#windows #event #log #monitoring
Monitoring Windows Event Logs for Security Breaches
The Windows event logs hold a wealth of information, and in the last couple of Ask the Admin articles on the Petri IT Knowledgebase, How to Create Custom Views in Windows Server 2012 R2 Event Viewer and Query XML Event Log Data Using XPath in Windows Server 2012 R2, I demonstrated how to create custom views in Event Viewer to filter out unwanted noise.
Why You Should Monitor Windows Event Logs for Security Breaches
The ability to create custom views is only useful if you know which events might indicate an attempt to compromise your systems or an unsanctioned configuration change. In this Ask the Admin, I'll outline some of the most important events that might indicate a security breach.
Change Control and Privilege Management
Before data in the event logs can become truly useful, it's essential to exercise some governance over your server estate and establish who is allowed to change what, where, and when, through tested business processes. When change control is implemented alongside privilege management, not only can you be more confident of maintaining stable and reliable systems, but it also becomes easier to identify malicious activity in the event logs, because any change that has no matching approved request stands out.
The information in this article assumes that auditing has been configured according to Microsoft's recommended settings in the Windows Server 2012 R2 baseline security templates that are part of Security Compliance Manager (SCM). For more information on SCM, see Using the Microsoft Security Compliance Manager Tool on the Petri IT Knowledgebase.
Account Use and Management
Under normal operating circumstances, critical system settings can't be modified unless users hold certain privileges, so monitoring for privilege use and for changes to user accounts and groups can give an early indication that an attack is underway. For example, the addition of users to privileged groups, such as Domain Admins, should correspond to a request for change (RFC). If you notice that a user has been added to a privileged group, you can check this against the approved RFCs; an addition with no matching RFC is either an undocumented change or an attacker establishing persistence, and both need investigating.
These events appear in the Security log under the User Account Management and Security Group Management task categories in Event Viewer. When auditing is enabled on a member server, changes to local users and groups are logged; on a domain controller, changes to Active Directory users and groups are logged. To enable auditing for user and group management, enable the Audit Security Group Management and Audit User Account Management settings under Advanced Audit Policy Configuration. For more information on configuring audit policy, see Enable Advanced Auditing in Windows Server on Petri.
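The following PowerShell script is an added example, not code from the original article, showing the check described above end to end: it enables the two audit subcategories with auditpol, pulls the "member added to a security-enabled group" events (the standard Security log IDs 4728, 4732 and 4756 for global, local and universal groups) from the last seven days, and flags any addition to a privileged group that has no matching entry in an approved-change list. The privileged group list and the approved-change table are constructed sample data for the example; in practice you would populate the latter from your change-management system.

```powershell
# Added example: reconcile privileged-group additions in the Security log against approved RFCs.
# Run in an elevated PowerShell session on the DC (domain groups) or member server (local groups).

# 1. Make sure the two Advanced Audit Policy subcategories from the article are on.
#    (If these are set by Group Policy, the GPO setting wins over this local change.)
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"User Account Management"   /success:enable /failure:enable | Out-Null

# 2. Event IDs for "A member was added to a security-enabled ... group".
$memberAddedIds = 4728, 4732, 4756      # global, local, universal

# 3. Groups whose membership changes must always map to an RFC (assumption: adjust to your estate).
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# 4. Constructed sample of approved changes, keyed "group|member". Real data would come from
#    your change-control system; the RFC numbers here are placeholders, not real tickets.
$approvedChanges = @{
    'Domain Admins|CN=Jane Doe,OU=IT,DC=corp,DC=example' = 'RFC-0001'
}

$filter = @{
    LogName   = 'Security'
    Id        = $memberAddedIds
    StartTime = (Get-Date).AddDays(-7)
}

$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event XML rather than parsing the message text.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # On member servers MemberName is often "-" and only MemberSid is populated; keep both.
    $member = if ($data['MemberName'] -and $data['MemberName'] -ne '-') { $data['MemberName'] } else { $data['MemberSid'] }
    $group  = $data['TargetUserName']
    $key    = "$group|$member"

    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Group     = $group
        Member    = $member
        ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Computer  = $_.MachineName
        RFC       = if ($approvedChanges.ContainsKey($key)) { $approvedChanges[$key] } else { 'NONE' }
    }
} | Where-Object { $privilegedGroups -contains $_.Group }

# 5. Anything with no RFC is either an undocumented change or an attacker adding persistence.
$changes | Sort-Object Time -Descending | Format-Table -AutoSize
$unapproved = @($changes | Where-Object { $_.RFC -eq 'NONE' })
if ($unapproved.Count -gt 0) {
    Write-Warning "$($unapproved.Count) privileged-group addition(s) with no approved RFC - investigate."
}
```

The same pattern extends to the other account-management events (account creation, enabling, password resets) by changing the ID list and the EventData fields you extract; the XML route is preferable to matching on the rendered message because field names are stable across language packs.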
Additionally, you should check for the events listed in the table below: