Security Monitoring and Attack Detection Planning Guide

Chapter 2 - Approaches to Security Monitoring

Updated: October 16, 2007

Introduction

No company would contemplate conducting business from premises that did not have adequate physical security, such as locks, alarm systems, cameras, fencing, or even security guards. Yet many companies are only becoming aware of the necessity for equal security measures to protect network assets from both external attack and internal intrusion.

Security systems such as cameras and motion detectors are useful ways of detecting attempts to enter a building or a restricted area. However, organizations also need to implement systems that monitor network assets and detect attackers. Hence security monitoring is an important component of a successful network security strategy.

In August 2004, the United States Secret Service, in conjunction with Carnegie Mellon University Software Engineering Institute's CERT Coordination Center, released a white paper that documents instances in which institutions have been vulnerable to massive fraud committed by their own internal users. For more information, see the "Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector" white paper at http://www.secretservice.gov/ntac/its_report_040820.pdf.

The 2004 E-Crime survey documents further evidence of this threat. The respondents to this survey included government and organizations in the information, telecommunications, banking, and financial sectors. The survey revealed that 43 percent of respondents detected an increase in electronic crime and data intrusions and that 70 percent reported at least one electronic crime in the previous year. The total cost of electronic crimes for all respondents exceeded 600 million U.S. dollars. For more information about the 2004 E-Crime survey, see the 2004 E-Crime Watch Survey Shows Significant Increase in Electronic Crimes press release at http://www.csoonline.com/releases/ecrimewatch04.pdf.

Continued increases in business regulations and a greater awareness of the threats that external and internal attackers present have resulted in increased demands to implement effective security monitoring. To plan effective security monitoring, you must know what technologies are available to implement your solution. This chapter describes the Microsoft technologies that enable security monitoring and that correlate security logs for analysis and archival.

Note:  This document distinguishes between internal and external attacks. An internal attack is one that an employee, usually an administrator, carries out. An external attack comes from outside the organization. Although the increasing prevalence of technologies such as wireless networking makes it possible for external attackers to mount attacks that originate inside the network perimeter, these are still considered external attacks.

Implement Security Monitoring

You can record security events using the built-in security event log file that is included in all versions of Microsoft® Windows® from Microsoft Windows NT® version 3.1 and later. This log file provides the basis for security monitoring on Windows-based networks. Additional utilities and programs can correlate these recorded events into a central repository.

The security event log file uses a custom database format to record security monitoring data. You can read parts of this file, such as computer names and IP addresses, in a text editor. However, reading all the information in the security logs requires a suitable program, such as the Event Viewer console. The security event log file (SecEvent.evt) resides in the %systemroot%\System32\config directory. Unlike the application and system logs, the default NTFS file system permissions on this file allow only members of the Administrators group and the system account to access it.

The security event log records two types of event: success audits and failure audits. A success audit event indicates that an operation that a user, service, or program performed completed successfully. A failure audit indicates that a similar operation did not complete successfully. For example, if you enable logon audits for failure events, the security event log records unsuccessful logon attempts.

Note:  Microsoft Windows Server™ 2003 with Service Pack 1 provides the ability to configure different security audit levels for different users. For more information about this feature, see Chapter 4, "Design the Solution."

The following table lists security event categories and the events that each category logs.

Table 2.1: Security Event Auditing Categories

Category | Effect
Account logon events | Audits logon attempts to a local account on a computer. If the user account is a domain account, this event also appears on the domain controller.
Account management | Audits the creation, modification, and deletion of user and group accounts, in conjunction with password changes and resets.
Directory service access | Audits access to objects in the Active Directory® directory service.
Logon events | Audits attempts to log on to workstations and member servers.
Object access | Audits attempts to access an object such as a file, folder, registry key, or printer that has defined audit settings within that object's system access control list (SACL).
Policy change | Audits any change to user rights assignment, audit, account, or trust policies.
Privilege use | Audits each instance that a user exercises a user right, such as changing the system time.
Process tracking | Audits application behavior such as program starts or terminations.
System events | Audits computer system events such as startup and shutdowns and events that affect system security or the security log.

The Audit Policy Group Policy setting controls which events create entries in the security logs. The path to these settings is Computer Configuration\Windows Settings\Security Settings\Local Policies. You can configure the Audit Policy settings through the Local Security Settings console, or at the site, domain, or organizational unit level through Group Policy in conjunction with Active Directory.

Security logs provide a good foundation for comprehensive security monitoring. Group Policy settings provide centralized configuration of security log audit levels, and the default security settings allow only administrators to access the security logs. However, monitoring distributed attacks and performing forensic analysis require a monitoring system that can correlate audit events centrally.

Correlate Security Audit Events

The correlation of security audit events involves the collection of security events from multiple computers and placement of this information into a central location. Security personnel can then analyze this central repository to identify policy violations or external attacks. The repository can also provide the foundation for forensic analysis. This section introduces the Microsoft products and utilities that can correlate multiple security event logs. Several third-party products can also perform these functions.

Event Comb MT

Event Comb MT (multi-threaded) is a component of the Windows Server 2003 Security Guide that enables you to parse and collect events from multiple event logs on different computers. Event Comb MT runs as a multi-threaded application that enables you to specify numerous parameters when scanning event logs, such as:

Event IDs (individual or multiple)

Event ID ranges

Event sources

Specific event text

Event age in minutes, hours, or days

Some specific search categories are built in to Event Comb, such as Account Lockouts, which searches for the following events:

529 — logon failure (bad user name or password)

644 — a user account was auto locked

675 — pre-authentication failed on a DC (incorrect password)

676 — authentication ticket request failed

681 — logon failure

If you want to search for attacks against the default Administrator account, you can add event 12294 (account lockout threshold exceeded) from the system log. This event is particularly important, because the account lockout threshold does not apply to the default Administrator account. Hence an attacker can make multiple attempts to compromise the default Administrator account without triggering the account lockout mechanism.

Note:  Event 12294 appears as a Security Accounts Manager (SAM) event in the system log, not in the security log.
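The Account Lockouts search described above, reproduced as an added Windows PowerShell example (this is not Event Comb MT's code or Microsoft's): it collects the listed security-log events plus the system-log event 12294 from one or more computers and tallies them per target account, flagging the default Administrator account. It assumes the legacy Get-EventLog cmdlet is available, that the caller is an administrator on each target, and that the account name is the first insertion string of each event.

```powershell
# Added example, not part of the guide or of Event Comb MT.
# Assumes Windows PowerShell (Get-EventLog) and administrative rights on every target.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # computers to scan
    [int]$Hours = 24                                   # event age window, as in Event Comb
)

# Security-log IDs from the guide's Account Lockouts category, plus the
# system-log SAM event 12294 that the guide recommends adding for the
# built-in Administrator account (lockout threshold does not apply to it).
$securityIds = 529, 644, 675, 676, 681
$systemIds   = @(12294)
$since = (Get-Date).AddHours(-$Hours)

$findings = foreach ($computer in $ComputerName) {
    foreach ($log in 'Security', 'System') {
        $wanted = if ($log -eq 'Security') { $securityIds } else { $systemIds }
        try {
            # Filter on EventID rather than -InstanceId: legacy events carry
            # qualifier bits in InstanceId, so the plain ID is the reliable match.
            Get-EventLog -LogName $log -ComputerName $computer -After $since -ErrorAction Stop |
                Where-Object { $wanted -contains $_.EventID } |
                ForEach-Object {
                    # Assumption: the target account is the first insertion string
                    # for each of these events; adjust if your event text differs.
                    New-Object PSObject -Property @{
                        Computer = $computer
                        Log      = $log
                        EventID  = $_.EventID
                        Time     = $_.TimeGenerated
                        Account  = $_.ReplacementStrings[0]
                    }
                }
        } catch {
            Write-Warning "Could not read the $log log on ${computer}: $($_.Exception.Message)"
        }
    }
}

# Summarize per account; the default Administrator is never locked out, so
# a high count there deserves attention even though no 644 event will appear.
$findings |
    Group-Object Account |
    Sort-Object Count -Descending |
    ForEach-Object {
        $flag = if ($_.Name -eq 'Administrator') { '  <-- lockout threshold does not apply' } else { '' }
        '{0,-20} {1,5} events{2}' -f $_.Name, $_.Count, $flag
    }
```

Run it on a schedule (for example with Task Scheduler) to approximate the periodic collection that Event Comb MT's command-line options provide; $findings can be written to a SQL Server table or CSV for retention.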

Event Comb MT can save events to a table in a Microsoft SQL Server™ database, which makes it useful for long-term storage and analysis. You can use a range of client programs to access the information in the SQL Server tables, such as SQL Query Analyzer, Microsoft Visual Studio® .NET, or numerous third-party utilities.

Event Comb MT v10.0 also includes command-line options that you can use to create scripts to automate the collection of events from security logs at regular intervals. Because Event Comb MT does not provide any form of client collection agent or automatically forward events to a central repository, it might not be suitable for all threat scenarios.

Event Comb MT is available as a free download from the Account Lockout and Management Tools Web site, at http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e.

The Windows Server 2003 Security Guide is available at http://www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB.

Microsoft Operations Manager 2005

Microsoft Operations Manager (MOM) monitors multiple servers in an enterprise environment. The MOM agent collects events from the event logs and forwards them to the MOM management server. The MOM management server then places those events into the MOM database. MOM 2005 and later can collect events from computers that do not run MOM agents.

MOM uses its management pack rules to identify issues that affect the operational effectiveness of servers. You can define additional rules to look for certain events and, when those events occur, send instant notifications by e-mail, pop-up messages, or to pager devices.

Although MOM provides many useful functions for security monitoring and attack detection, MOM was not designed for this purpose. Future releases of MOM are likely to provide greater facilities for collation of security logs.

Independent Software Vendor Solutions

Microsoft products do not provide an end-to-end solution for all aspects of security monitoring. The key gaps in current Microsoft product offerings include:

Real-time event log alarms.

Secure event log collection systems.

Microsoft partners provide the following products (listed in alphabetical order) that fill these gaps:

EventReporter from Adiscon. EventReporter enables administrators to combine UNIX and Windows event log report and alert functions into a single environment. It supports the standard UNIX syslog protocol for integration with UNIX-based systems, and Simple Mail Transfer Protocol (SMTP) to forward alerts. EventReporter includes an agent that you can configure to collect security events from multiple computers, filter them, and place them into a database. Depending on the security event, you can then forward these events through e-mail, start applications, create network messages, and so on. For more information about Adiscon EventReporter, see the EventReporter Web site at www.eventreporter.com.

GFI LANguard Security Event Log Monitor from GFI. LANguard Security Event Log Monitor performs event log-based intrusion detection and network-wide event log management. It archives and analyzes the event logs of all network computers and alerts you in real time to security issues, attacks, and other critical events. The Security Event Log Monitor can archive event logs to a central database, and provides custom rules and reports for forensic analysis. For more information, see the GFI LANguard Security Event Log Monitor Web site at www.gfi.com/lanselm.

As of October 2006, this product has been replaced by GFI EventsManager from GFI. See http://www.gfi.com/eventsmanager/ for more information.

Systrack 3 from Lakeside Software, Inc. Systrack 3 provides near real-time event log alarms through the Event Log Monitor. The Event Log Monitor periodically inspects all event logs on a computer to determine if anything new has happened since the last inspection. Systrack 3 filters any newly discovered event and takes appropriate action. These filters can use the default settings, user-defined settings, or a combination of default and user-defined settings. Specific character strings in any of the event properties, such as a user or workstation name can trigger event log alarms. An event can also run a script or restart the computer. The filters can also generate Simple Network Management Protocol (SNMP) traps, Windows pop-up messages, or e-mail alerts. For more information about Systrack 3, see the Lakeside Software Web site at www.lakesidesoftware.com.
