Chapter 1
Getting Started
This book is intended for any Information Technology (IT)
or Information Security professional who needs to understand the cryptic
Windows® Security log. The authors have spent countless hours experimenting
with Windows audit policy and the Security log, and have carefully documented
each event ID in the log.
This
book is a guided tour of Windows audit policy and the Security log. We will
introduce you to each of the nine Windows audit policies and the corresponding Security
log event IDs. You will learn what each category of the log has to offer and
how to leverage it for maximum value. We will also discuss the problem of noise—unwanted,
useless log events—and what you can do to minimize it.
First, the Bad News…
You can glean a wealth of information from the Windows
operating system Security log, but the mechanism isn't without problems. If
you’ve spent any time working with the Security log, you’ve likely realized
that each Windows computer—including each domain controller (DC)—has a discrete
Security log. Each DC logs security events according to the activity that it observes
but doesn’t replicate this information to the other DCs in the domain. Windows
has no native capability to centrally collect, analyze, monitor, report, and
archive the many Security logs that exist throughout your network.
Another problem is that the log's event descriptions and
codes are cryptic and often poorly documented. As if that weren’t bad enough,
Microsoft eliminates, merges, and changes the meaning of event IDs from one
version of Windows to the next. In addition, the order of
strings in a given event’s description sometimes changes between Windows
versions. These changes can really throw a wrench in the works when you upgrade
systems after having set up reports or rules that are based on an event ID or
the position of a string.
Now, the Good News
In this book, we endeavor to document the Security log
changes and give you tips for effectively managing them. We’ll provide some
practical guidance as to which events and subcategories you should audit. And we’ll
help fill in the gaps in the security settings and log information.
In Chapter 2, we’ll introduce you to the Windows
audit policy (including audit policy categories and policy settings), the Microsoft
Management Console (MMC) Event Viewer, and the format
of Security log events. We’ll explain how you can use the new policy subcategories
to fine-tune your audit policy and to make sure that you’re catching the events
that you want. We’ll tell you about a couple of new command-line tools that are
essential for configuring and understanding auditing. And we’ll introduce you
to event subscriptions and alerting. Even if you're an experienced Windows
Server administrator, we recommend that you read—or at least scan—this chapter,
which includes valuable nuggets of information that might well be new to you.
Chapter 3 will introduce Windows authentication and
logon (concepts that serve as a foundation for subsequent chapters) and will
delve into the closely related Account Logon and Logon/Logoff audit policy categories.
Chapter 4 will discuss how Windows logs authentication activity by using
Account Logon events, and Chapter 5 will deal with logon events in the
Logon/Logoff category.
In Chapter 6, we’ll examine the Detailed Tracking
category, and we’ll show you how to track programs that users execute. In
Chapter
7
, you’ll find out how to use the Object Access category to monitor
file-system activity and access attempts on other types of objects.
Chapter
8
will show you how to audit changes to users, groups, and computer
accounts by tracking events in the Account Management category, and
Chapter
9
will reveal how to use events in the Directory Service Access category to
track changes to Active Directory (AD) objects such as organizational units
(OUs) and Group Policy objects (GPOs).
Chapters
10, 11, and 12
will deal with the Privilege Use, Policy Change, and System
categories, respectively. And in Chapter 13, we’ll give you some pointers
to manage event logs from multiple computers on an enterprise system.
Bottom Line
Windows can generate a detailed audit record of security
events on each system. But exploiting that information is a lot like mining
low-grade ore: You must carry out a laborious refining process before you can
get to the gold.
Unless your needs are limited to occasional
investigations, you'll want some type of automated solution for collecting,
monitoring, reporting, and archiving the Security logs that are scattered
throughout your network. Many such tools are on the market. The two most
important criteria in choosing which product to use are 1) whether the product
can meet your scalability needs and 2) whether it provides the ability to build
sophisticated alerts and rules based on specific string positions within an
event’s description. Our contacts at Microsoft indicate that this latter capability
will become even more important for future versions of Windows.
Next Chapter
Back to top
Supercharger Enterprise