Domain controllers and member servers are obviously critical to security log monitoring, but there are many things you can only track by monitoring end-user workstation security logs. In this webinar, I will explain why the Windows network architecture makes workstation security log monitoring so important. Remote work and work-from-home only make workstation security more important. I'll show you important security activities that you can only detect from workstation logs. This includes answering questions like:
- When was the user physically present at the computer?
- What programs did the user execute?
- What is the exact reason for logon failure?
- Who accessed the laptop while it was disconnected from the network?
- Is anyone trying to break into this computer?
I’ll show you the events that answer those questions and more, and explain why you can only find these events in the workstation security log. Then I’ll take the discussion further and tackle the question of whether workstation logs should be centrally collected, or whether there is value in enabling auditing on workstations and building up an audit trail of this activity so that it will (hopefully) be there if needed in the future.
Most attacks begin with an end user at their workstation. Monitoring only servers and domain controllers means giving up the opportunity to detect and disrupt attackers earlier in the attack cycle, hopefully before real damage is done.
Please join me for this real training for free session. Our sponsor, LOGbinder, will briefly demonstrate how Supercharger for Windows Event Collection can help you centralize workstation logs without the burden of agents or remote polling.
This will be a technical, real training for free session, so don’t miss it! Please register now!