Top 12 Events to Monitor in the Windows Server Security Log

Webinar Registration

Last year we spent a lot of time, and rightly so, on Active Directory and domain controllers. But don’t forget your member servers. That’s where your data actually resides and bad guys can make a lot of noise once inside a member server that you won’t hear if you are only watching Active Directory. There’s a wealth of security information available in their logs. In this real training for free event I will highlight the 12 most important things to monitor in the Security Log of your Windows servers:

Audit policy changes
User right assignments
Local account authentication policy changes
Local user account changes
Local account enumeration
Logon right changes
Local group membership changes
New software installed
Failed logon attempts
Any attempt to logon as local Administrator
Firewall policy change
New device attached

Many of the above points are actually multiple event IDs. For each item I’ll show you:

How to configure Windows audit policy to make sure the event is actually logged
Examples of the event from my lab server
How to interpret the event and its fields.

There’s a lot to talk about on this last one since the Windows Security Log can be rather cryptic and noisy. Plus, there are some important things that Windows just does not log or where it leaves a lot to be desired. So we’ll discuss these gaps as well.

Netwrix is our sponsor for this training and Adam Stetson, Systems Engineer @Netwrix will briefly show you how Netwrix Auditor delivers complete visibility into Windows Server changes and reports on Windows Server configuration details, so you can easily detect deviations from a known good baseline.

This session covers a crucial aspect of comprehensive security monitoring of the overall Windows environment. While domain controllers and member servers both run Windows and have the same security log, certain events logged on a member server should be interpreted much differently than on a DC - and vice versa.

In this webinar I will focus on what makes monitoring member servers unique and share the 12 most important events that should generate real-time alerts when detected on your important member servers.

Please join us for this real training for free event.

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Organization:	Required
Country:	Required
City:	Required
State:	Required
Zip/Postal Code:	Required
Company Size:	RequiredRequired
Job Title:	RequiredRequired
Industry:	RequiredRequired
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.