to deploy on your systems, because excessive auditing will generate too many events to view and analyze.

Every event that auditing records falls into one of two categories:

  • Success: A success event indicates that a user has successfully gained access to a resource.

  • Failure: A failure event indicates that a user has attempted to gain access to a resource but failed.

These two categories determine many things. If you monitor both, you can find patterns, such as a series of logon failures, which could indicate that someone is trying to log on to a system and failing each time. One problem with auditing of this kind is that an administrator who has forgotten a password, or who has the Caps Lock key on while trying to log on, can generate a false positive. This result would show up in the Event Log. If you see a series of failures followed by a success, then either the administrator figured out the error or, if it is an attack, the attacker was able to breach the system. This is how success and failure auditing work in conjunction with one another.
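The pattern just described, a burst of logon failures for one account that is or is not followed by a success, can be picked out of the Security log programmatically. The following Python is an added example, not code from the study guide or from Microsoft; the event records are constructed sample data in a simplified (timestamp, category, account, source) shape, and the threshold and window values are assumptions you would tune for your own environment. Bursts with no subsequent success are reported as attempts only; bursts closed by a success are reported for review, because the log alone cannot tell the Caps Lock case from a successful break-in.

```python
"""Added example (not from the study guide): correlate Success and Failure
logon audit events to surface bursts of failures and whether a success
followed them. All event records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log records: (timestamp, category, account, source)
SAMPLE_EVENTS = [
    ("2003-05-01 08:59:50", "Failure", "administrator", "10.0.0.5"),
    ("2003-05-01 09:00:02", "Failure", "administrator", "10.0.0.5"),
    ("2003-05-01 09:00:08", "Failure", "administrator", "10.0.0.5"),
    ("2003-05-01 09:00:10", "Success", "administrator", "10.0.0.5"),  # Caps Lock fixed, or a breach
    ("2003-05-01 09:30:00", "Success", "jsmith", "10.0.0.8"),         # ordinary logon, no finding
    ("2003-05-01 23:10:00", "Failure", "backupsvc", "192.0.2.44"),
    ("2003-05-01 23:10:05", "Failure", "backupsvc", "192.0.2.44"),
    ("2003-05-01 23:10:10", "Failure", "backupsvc", "192.0.2.44"),
    ("2003-05-01 23:10:15", "Failure", "backupsvc", "192.0.2.44"),
    ("2003-05-01 23:10:20", "Failure", "backupsvc", "192.0.2.44"),
    ("2003-05-01 23:10:25", "Failure", "backupsvc", "192.0.2.44"),
    ("2003-05-01 23:10:30", "Success", "backupsvc", "192.0.2.44"),    # failures then success
    ("2003-05-01 23:40:00", "Failure", "guest", "192.0.2.44"),
    ("2003-05-01 23:40:05", "Failure", "guest", "192.0.2.44"),
    ("2003-05-01 23:40:10", "Failure", "guest", "192.0.2.44"),
    ("2003-05-01 23:40:15", "Failure", "guest", "192.0.2.44"),        # failures only
]


def parse(records):
    """Turn the string timestamps into datetimes and order the events by time."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cat, acct, src)
              for ts, cat, acct, src in records]
    return sorted(parsed)


def find_logon_patterns(records, threshold=3, window=timedelta(minutes=5)):
    """Return one finding per burst of at least `threshold` failures from the
    same account and source inside `window`, noting whether a success followed.
    `threshold` and `window` are assumed tuning values, not Windows settings."""
    by_key = defaultdict(list)
    for event in parse(records):
        by_key[(event[2], event[3])].append(event)

    findings = []
    for (account, source), events in by_key.items():
        failures = []   # timestamps of failures still inside the window
        burst = None    # the finding currently being built for this key
        for ts, category, _, _ in events:
            # Age out failures older than the window; an aged-out burst is closed.
            failures = [t for t in failures if ts - t <= window]
            if burst is not None and not failures:
                burst = None
            if category == "Failure":
                failures.append(ts)
                if burst is None and len(failures) >= threshold:
                    burst = {"account": account, "source": source,
                             "first_failure": failures[0], "failures": len(failures),
                             "outcome": "failures_only", "success_at": None}
                    findings.append(burst)
                elif burst is not None:
                    burst["failures"] += 1
            else:
                # A success inside the window closes the burst and marks it for review.
                if burst is not None:
                    burst["outcome"] = "failures_then_success"
                    burst["success_at"] = ts
                burst = None
                failures = []
    return sorted(findings, key=lambda f: f["first_failure"])


if __name__ == "__main__":
    for f in find_logon_patterns(SAMPLE_EVENTS):
        print(f"{f['account']:14} from {f['source']:12} {f['failures']} failures "
              f"from {f['first_failure']:%H:%M:%S} -> {f['outcome']}")
```

Running the block over the sample data reports three bursts: administrator and backupsvc as failures followed by a success (worth a look, but possibly just a corrected typo), and guest as failures only (an attempt that did not get in). The single successful logon by jsmith produces no finding, which is the point of keying the correlation on both account and source rather than on failures alone.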

Notes from the Underground…
Don't Overdo It

When you are preparing to audit your systems, you really need to do some analysis before the analysis! Do some research and think about what you are trying to determine using auditing. It is not wise to simply turn on all auditable events without knowing what it is you are enabling. Excessive auditing could actually cause you to lose some logged events if you have the log set to overwrite events as needed. Excessive logging could push an event you might need to see out of the readable log you were going to analyze.

We discuss ways that you can stop this activity in this chapter, but for now remember that if you blindly turn on auditing without thinking about what you want to accomplish, you could actually lose data. There are ways to prevent that from happening. One is to adjust the log size so that it will hold more events. Another is to set the log so that events can only be cleared manually, so you don't lose data. Both methods are explained in more detail later in the chapter. You could also use add-on products or third-party tools, such as Microsoft Operations Manager (MOM), to accumulate your events in one centralized location; these can help you to gather, filter, and analyze massive amounts of events from all your systems.

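The sidebar's warning, that excessive auditing can push an event you need out of a log set to overwrite as needed, is easy to see with a small model. The following Python is an added example, not code from the study guide or from Microsoft: it models a bounded event log under the three retention settings Event Viewer offers (overwrite events as needed, overwrite events older than a number of days, do not overwrite), writes one critical event and then a flood of constructed low-value success audits, and reports whether the critical event survived and how many writes the log refused. The model counts events rather than bytes, and the event names, limits and timestamps are constructed.

```python
"""Added example (not from the study guide): a bounded event log under the
three Event Viewer retention settings, used to show how a flood of low-value
audit events evicts a critical event. All values are constructed sample data."""
from collections import deque
from datetime import datetime, timedelta

OVERWRITE_AS_NEEDED = "overwrite_as_needed"
OVERWRITE_OLDER_THAN = "overwrite_older_than"
DO_NOT_OVERWRITE = "do_not_overwrite"   # clear the log manually


class BoundedLog:
    """Event log with a fixed capacity (counted in events, not bytes) and a
    retention policy applied when a write arrives at a full log."""

    def __init__(self, max_events, retention, keep_for=timedelta(days=7)):
        self.max_events = max_events
        self.retention = retention
        self.keep_for = keep_for        # only used by OVERWRITE_OLDER_THAN
        self.events = deque()
        self.refused = 0                # writes the full log could not accept

    def write(self, ts, message):
        """Append an event, evicting the oldest one only when the policy allows."""
        if len(self.events) >= self.max_events:
            if self.retention == OVERWRITE_AS_NEEDED:
                self.events.popleft()
            elif self.retention == OVERWRITE_OLDER_THAN:
                oldest_ts, _ = self.events[0]
                if ts - oldest_ts > self.keep_for:
                    self.events.popleft()
                else:
                    self.refused += 1
                    return False
            else:
                self.refused += 1
                return False
        self.events.append((ts, message))
        return True

    def contains(self, message):
        return any(m == message for _, m in self.events)


def flood_scenario(retention, max_events=100, noise=500):
    """Write one critical event, then `noise` object-access success audits one
    second apart (constructed), and report what the log holds afterwards."""
    log = BoundedLog(max_events, retention)
    t0 = datetime(2003, 5, 1, 9, 0, 0)
    critical = "CRITICAL: member added to Domain Admins"   # the event we need later
    log.write(t0, critical)
    for i in range(noise):
        log.write(t0 + timedelta(seconds=i + 1), f"object access success #{i}")
    return {"retention": retention,
            "critical_retained": log.contains(critical),
            "stored": len(log.events),
            "refused": log.refused}


if __name__ == "__main__":
    for policy in (OVERWRITE_AS_NEEDED, OVERWRITE_OLDER_THAN, DO_NOT_OVERWRITE):
        print(flood_scenario(policy))
```

With overwrite-as-needed the critical event is gone after the flood; with the other two settings it survives, but several hundred later writes are refused because the log is full and nothing is old enough to age out. On a real Windows system a full "do not overwrite" Security log means new audit events are discarded until an administrator clears it, so that setting needs a larger log size and monitoring of how full the log is, which is the trade-off the sidebar is pointing at.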

Test Day Tip 

For the exam, you need to fully understand the basics of auditing. You will not have to master every aspect of auditing, but you will want to make sure that when you work in a production environment, you fully understand all the concepts of auditing to be successful in tracking problems and issues that occur.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162