Setup Auditing on Windows Servers

Hello Experts,

I am new to the usage of Auditing and I hoped you could help me set up a proper Auditing System. Auditing is enabled on my domain, however I believe I have to overwrite my local policy first of all - (GPO?)

Then I have 1 domain user I want to monitor:
- Logon / Logoff;
- File access (which files);
- File changes (which files);
- When possible I would like to monitor SQL actions also, however this is not possible the normal way, is there an alternative way to do so?

I did try some stuff but ended up with lots of data in my auditing event log. How can I do the above without all unwanted info?

When possible (e.g. using third party tool) I would like to know what the changes were.  I do not want to use any spyware or keyloggers but proper software for the Enterprise, however if costs are associated, at an acceptable level.

If it's relevant: the user accesses the servers via a Citrix Metaframe XP Console (using a published RDP session).

Help is highly appreciated.
2 Solutions
"however I believe I have to overwrite my local policy first of all - (GPO?)"

BIG rule for group policy...domain policy overrides local policy. So if you have the same policy set on the domain and then set locally on a computer...the domain policy will be the one that is applied.

You use policy to turn auditing on or off and decide what type of "events" to monitor....so for example, you set how you want to audit logons/logoffs by the following policy:

Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy

But if you want to set up auditing to see when a user accesses or changes a file...the built-in way in Windows is to set the policy and then you have to actually go to the specific folder that you want to audit and turn on auditing.

Bit of a warning though.....auditing every time a file is accessed will VERY QUICKLY fill up your event logs and make it very hard if not impossible to sort through all the events and make any kind of sense out of them. So you may want to think about what you need to audit or if you need a different option such as a 3rd party tool to handle auditing. Like for instance, I don't care when users access files....I have security set up so I know they can only access what they are supposed to....I do like to have a log of when changes are made....so I log those, but not read access to the file.

To be able to see exactly what the changes are to a file....my guess is this is highly dependent on what kind of file it is. This would definitely require a 3rd party tool (or multiple tools) if you wanted to do this for various file types.

Of course if it is a word document or access database, you can use tracking features in the program to track all the changes that have been made. Just a thought....
"How can I do the above without all unwanted info?"

You either have to not audit each time a file is accessed (this in itself will create like 5 entries in the event log) or use a 3rd party tool that can either parse the event log for you or keep its own type of event log.
I've used several packages for exactly what you are asking, but the software that took the least overhead, logged, alerted, and just worked based on your needs is GFI SELM:

Unless you're big, MS MOM may also be a better choice for a large-scale security monitoring package.

We have honeypots set up on certain "sweet" files that NO ONE should access. In this way, an alarm triggered indicates someone that is snooping the file system for valuable info. We've fired an admin based on the event alert and subsequent monitoring of activities. The honeypot tipped us off that they were wandering the secured areas without permission and with Domain Admin access.
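The two answers above boil down to: turn the audit policy on, put a SACL on the folders you care about (changes only, not reads, for the watched user; any read for a honeypot), and then pull just the matching events out of the Security log. The script below is an added example, not code from this thread or from any vendor product; it assumes a modern Windows Server (2008 R2 or later, where auditpol subcategories exist, unlike the 2003-era hosts discussed here), an elevated PowerShell session, and placeholder account names and paths.

```powershell
# Added example, not from the thread. Assumes Windows Server 2008 R2+, run elevated.
# Step 1: audit changes (not reads) by one user on a monitored folder and any read
# on a honeypot folder. Step 2: read back only the logon/logoff and object-access
# events that matter. Names and paths below are placeholders.

$MonitoredUser = 'CONTOSO\jdoe'               # placeholder: the one domain user to watch
$MonitoredPath = 'D:\Shares\Finance'          # placeholder: folder where changes matter
$HoneypotPath  = 'D:\Shares\Payroll_Archive'  # placeholder: decoy that no one should open

# Enable the Object Access -> File System subcategory on this host.
# A domain GPO that sets the same policy overrides this value at the next refresh.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Add a SACL entry (audit rule) to a folder tree. Get-Acl -Audit needs SeSecurityPrivilege.
function Add-FolderAudit {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity, $Rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success,Failure')
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Change-only rule for one user: ReadData is deliberately absent, so plain reads stay out of the log.
Add-FolderAudit -Path $MonitoredPath -Identity $MonitoredUser `
    -Rights 'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership'

# Honeypot rule: a successful read by anyone is the signal, so audit ReadData for Everyone.
Add-FolderAudit -Path $HoneypotPath -Identity 'Everyone' -Rights 'ReadData'

# Read back: 4624 logon, 4634 logoff, 4663 "an attempt was made to access an object".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4634, 4663 } -MaxEvents 5000
foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $subject = "$($d.SubjectDomainName)\$($d.SubjectUserName)"   # who did it (4663)
    $target  = "$($d.TargetDomainName)\$($d.TargetUserName)"     # who logged on/off (4624/4634)
    $kind    = if ($e.Id -eq 4624) { 'LOGON' } else { 'LOGOFF' }
    if ($e.Id -eq 4663 -and $d.ObjectName -like "$HoneypotPath*") {
        Write-Warning "HONEYPOT: $subject opened $($d.ObjectName) at $($e.TimeCreated)"
    } elseif ($e.Id -eq 4663 -and $subject -eq $MonitoredUser) {
        '{0} CHANGE {1} mask {2} via {3}' -f $e.TimeCreated, $d.ObjectName, $d.AccessMask, $d.ProcessName
    } elseif ($e.Id -ne 4663 -and $target -eq $MonitoredUser) {
        # LogonType 10 (RemoteInteractive) is what a published RDP/Citrix session shows up as.
        '{0} {1} type {2} from {3}' -f $e.TimeCreated, $kind, $d.LogonType, $d.IpAddress
    }
}
```

Each 4663 entry still represents one handle open, so a single save in an editor can produce several lines; the SACL keeps reads out entirely, which is where most of the noise the question describes comes from.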


DaGo21 (Author) commented:
Hello Phil, Luv2smile,

Thanks for your feedback. I will look into the GFI package later today or next week as I am currently very limited in time today. We do have Microsoft MOM running on a few servers already and are thinking about deploying it globally. I certainly will check with the project leads on this.

Luv2smile, what kind of 3rd party tools do you mean?
If your team is ready, here are the Microsoft MOM security guides:

Guidance on managing security in MOM - http://www.microsoft.com/technet/prodtechnol/mom/mom2000/maintain/operate/opsguide/momops5.mspx

MOM 2005 Security Best Practices Guide-
DaGo21 (Author) commented:
Hi Phil,

Thanks for your answer, however Chapter 5 talks about security of the MOM application (database, servers, reports, users, etc), not about the servers to monitor. My understanding of MOM is that it is a great extended Event Viewer.

Could you extend on your answer how I could set up monitoring (see initial question) using MOM 2000? I spoke internally and so far I was not able to find out the details about this, however people seem to say the same as you.

Please let me know

No problem.

You are right about MOM being a management umbrella, an extension of Event Viewer.  MOM has various management packs and Monitoring snap-ins that provide additional capabilities beyond standalone server hardening configurations.

This is the link to the MOM 2005 Management Pack, if you review the security section, these are the Event Viewer management add-ons:
• Legacy Client connections refused
• Large number of legacy connections refused
• Inability to bind to TCP or UDP ports
• Agents failing authentication
• Port floods and unauthorized access attempts
• Connection negotiations failing
• Manual agent connections refused
Also, there are Management Packs for other MS technologies:
• MBSA Management Pack
• DNS Server Management Pack
• IIS Management Pack

All of which include monitoring scenarios for security and performance management's sake.

If your team enables fundamental server security practices and monitoring, MOM will be the top-level management platform to monitor all of these server security settings. The Server Security guides below outline fundamental server security practices that can be monitored through MOM:

Does this all make sense?

Bottom line, there's a lot to learn and do before taking MOM 2005's discs out of shrink wrap. This is part of the reason that I also pointed at GFI Languard because this software has more canned/templated security functions to make it easier for your team to configure, detect, log, and perform specific tasks focused on forensics, monitoring, and intruder detection using the various Event logs from different Windows servers. It's meant specifically for security, while MOM is a jack-of-all-trades tool.

Let me know if you have more questions.
DaGo21 (Author) commented:
Hi Phil,

I've studied both products, however is there no monitoring tool, rather than an event log parser? Something like you install a client on the server and configure what you want to monitor and its actions?

SELM and MOM can use a service account to poll the end system for central collection.
