Monitoring Goals:
- Detect suspicious behavior by external users or employees, as well as malfunctions.
- Do this directly, such as by monitoring for specific events, or indirectly, such as by watching the state of a server over time and investigating anomalous behavior.
Built-in Mechanisms for Monitoring Architecture:
The following built-in mechanisms can be used to monitor different aspects of your servers.
- Event Logging
- Performance Monitoring
- Simple Network Management Protocol
- Windows Management Instrumentation
Event Logging:
Event log data is reported to the Event Log service by other parts of the system or by applications running on the system. The Event Log service stores this data in .evt files in the %systemroot%\system32\config directory. The built-in logs in Windows NT 4.0 and Windows 2000 Professional are the system log, the security log, and the application log. Windows 2000 Server installations may add logs for Domain Name System (DNS) and directory services. Any application that needs to log events should register itself with the Event Log service.
Event Analysis
Events in the event log contain the following fields:
- Date and time
- Type: the severity of the event
- Source: the component that logged the event
- Category: a further sub-grouping of security events
- Event ID: a unique number identifying the event that occurred
- User: the name of the user to which the event relates, if any
- Computer: the machine on which the event was logged
- Description: textual data such as error messages associated with the event
- Data: binary data associated with the event
Of these fields, it is very important to note the event ID and the description text. The event ID is the easiest way to research the event in the Microsoft Knowledge Base, and the description text usually describes what happened in simple language. Also, the description field often contains unique information about a specific event, especially security events. If you collect events to a central database using a non-Microsoft event-collection tool, like Altiris Monitor Solution, be sure to collect the description field for all security events.
General System monitoring
Windows uses this category to log events that affect the security of the entire system. It is a good idea to log both success and failure events.
Event ID | Description
512 | Windows NT is starting up.
513 | Windows NT is shutting down.
514 | An authentication package has been loaded by the Local Security Authority.
515 | A trusted logon process has registered with the Local Security Authority.
516 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
517 | The audit log was cleared.
518 | A notification package has been loaded by the Security Account Manager.
If any abnormalities are detected among these events, there is a good chance that someone is loading password-logging utilities or unauthorized authentication packages, which may not be secure.
How you would perform General System Monitoring with Altiris Monitor Solution
- You can either use one of the predefined monitor pack rules or create your own if no predefined rule fits
- Select the plus sign to create a new rule
- Give the rule a name "General System Monitoring"
- Type: "Based on NT Event" from the drop-down.
- Select "New" to create the conditions of the rule.
- Property: "Log File"
- Condition: "Is"
- Value: "System"
- The value is "System" because we are reading the information from the System log file.
- Select "New" again to add another condition to the rule.
- Operator: "And" combines this condition with the previous one.
- Property: "Event ID"
- Condition: "Matches Regular Expression"
- Value: the Event IDs as a regular expression, in the form (512|513) and so on.
- Select "OK" to apply changes.
- The rule is now configured and will monitor System events with the Event IDs specified.
- You can also specify "Rule Repetition", where you specify how many times the rule has to match within a specified time frame before an event is logged and a notification is sent.
- Select "Action" to specify what should happen once the event has been detected.
- There are various action options to select from:
- Create incident
- Create an NT Event
- Send E-Mail
- Many more
- In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, as it poses a potential risk to the business.
- Select "OK" to confirm settings and then select "OK" again to save all changes to the rule
Monitoring Audit Policy
The Local Security Authority (LSA) of a Windows NT or Windows 2000 system performs many security-related tasks for the system and is responsible for enforcement of the system's security policies (including site, domain, and organizational unit policies in Microsoft Active Directory that apply to the local machine). One of the main policies of interest when monitoring the system is the Audit policy.
It is very important to monitor the Audit policy in order to prevent a rogue administrator from turning auditing off, performing a forbidden action, and turning auditing back on.
You would be monitoring the following events for changes to your Audit Policy:
Event ID | Description
608 | User Right Assigned
609 | User Right Removed
610 | New Trusted Domain
611 | Removing Trusted Domain
612 | Audit Policy Change
Windows 2000 only:
613 | IPSec policy agent started
614 | IPSec policy agent disabled
615 | IPSEC Policy Changed
616 | IPSec policy agent encountered a potentially serious failure.
617 | Kerberos Policy Changed
618 | Encrypted Data Recovery Policy Changed
619 | Quality of Service Policy Changed
620 | Trusted Domain Information Modified
As administrators have full access to all resources on a system and, 99.99% of the time, know how to disable monitoring of these events or even clear the logs so that suspicious activity goes undetected, you can use Altiris Monitor Solution to monitor all of these event IDs. Even if the logs are cleared, Altiris Monitor Solution will already have recorded the events in a separate database, and it can also flag the event by sending a notification to the security administrator as it happens.
How you would perform Audit Policy Monitoring with Altiris Monitor Solution
- You can either use one of the predefined monitor pack rules or create your own if no predefined rule fits
- Select the plus sign to create a new rule
- Give the rule a name "Audit Policy Monitoring"
- Type: "Based on NT Event" from the drop-down.
- Select "New" to create the conditions of the rule.
- Property: "Log File"
- Condition: "Is"
- Value: "Security"
- The value is "Security" because we are reading the information from the Security log file.
- Select "New" again to add another condition to the rule.
- Operator: "And" combines this condition with the previous one.
- Property: "Event ID"
- Condition: "Matches Regular Expression"
- Value: the Event IDs as a regular expression, in the form (608|609|610|611|612) and so on.
- Select "OK" to apply changes.
- The rule is now configured and will monitor for the Event IDs specified.
- You can also specify "Rule Repetition", where you specify how many times the rule has to match within a specified time frame before an event is logged and a notification is sent.
- Select "Action" to specify what should happen once the event has been detected.
- There are various action options to select from:
- Create incident
- Create an NT Event
- Send E-Mail
- Many more
- In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, as it poses a potential risk to the business.
- Select "OK" to confirm settings and then select "OK" again to save all changes to the rule
Monitoring Uptime and Reboots
Event ID | Description
6005 | Start-up of services
6006 | Graceful shutdown of services was detected
6008 | System restarted unexpectedly
How you would perform Uptime and Reboots Monitoring with Altiris Monitor Solution
- You can either use one of the predefined monitor pack rules or create your own if no predefined rule fits
- Select the plus sign to create a new rule
- Give the rule a name "Audit Policy Monitoring"
- Type: "Based on NT Event" from the drop-down.
- Select "New" to create the conditions of the rule.
- Property: "Log File"
- Condition: "Is"
- Value: "System"
- The value is "System" because we are reading the information from the System log file.
- Select "New" again to add another condition to the rule.
- Operator: "And" combines this condition with the previous one.
- Property: "Event ID"
- Condition: "Matches Regular Expression"
- Value: the Event IDs as a regular expression, in the form (6005|6006|6008) and so on.
- Select "OK" to apply changes.
- The rule is now configured and will monitor System events with the Event IDs specified.
- You can also specify "Rule Repetition", where you specify how many times the rule has to match within a specified time frame before an event is logged and a notification is sent.
- Select "Action" to specify what should happen once the event has been detected.
- There are various action options to select from:
- Create incident
- Create an NT Event
- Send E-Mail
- Many more
- In this case we chose to send an e-mail notification to the administrator of the Altiris system every time this event is detected, as it poses a potential risk to the business.
- Select "OK" to confirm settings and then select "OK" again to save all changes to the rule
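The three rule walkthroughs above (General System, Audit Policy, Uptime and Reboots) all have the same shape: Log File Is <log> AND Event ID Matches Regular Expression <ids>, optionally gated by a Rule Repetition threshold. The following is an added example, not Altiris code, that implements that rule logic in Python over constructed sample records carrying the fields from the Event Analysis section; it assumes the regular expression must match the whole Event ID (so "(608|609)" does not also hit 6085) and that the repetition counter resets once a notification is sent.

```python
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Event:  # one event-log record, using the fields listed under Event Analysis
    when: datetime
    log: str          # log file the record came from: "System" or "Security"
    event_id: int
    user: str
    description: str

@dataclass
class Rule:  # Log File Is <log> AND Event ID Matches Regular Expression <id_pattern>
    name: str
    log: str
    id_pattern: str
    repeat_count: int = 1                    # Rule Repetition: matches needed before notifying
    repeat_window: timedelta = timedelta(0)  # ...counted within this window (0 = every match)
    def matches(self, ev: Event) -> bool:
        # fullmatch is an assumption about Altiris; it keeps "(608|609)" from also hitting 6085
        return ev.log == self.log and re.fullmatch(self.id_pattern, str(ev.event_id)) is not None

def evaluate(rules, events):
    """Return (rule name, event) pairs for which a notification would be sent."""
    alerts, hits = [], {r.name: deque() for r in rules}
    for ev in sorted(events, key=lambda e: e.when):
        for rule in (r for r in rules if r.matches(ev)):
            window = hits[rule.name]
            window.append(ev.when)
            while ev.when - window[0] > rule.repeat_window:  # forget matches older than the window
                window.popleft()
            if len(window) >= rule.repeat_count:
                alerts.append((rule.name, ev))
                window.clear()                               # start counting afresh once notified
    return alerts

RULES = [
    Rule("Audit Policy Monitoring", "Security", r"(608|609|610|611|612)"),
    Rule("Uptime and Reboots", "System", r"(6005|6006|6008)", repeat_count=3, repeat_window=timedelta(hours=1)),
]

# Constructed sample records (not real log data): one graceful reboot (6006, 6005) is only two matches; the unexpected restart 40 minutes later makes three within the hour.
SAMPLE_EVENTS = [
    Event(datetime(2001, 3, 5, 8, 30), "Security", 612, "Administrator", "Audit Policy Change"),
    Event(datetime(2001, 3, 5, 8, 45), "Security", 529, "jsmith", "Logon Failure: bad password"),
    Event(datetime(2001, 3, 5, 9, 0), "System", 6006, "", "The Event log service was stopped."),
    Event(datetime(2001, 3, 5, 9, 2), "System", 6005, "", "The Event log service was started."),
    Event(datetime(2001, 3, 5, 9, 40), "System", 6008, "", "The previous system shutdown was unexpected."),
]
```

Running `evaluate(RULES, SAMPLE_EVENTS)` notifies once for the 612 Audit Policy Change and once when the 6008 unexpected restart brings the reboot count to three within the hour; the 529 logon failure matches no rule.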