Auditing Events

Auditing is a necessary part of network administration. By reviewing reports and event logs, you can track usage patterns, security problems, and network traffic trends. Beware of the impulse to audit everything, however. The more events you audit, the bigger the logs. Reviewing huge event logs is a painful chore, and eventually no one looks at them anymore. Therefore, it’s critical to decide on an auditing policy that protects your network without creating a large administrative burden. Also bear in mind that every audited event results in a small increase in performance overhead.

Pre-Defined Performance and Usage Reports

To set up Windows Small Business Server auditing, complete the following steps:

  1. Select Server Management from the Start menu. Select Monitoring and Reporting in the console tree, and then click Set Up Monitoring Reports And Alerts to start the Monitoring Configuration Wizard.

  2. On the Reporting Options page, make report choices.

    • Performance Report: After the wizard completes, the performance report is viewable (by a member of the Domain Admins group) in Server Management. Select the option, and receive a daily report in e-mail as well. Performance reports include information about the server specifications, the processes being run, and any critical errors in critical logs.

    • Usage Report: The Usage Report includes information about Internet, fax, and e-mail use. You can select just the option to view the report in Server Management, or you can also specify that you want to receive the report in e-mail.

  3. If you chose an e-mail option, supply the destination e-mail address (or addresses) on the E-mail Options page.

  4. On the Business Owner Usage Report page, which is perhaps not the most unambiguous title, you can specify users (other than members of the Domain Admins group) who should receive reports. These users receive an e-mail telling them where to view the reports on the intranet.

  5. On the Alerts page, click the option to receive notification of performance alerts by e-mail. Because these alerts warn of system problems that can be serious, someone with an administrative account should receive them. Supply one or more destination e-mail addresses.

  6. The final page of the wizard summarizes the choices made. Click Finish to set up the reports.

    The wizard performs the configuration, and a dialog box (Figure 10-32) keeps you apprised of its progress.

Figure 10-32: The Monitoring Configuration Wizard finishes setup.


Neither Performance nor Usage Reports are available instantly. The first Usage Report can take up to 24 hours to assemble and Performance data is gathered just once per hour.

Customizing Auditing

Every audited event tells you something, but it’s not always something you need to know. For example, auditing successful logons and logoffs might reveal the use of a stolen password, or it might just produce countless pages showing that your duly authorized users are logging on and off as expected. Auditing logon failures, however, can definitely be rewarding when someone is trying a random password hack.

Table 10-9 lists the categories of events that can be audited.

Table 10-9: Auditing categories

| Event Category | Activated When |
|---|---|
| Account logon events | A domain controller receives a logon request |
| Account management | A user account or group is created or changed |
| Directory service access | An Active Directory object is accessed |
| Logon events | A user logs on or logs off |
| Object access | An object is accessed |
| Policy change | A policy affecting security, user rights, or auditing is modified |
| Privilege use | A user right is used to perform an action |
| Process tracking | An application executes an action that is being tracked |
| System events | A computer is rebooted or shut down, or another event occurs that affects security |

To change the settings on auditing events, complete the following steps:

  1. Select Group Policy Management from the Administrative Tools menu.

  2. In the console tree under Group Policy Objects, right-click Default Domain Controllers Policy and select Edit.

  3. In the console tree of the Group Policy Object Editor, expand Computer Configuration, Windows Settings, Security Settings, and Local Policies to reach Audit Policy (Figure 10-33).

    Figure 10-33: Auditing categories in the GPO for domain controllers.

  4. Double-click an auditing category in the details pane to change a policy definition. Click OK when finished.

Viewing Event Logs

Event logs must be viewed with regularity for auditing to be useful. To view the security log, open Event Viewer from the Administrative Tools folder and then click Security. Double-click any entry to see more information about it. The security entries in Figure 10-34 occurred over a couple of minutes because the object being audited was set to audit successful events. Of course, you’ll generally learn more from auditing failed events than from auditing successful ones, but this does demonstrate the need to choose your auditing battles carefully.

Figure 10-34: Viewing the security log.

Searching Event Logs

No matter how selective you are, the event logs mix all sorts of information together, making searches for specific information difficult. To search for a specific type of event, select the log in Event Viewer, and choose Filter from the View menu. In the Properties dialog box, shown in Figure 10-35, select the type or types of events you want returned. Table 10-10 describes the filtering options in the Properties dialog box.

Figure 10-35: Filtering for specific types of events in a log.

Table 10-10: Options for filtering event logs

| | Use to Search or Filter for |
|---|---|
| | Notification that some major operation has been performed successfully. |
| | Notification of some problem or potential problem. Warnings might or might not be significant. For example, an “unexpected” reboot of the server with the reason “other” generates a warning. |
| | Notification of an important event. Errors signify a loss of data or a loss of function. For example, failure of a service to start during bootup generates an error. |
| Success Audit | Events audited for success. |
| Failure Audit | Events audited for failure. |
| Event Source | A source for an event, such as a system component or a program. |
| | Events by category, such as logon/logoff, policy change, or process tracking. |
| Event ID | The specific ID number assigned to each logged event. |
| | A specific user. |
| | A specific computer. |
| | Events after a specific date. The default is the first date in the log. You can click the drop-down box to select events on a specific date. |
| | Events before a specific date. The default is the last date in the file. |
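
The same kind of filtering can be run over a security log that has been saved from Event Viewer as comma-delimited text. The following is an added example, not code from the book: the column order, the EXAMPLE domain, the SBS01 computer name, the event IDs, and every sample row are constructed assumptions. It filters on type, category, user, and date range, then reports accounts that produce a burst of failure audits, which is the pattern a password-guessing attempt or repeated unauthorized access leaves behind.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed rows; assumed export columns, in order, are named in FIELDS.
FIELDS = ["date", "time", "source", "type", "category", "event_id", "user", "computer"]
SAMPLE_EXPORT = r"""
6/14/2004,9:01:12 AM,Security,Success Audit,Logon/Logoff,528,EXAMPLE\alice,SBS01
6/14/2004,9:02:40 AM,Security,Failure Audit,Object Access,560,EXAMPLE\bob,SBS01
6/14/2004,9:02:41 AM,Security,Failure Audit,Object Access,560,EXAMPLE\bob,SBS01
6/14/2004,9:02:43 AM,Security,Failure Audit,Object Access,560,EXAMPLE\bob,SBS01
6/14/2004,9:02:44 AM,Security,Failure Audit,Object Access,560,EXAMPLE\bob,SBS01
6/14/2004,9:30:00 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\SYSTEM,SBS01
6/14/2004,4:45:30 PM,Security,Failure Audit,Object Access,560,EXAMPLE\bob,SBS01
"""

def parse_export(text):
    """Return one dict per exported event, with a parsed timestamp in 'when'."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) < len(FIELDS):
            continue  # blank or truncated line
        ev = dict(zip(FIELDS, (cell.strip() for cell in row)))
        ev["when"] = datetime.strptime(f"{ev['date']} {ev['time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(ev)
    return events

def filter_events(events, start=None, end=None, **equals):
    """Keep events that match every given field value and fall inside the date bounds."""
    return [ev for ev in events
            if all(ev[field] == value for field, value in equals.items())
            and (start is None or ev["when"] >= start)
            and (end is None or ev["when"] <= end)]

def failure_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map (user, category) to its largest count of failure audits inside one window."""
    times = defaultdict(list)
    for ev in filter_events(events, type="Failure Audit"):
        times[(ev["user"], ev["category"])].append(ev["when"])
    bursts = {}
    for key, stamps in times.items():
        stamps.sort()
        lo = best = 0
        for hi, stamp in enumerate(stamps):
            while stamp - stamps[lo] > window:
                lo += 1  # slide the window start forward
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts
```

Calling `failure_bursts(parse_export(SAMPLE_EXPORT))` flags only the account with four object-access failures inside five minutes; the isolated failures and the success audit are ignored.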

Setting the Size of Event Logs

When an event log is full, a dialog box pops up to notify you. If this happens often, you might want to reduce the number of items being reported or increase the size of the log. To set event log options, complete the following steps:

  1. Select Event Viewer from the Administrative Tools menu.

  2. Right-click the log you want to configure and choose Properties.

  3. On the General tab, select the options you want. Under When Maximum Log Size Is Reached, there are three options:

    • If you don’t archive this log, select Overwrite Events As Needed.

    • If you archive this log at regular intervals, you can select the Overwrite Events Older Than option. Fill in the appropriate number of days.

    • Do Not Overwrite Events, the last option, means that the log must be cleared manually. When the maximum log size is reached, new events are simply not recorded.

  4. Click OK when you’re finished.


Caution is in order if you primarily log failure attempts. It’s possible that users persistently trying to access a resource that they’re not authorized to use could produce enough failure audits to fill the log and prevent the server from recording any more audit events.
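
What each overwrite option does to the evidence during such a burst can be seen in a small model. This is an added example, not from the book: capacity is counted in events rather than kilobytes, the event stream is constructed, and the policy names are hypothetical labels for the three options on the General tab.

```python
from datetime import datetime, timedelta

def record(log, event, capacity, policy, keep_days=7):
    """Try to write (timestamp, text) to the log; return True if it was recorded."""
    if len(log) >= capacity:
        oldest_time = log[0][0]
        if policy == "overwrite_as_needed":
            log.pop(0)  # the oldest event is sacrificed
        elif (policy == "overwrite_older_than"
              and event[0] - oldest_time > timedelta(days=keep_days)):
            log.pop(0)  # the oldest event is past the retention period
        else:
            return False  # do_not_overwrite, or nothing is old enough to replace
    log.append(event)
    return True

def simulate(policy, capacity=5):
    """Feed 3 normal events, a burst of 6 failure audits, then 1 policy change."""
    t0 = datetime(2004, 6, 14, 9, 0)  # constructed timeline
    stream = [(t0 + timedelta(minutes=i), "normal") for i in range(3)]
    stream += [(t0 + timedelta(minutes=10, seconds=i), "failure audit") for i in range(6)]
    stream += [(t0 + timedelta(hours=1), "policy change")]
    log, dropped = [], []
    for event in stream:
        if not record(log, event, capacity, policy):
            dropped.append(event[1])
    return [text for _, text in log], dropped

if __name__ == "__main__":
    for policy in ("overwrite_as_needed", "overwrite_older_than", "do_not_overwrite"):
        kept, dropped = simulate(policy)
        print(f"{policy}: kept={kept} dropped={dropped}")
```

With Overwrite Events As Needed the burst pushes out the earlier events but the later policy change is still recorded; with the other two options the policy change is never written, because a log that is full and holds nothing older than the retention period discards new events.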

Microsoft Windows Small Business Server 2003 Administrator's Companion
ISBN: 0735620202
EAN: 2147483647
Year: 2004
Pages: 224 © 2008-2017.