Identifying Security Risks


A network's security is only as good as the security mechanisms put into place and the review and identification process that accompanies them. Strong security entails employing Windows Server 2003 security measures such as authentication, auditing, and authorization controls, but it also means that security information is properly and promptly reviewed. Information that can be reviewed includes, but isn't limited to, Event Viewer logs, service-specific logs, application logs, and performance data.

All the security information for Windows Server 2003 can be logged, but without a formal review and identification process, the information is useless. Also, security-related information can be complex and unwieldy depending on what information is being recorded. For this reason, manually reviewing the security information may be tedious but can prevent system or network compromise.

The formal review and identification process should be performed daily. Any identified activity that is suspicious or potentially risky should be reported and dealt with appropriately. For instance, an administrator reviewing a particular security log may come across data that alerts him to suspicious activity. This incident would then be reported to the security administrator, who takes the appropriate action. Whatever the course of action may be in the organization, there should be points of escalation and remediation.




Microsoft Windows Server 2003 Unleashed (R2 Edition)
ISBN: 0672328984
EAN: 2147483647
Year: 2006
Pages: 499
