Contents
Overview
Introduction to Monitoring Event Logs
Monitoring System and Application Events
Review
This course is a prerelease course and is based on Microsoft Windows 2000 Beta 3 software. Content in the final release of the course may be different than the content included in this prerelease version. All labs in the course are to be completed using the Beta 3 version of Microsoft Windows 2000 Advanced Server.
Module 9: Monitoring Event Logs
Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 1999 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, MS, Windows, Active Directory, PowerPoint, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Project Lead/Senior Instructional Designer: Red Johnston
Instructional Designers: Tom de Rose (S&T OnSite), Meera Krishna (NIIT (USA) Inc.)
Program Manager: Jim Cochran (Volt Computer)
Lab Simulations Developers: David Carlile (ArtSource), Tammy Stockton (Write Stuff)
Technical Contributor: Kim Ralls
Graphic Artist: Julie Stone (Independent Contractor)
Editing Manager: Tina Tsiakalis
Editors: Wendy Cleary (S&T OnSite), Diana George (S&T OnSite)
Online Program Manager: Nikki McCormick
Online Support: Tammy Stockton (Write Stuff)
Compact Disc Testing: ST Labs
Production Support: Rob Heiret, Ismael Marrero, Mary Gutierrez (Wasser)
Manufacturing Manager: Bo Galford
Manufacturing Support: Mimi Dukes (S&T OnSite)
Lead Project Manager, Development Services: Elaine Nuerenberg
Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart
Introduction
This module provides students with information about monitoring event logs. The module discusses how to monitor user activities and system and application events. It emphasizes that students should monitor these activities and events for security reasons, to track resource use, and to discover system and application errors. The module also teaches that the security events that are recorded are based on an audit policy set up by a security administrator for the network that he or she administers. The module presents how to view and analyze event logs to discover activities and events that require administrative action, and how to review and analyze event logs. At the end of the module, students will be able to monitor event logs.
Materials and Preparation
This section provides you with the materials and preparation needed to teach this module
Materials
To teach this module, you need the following materials:
- Microsoft® PowerPoint® file 1556A_09.ppt
- Module 9, “Monitoring Event Logs”
Preparation
To prepare for this module, you should:
- Read all the materials for this module. Notice that some slides are animated and require that you click them several times as you step students through the illustrated processes. Animated slides are indicated with an icon in the lower left corner of the slide.
- Review the Delivery Tips and Key Points for each section and topic.
- Complete the lab.
- Study the review questions and prepare alternative answers for discussion.
- Anticipate questions that students may ask. Write out the questions and provide answers to them.
Presentation: 30 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
- Introduction to Monitoring Event Logs. Introduce monitoring events in Microsoft Windows® 2000. The topic on introducing event log monitoring has an animated slide; the icon on the bottom left corner of the slide identifies it. Use the slide to explain to students that system and application events are recorded automatically, and that security events are recorded according to the Audit Policy that has been set up for the network. Then explain that events are recorded in event logs, viewed in Event Viewer, and analyzed by the network administrator. Describe the different kinds of events: Windows 2000 creates system events, applications create application events, and security events are recorded when users perform an action. The user actions that are recorded are based on an Audit Policy for the network. Tell students that events are recorded in event logs.
- Monitoring Security Events. Provide an overview of monitoring security events. Explain that security events are recorded in the security log. Describe the categories of security events in the security log. The topic on categories of security events has an animated slide; the icon on the bottom left corner of the slide identifies it. Use the slide to describe the security event categories that are recorded in the security log. Tell students that they can look for specific categories when viewing the security log. Explain object access events, such as access to files and folders, which can be audited.
- Analyzing Security Events. Provide students with an overview of analyzing security logs. Explain how to analyze security logs, such as analyzing successful or failed events and detecting trends in recorded events. Point out that certain security events are most likely to signify a user action that requires your attention.
- Monitoring System and Application Events. Provide an overview of monitoring system and application events. Describe the system and application logs and the detailed information recorded in them. Present the types of system and application events, and point out that the type of event affects the administrative action that you need to take. The topic on types of system and application events has an animated slide; the icon on the bottom left corner of the slide identifies it. Use the slide to describe the types of system and application events that are recorded in the system and application logs. Tell students that they can look for specific types of events when viewing the system and application logs.
- Viewing Event Logs. Provide an overview of Event Viewer to view and locate system, application, and security events. Explain how Event Viewer is used to view event logs. Demonstrate the use of the Find feature to locate specific events and the Filter feature to limit the events that Event Viewer displays.
- Managing Event Logs. Provide an overview of managing event logs. Present the options to limit the size of an event log. Explain that the strategy used to limit the log size is based on security and the kinds of events that are being audited. Describe how to archive logs and review archived logs.
- Best Practices. Read the Best Practices section before you start the module, and then refer to the appropriate practice as you teach the corresponding module section. Then, at the end of the module, summarize all of the best practices for the module.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on the student computers during the labs. This information is provided to assist you in replicating and customizing this module with other Microsoft Official Curriculum (MOC) courseware.
The labs in this module are also dependent on the classroom configuration that is specified in the “Customization Information” section at the end of the Classroom Setup Guide for course 1556A, Administering
Overview
- Introduction to Monitoring Event Logs
- Monitoring Security Events
- Analyzing Security Events
- Monitoring System and Application Events
- Viewing Event Logs
- Managing Event Logs
- Best Practices
You can monitor most user activities, Microsoft® Windows® 2000 events, and application events. Events are user actions that are recorded based on an Audit policy, and any significant occurrence in Windows 2000 or in an application that requires users to be notified. You monitor these activities and events for security reasons, to track resource use, and to discover system and application errors. The security events that you monitor are based on an Audit policy that is set up by a security administrator for the network that you administer. The Windows 2000 and application events that you monitor are preset by the operating system and application developers, who decided which events will be recorded.
Events are recorded in event logs. You view and analyze event logs to discover activities and events that require administrative consideration. Based on your analysis of the event logs, you may need to take any of the following administrative actions:
- Resolve security violations
- Address system problems
- Reallocate resources
- Recommend changes in Audit policy or to audit settings
At the end of this module, you will be able to:
- Describe monitoring events in Windows 2000
- Monitor security events
- Analyze security events
- Monitor system and application events
- View events in event logs
- Manage event logs
- Apply best practices for monitoring events
In this module, you will learn how to monitor activities on a computer.
Introduction to Monitoring Event Logs
[Slide diagram: Audit Policy; User; Administrator; Failed Access; System or Application Event; Log; Administrative Action]
Windows 2000 records security, system, and application events in logs on the computer, usually a domain controller or member server, on which the event occurred. You view these logs to discover activities and events that require your attention.
Windows 2000 maintains other logs as well. Because of the network administrator’s scope of responsibility that this course addresses, this module discusses only security, system, and application event logs.
Events
Windows 2000 and applications record events automatically. Security events are not logged automatically; Windows 2000 logs security events according to the Audit policy that has been set up.
- An Audit policy defines the categories of user activities that Windows 2000 records in the security logs on each computer. Auditing policies are set up to track authorized and unauthorized access to resources. The Audit policy is designed to serve the needs of your organization.
By default, auditing is not enabled. A security administrator configures an Audit policy to enable auditing and determine what activities are audited. Extensive auditing slows down the computer on which auditing is enabled.
- System and application events are alerts and warnings produced by Windows 2000, its services, and installed applications. Some critical events, such as a full disk drive or low memory, are noted in an on-screen message. Those events not requiring immediate attention are noted in an event log.
Slide Objective: To introduce monitoring events in Windows 2000.
Lead-in: You monitor user activities, Windows 2000 events, and application events.
Delivery Tip: The slide for this topic is animated. Begin by explaining to students that system and application events are recorded automatically. Security events are recorded according to the Audit policy that has been set up for the network. Then explain that events are recorded in event logs, viewed in Event Viewer, and analyzed by the
Event Logs
When an event occurs, the event is recorded in the event logs. Event logs enable you to monitor information about hardware, software, system problems, and security. You can also archive logs in various file formats.
Event Viewer
You use Event Viewer to view events that Windows 2000 has recorded in the logs. Event Viewer is available on Windows 2000 Professional and Windows 2000 Server. Event logging starts automatically each time you start Windows 2000 Server. With Event Viewer, you can troubleshoot various hardware and software problems and monitor Windows 2000 Server security events.
Analysis and Administrative Action
You analyze event logs to determine actions, such as users gaining access to printers or files, and to verify attempts at unauthorized use of resources. You can also archive log files and compare current and archived logged events to discover trends. Your analyses may lead to administrative actions, changes in resource security, or changes to an Audit policy.
Monitoring Security Events
- The Security Log
- Categories of Security Events
- Auditing Object Access Events
Security events that Windows 2000 tracks are recorded in the security log. The log provides detailed information about each event. Security events are divided into categories such as account logon and object access. The object access category includes files and folders, printers, and other objects in the directory service of Active Directory™. You can audit to determine whether the access to an object was a success or a failure. The security needs of your organization determine the categories that you audit, and whether you audit for success or failure.
Slide Objective: To provide an overview of monitoring security events.
Lead-in: To monitor network security for your organization, you view the security log to locate security events.
Delivery Tip: This is an overview of monitoring security events. Prepare students for the topic by providing the following key points of information.
Key Points: Security events are recorded in the security log. Security events are divided into categories. The Audit policy set up for your organization determines the categories that are recorded. Auditing can be set up to record access to objects such as files, folders, and printers.
The Security Log
- Contains Information About:
Windows 2000 records audit events in the security log. The security log contains information about network security events that are monitored, such as logon attempts. A security administrator creates an Audit policy that specifies which events are recorded in the security log. For example, if logon auditing is enabled, Windows 2000 records attempts to log on to the system in the security log. Success events appear with a key icon; failure events appear with a lock icon. Other important information includes the date and time that an event occurred, the source of the event, the category of the event, and the user who generated the event.
Successful and Failed Attempts
The security administrator can specify whether to record success or failure events.
Success Audit: A successful, audited security access attempt. For example, Windows 2000 logs a user’s successful logon attempt as a Success Audit event.
Failure Audit: A failed, audited security access attempt. For example, if a user tries to access a network drive and fails, Windows 2000 logs the attempt as a Failure Audit event.
Note: For more information about creating and implementing auditing policies, see course 1558, Advanced Administration for Microsoft Windows 2000.
Slide Objective: To explain the security log.
Lead-in: Security events are recorded in the security log.
Delivery Tip: Open the saved security log, Security.evt, which is in the Labfiles folder. Show students the events that are recorded. Point out success and failure events and the other information provided in the log, especially the category.
Categories of Security Events
- Account Logon
- Object Access
- Privilege Use
- System Event
The security events that Windows 2000 tracks are divided into categories. The security administrator responsible for setting up auditing for your network enables auditing for the categories that are appropriate for your business situation. When you review events, you may look for specific categories of events. For each event category, you can audit both successful and failed access to objects.
The following table describes some of the event categories.
Category | Description
Account Logon | Logs an event each time that a user attempts to log on. Typically, you will audit only failures for this category in order to alert an administrator to unauthorized users who have gained access to the network.
Object Access | Logs an event each time that a user attempts to access an object such as a printer, folder, or file. For example, it may be important for you to balance the print jobs sent to the print devices in your company. You can set an Audit policy to log an event each time that a user accesses a printer. From this log, you can determine printer load, and you may decide to direct some printing to other print devices.
Privilege Use | Logs an event each time that a user attempts, successfully or unsuccessfully, to exercise privileges such as changing the system time.
System Event | Logs designated system events. Windows 2000 may log system events when a user restarts or shuts down a computer, or when an event has occurred that affects Windows 2000 security or the security log. An example of an event that affects the security log is when the event log is full and Windows 2000 has begun to discard entries.
Slide Objective: To explain the categories of security events in the security log.
Lead-in: Security events are divided into categories. When you review security events, you can look for specific categories.
Delivery Tip: The slide for this topic is animated. Use it to describe to students the four security event categories that are recorded in the security log.
Auditing Object Access Events
- Audit Access to Files and Folders
- Audit Access to Printers
- Audit Access to Other Objects in Active Directory
- Audit the Success or Failure of User Access Attempts
An Audit policy has been set up to monitor access to objects such as files and folders, printers, and other objects in Active Directory. The Audit policy determines whether to track successful or failed access attempts.
Auditing Access to Files and Folders
When auditing is set up on specific files and folders, you can view which users attempt to access the files or folders, and the type of access that the users attempt. Some of the user activities that you can audit are:
- Displaying the contents of a file or folder
- Changing the contents of a folder
- Adding data to a file
- Deleting a file or folder in a folder
- Changing permissions for a file or folder
Note: You can audit files and folders only when they are located on NTFS file system partitions.
Slide Objective: To explain the access events that can be audited.
Lead-in: You can audit access to files and folders, printers, and Active Directory objects.
Auditing Access to Printers
Auditing access to printers has been set up to determine the type or amount of use. You can audit printers to determine the specific users who accessed or attempted to access the printer, and the types of access that each user or group attempted.
Some of the printer access events that you can audit are:
- Changing printer settings, pausing a printer, sharing a printer, or removing a printer
- Changing job settings; pausing, restarting, moving, or deleting documents; sharing a printer; or changing printer properties
- Changing printer permissions
Auditing Access to Objects in Active Directory
Windows 2000 represents everything in Active Directory as an object. You can set up auditing to track access to specific objects such as users, computers, and groups. When you set up auditing on specific Active Directory objects, Windows 2000 logs the users who attempt to access the objects and the types of access that the users attempt.
Some of the types of access to Active Directory objects that you can audit are:
- Viewing the audited object
- Creating any object within the audited object
- Deleting any object within the audited object
- Changing the permissions for the audited object
Success or Failure of User Access Attempts
The Audit policy is configured to record the success, the failure, or both, of attempts to access resources. An Audit policy might log only failed logon attempts. Repeated failed logons may alert you to attempts at unauthorized access to the network. Alternately, an Audit policy might log only successful actions, such as successful attempts to access a shared folder on a server, and how many users are accessing it.
Analyzing Security Events
- Analyzing Security Logs
- Looking for Specific Security Events
Depending on the security categories that Windows 2000 audits for your computers, the number of events that are logged can be quite large. Analyzing all of the events that are logged may be time consuming. You should limit the categories that you view and analyze.
To limit the scope of your analysis, identify specific security events that require action. Take action and notify other administrators when appropriate.
Slide Objective: To introduce analyzing security logs.
Lead-in: You must determine the events that are important to your organization and limit your analysis to them.
Delivery Tip: This is an overview of analyzing security logs. Prepare students for the topic by providing the following key points of information.
Key Points: Analyze security logs to ensure that security events do not go undetected. There are specific security events that you should analyze.
Analyzing Security Logs
- Interpret Security Events to Determine Their Meanings
- Analyze Security Events to Identify Failed Attempts to Access Resources
- Analyze Security Events to Identify Successful Attempts to Access Resources
- Track Events Over Time to Detect Trends
- Take Action to Resolve Security Problems
Regular analysis of the security log enables an administrator to track events and ensure that security violations are corrected. You look for categories of events that are important to the security of your organization. You can focus your analysis on failure events or success events. You can look for trends over time. When you find events that violate security or policy, you can take appropriate action.
Interpreting Security Events
The analysis of resource access includes interpretation of whether system resources are being used correctly. Analyzing resource use consists of examining entries that Windows 2000 logs and understanding the possible actions that may have led to the entries. During this analysis process you should determine which entry or entries are affecting the integrity of system resources.
Analyzing Failed Security Events
In some situations, you should analyze failure events. For example, you will need to know if someone attempts to gain access to a file for which they have no permissions, or if someone attempts to gain access to another user’s account by guessing the password.
Analyzing Success Security Events
In some situations, you should analyze success events, such as successful access to resources. For example, in a law firm, you may want to bill a client for every time that one of your employees accesses a reference CD-ROM. You can log every successful attempt to access the CD-ROM and the user who accessed it.
Slide Objective: To explain how you analyze security logs.
Lead-in: You analyze security logs to ensure that security events
Auditing may have been set up to track user access to a printer so that users are charged for their print jobs, or to resolve bottlenecks by determining the number of users who are accessing a printer over a period of time. You may also want to audit successful access to a folder to determine whether someone has inappropriately accessed information.
Detecting Trends
The log data that you accumulate through periodic monitoring provides the information that you need for trend analysis and provides a basis for security policy changes. To track events over time, you must establish a baseline during the time when your system is processing typical operations. This baseline will be your measure for setting log expectations. You archive logs during this typical period of operations and compare future logs to it.
In addition to tracking events to detect trends, you can use archived log data to provide a database of activity for systems engineers who troubleshoot servers and computers.
- Recommend changes to the network resources or account properties. For example, you may change permissions on resources to accommodate administrative requirements.
Looking for Specific Security Events
- Logon Failure
- Failure When Attempting to Read a File
- Deletes or Attempts to Delete a Data File
- Assigns or Attempts to Assign
- Restart, Shutdown, and System Audit on Network Servers
When analyzing a security log, you should look for specific events that may signify an action that requires your attention. These are events that most likely indicate breaches in security. The following table describes events that often indicate security issues that require investigation. Event Viewer indicates each failure event by a lock icon and each success event by a key icon.
Logged event | Significance of event and actions to take
Logon Failure | A user may be attempting to log on as another user in order to gain access to files for which that user has permissions. Look for repeatedly failed logon attempts within a short period of time. Notify the network security administrator of this event. Talk to the group policy administrator, who may decide to implement a policy to lock out users from the system after a specified number of failed logon attempts.
Failure when attempting to read a file | A user has attempted to read a file for which he or she does not have permissions. Determine whether the user actually needs access to the file. If so, you can change the user’s permissions to the file. If the user does not require access, remove access to the folder in which the file is contained and notify the security administrator.
Deletes or attempts to delete a data file | A user may attempt to delete a file for which he or she does not have permissions. Look for any attempt or repeated attempts to delete a file. Deny permissions to the user for the entire folder in which the file is contained.
Slide Objective: To look for specific security events that administrators should analyze.
Lead-in: Specific security events are significant and should be analyzed.
Key Point: When analyzing security events, look for specific significant events.
(continued)
Logged event | Significance of event and actions to take
Assigns or attempts to assign Change Permissions or Take Ownership permission | With the Change Permissions permission, a user can change permissions to an object such as a file and change the permissions that have been assigned for it. With the Take Ownership permission, a user can take ownership of an object and either delete the object or change permissions to the object. Deny user access to the folder containing the files. You may want to disable the user’s account and notify the security administrator.
Restart and shut down on all servers and domain controllers | Only administrators and server operators should shut down servers and domain controllers, and only at specified times. Look at the time at which the shutdown occurred and the number of times shutdown has occurred. The user may have more rights than he or she should have, and you may have to remove these rights from the user.
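As an added example that is not part of the course materials, the following Python script applies the events in this table to constructed security-log records and, as Detecting Trends describes, compares their counts against an archived baseline. The export layout, user names, authorized-shutdown group, shutdown hours, logon-failure threshold and trend factor are all assumptions standing in for an organization's own rules.

```python
"""Added example (not from the 1556A course): apply the module's table of
specific security events to constructed security-log records, then compare
current event counts with an archived baseline as "Detecting Trends" suggests.
Every record, user name and threshold here is a constructed assumption."""
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed exports in Event Viewer's security-log column order:
# Date,Time,Type,Category,User,Computer,Description
BASELINE_EXPORT = """\
11/01/1999,09:00:02,Success Audit,Account Logon,JSMITH,SERVER1,Logon succeeded
11/01/1999,09:05:41,Success Audit,Object Access,JSMITH,SERVER1,Read \\Data\\Report.doc
11/01/1999,10:12:09,Failure Audit,Account Logon,MLEE,SERVER1,Bad password
11/01/1999,17:30:00,Success Audit,System Event,ADMIN,SERVER1,Shutdown requested
"""
CURRENT_EXPORT = """\
11/08/1999,02:10:11,Failure Audit,Account Logon,JSMITH,SERVER1,Bad password
11/08/1999,02:10:30,Failure Audit,Account Logon,JSMITH,SERVER1,Bad password
11/08/1999,02:11:02,Failure Audit,Account Logon,JSMITH,SERVER1,Bad password
11/08/1999,02:12:45,Failure Audit,Object Access,JSMITH,SERVER1,Read \\Payroll\\Salaries.xls
11/08/1999,02:13:10,Failure Audit,Object Access,JSMITH,SERVER1,Delete \\Payroll\\Salaries.xls
11/08/1999,02:14:55,Success Audit,Object Access,JSMITH,SERVER1,Take Ownership \\Payroll
11/08/1999,02:20:00,Success Audit,System Event,JSMITH,SERVER1,Shutdown requested
11/08/1999,09:00:03,Success Audit,Account Logon,MLEE,SERVER1,Logon succeeded
"""

# Assumed site rules: who may shut servers down, when, and what counts as a burst.
AUTHORIZED_TO_SHUT_DOWN = {"ADMIN", "SRVOPS"}   # Administrators, Server Operators
SHUTDOWN_HOURS = (17, 19)                       # shutdowns expected 17:00 to 18:59
LOGON_FAILURES, LOGON_WINDOW = 3, timedelta(minutes=5)
TREND_FACTOR = 2                                # flag a count >= 2x its baseline


def parse_export(text):
    """Turn an exported log into dicts, adding a datetime per record."""
    fields = ["date", "time", "type", "category", "user", "computer", "desc"]
    records = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        rec = dict(zip(fields, row))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%m/%d/%Y %H:%M:%S")
        records.append(rec)
    return records


def find_significant_events(records):
    """Return (rule, user, description) for each event the module's table flags."""
    findings = []
    failed_logons = defaultdict(list)           # user -> recent failure times
    for r in sorted(records, key=lambda rec: rec["when"]):
        desc, user = r["desc"], r["user"]
        if r["category"] == "Account Logon" and r["type"] == "Failure Audit":
            recent = [t for t in failed_logons[user] if r["when"] - t <= LOGON_WINDOW]
            recent.append(r["when"])
            failed_logons[user] = recent
            if len(recent) == LOGON_FAILURES:   # report each burst once
                findings.append(("Repeated logon failure", user, desc))
        elif r["category"] == "Object Access":
            if r["type"] == "Failure Audit" and desc.startswith("Read "):
                findings.append(("Failed file read", user, desc))
            elif desc.startswith("Delete "):    # any attempt, success or failure
                findings.append(("Delete attempt", user, desc))
            elif desc.startswith(("Change Permissions ", "Take Ownership ")):
                findings.append(("Permission/ownership change", user, desc))
        elif r["category"] == "System Event" and "Shutdown" in desc:
            in_hours = SHUTDOWN_HOURS[0] <= r["when"].hour < SHUTDOWN_HOURS[1]
            if user not in AUTHORIZED_TO_SHUT_DOWN or not in_hours:
                findings.append(("Unexpected shutdown", user, desc))
    return findings


def compare_to_baseline(baseline, current):
    """Map (category, type) -> (baseline count, current count) for every pair
    whose current count is TREND_FACTOR times its archived baseline or more."""
    base = Counter((r["category"], r["type"]) for r in baseline)
    now = Counter((r["category"], r["type"]) for r in current)
    return {key: (base[key], n) for key, n in now.items()
            if n >= TREND_FACTOR * max(base[key], 1)}


if __name__ == "__main__":
    current = parse_export(CURRENT_EXPORT)
    for rule, user, desc in find_significant_events(current):
        print("%-28s %-7s %s" % (rule, user, desc))
    trends = compare_to_baseline(parse_export(BASELINE_EXPORT), current)
    for (category, kind), (before, after) in trends.items():
        print("trend: %s / %s  %d -> %d" % (category, kind, before, after))
```

The baseline export produces no findings, while the current export flags all five rows of the table for JSMITH and shows Account Logon and Object Access failures growing against the baseline.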
Monitoring System and Application Events
- System and Application Logs
- Types of System and Application Events
System events are generated by Windows 2000 and recorded in system logs. Application events are generated by applications and recorded in application logs. System and application developers determine the system and application events that are recorded. Types of system and application events are information, warnings, and errors. Each event contains detailed information such as the type of event. You use event information to accurately identify the event and take appropriate action.
events, you monitor system and application logs.
Delivery Tip: This is an overview of monitoring system and application events. Prepare students for the topic by providing the following key points of information.
Key Points: System and application events are recorded in system and application logs. When a system or application event is recorded, the type of event is indicated in the log.