While Windows 2000 Security logs provide reams of valuable information, it's up to you as the administrator to collect, analyze and assess the information they provide. LANguard S.E.L.M. provides the security monitoring functionality that should have been originally included with Windows 2000.
by Dan DiNicolo
A trial version of LANguard S.E.L.M. is available for download here.
As a network administrator, I'm sure you
understand the critical nature of security event ID 529. Well, possibly
not. If you have Windows 2000 auditing enabled, you're probably very
familiar with the incredible number of event types that you come across
when viewing your Security logs. The problem is that, from the raw log,
it's difficult to tell which events are absolutely critical and which
simply represent a user forgetting their password.
To get a perspective on how difficult security log management can be,
multiply the events that you find on one system by the number of systems
on your network. As you can see, the mountain of data quickly becomes
unmanageable, and certainly makes responding to critical incidents
difficult. This is a large part of the reason why some companies disable
the auditing feature of Windows 2000 almost as quickly as they turn it on.
While Windows 2000 Security logs provide reams of valuable information,
it's up to you as the administrator to collect, analyze and assess the
information they provide. Not only is this next to impossible in a large
environment, it could easily be a full-time job all by itself.
Furthermore, manually parsing log files looking for events is not a timely
or practical solution. When the security of your network is at risk, you
require access to critical information immediately - not whenever you
finally find the time to view your logs. That's where GFI Software's
LANguard Security Event Log Monitor (S.E.L.M.) comes in.
LANguard S.E.L.M. provides the security monitoring functionality that
should have been originally included with Windows 2000. As a trainer, my
new students constantly ask how they can be alerted when a critical event
occurs. My answer is always the same - without additional software, you
can't. By examining and collecting security logs on network systems,
LANguard S.E.L.M. is not only capable of alerting an administrator by
e-mail, but also of classifying events into security categories ranging from
low to critical. LANguard S.E.L.M. consolidates the log files from
different systems into a single SQL or Access database, providing
simplified event monitoring, log management, and reporting. It's not only
limited to Windows 2000 either - LANguard S.E.L.M. also works with Windows
NT to ensure that your system needs are covered.
Think of the tools that can be used to protect a network. For the most
part, companies rely almost exclusively on a firewall solution. While a
properly configured firewall can do a great job of keeping the bad guys
out, it doesn't do anything to monitor possible internal security issues.
Based on various studies, anywhere from 70-80% of all security incidents
are related to internal staff. In many cases getting access to sensitive
data is simple, due to misconfigured (or even worse, not configured)
security permissions. Even in cases where NTFS permissions are set
correctly, security is still an issue. Knowing who has attempted access
(and when) is just as important as knowing who has actually accessed
sensitive data. Remember that a good security strategy involves
identifying threats before an actual breach occurs.
Installing LANguard S.E.L.M. is simple, but there are a few things that
you'll need to prepare prior to getting started. First and foremost, you
will need to enable auditing in your domain - recall that Windows 2000
audits nothing by default. For all intents and purposes, you'll want to be
sure that you have at least major events (such as account logon and object
access) included. Think of some of the risks inherent in any environment,
and think about them closely. You shouldn't limit yourself to only
worrying about users attempting to log on as administrator or those trying to
access restricted files. Think about users with administrative privileges
changing the membership of key groups (such as Payroll!), or deleting the
security logs after doing something they shouldn't have. Certainly these
actions aren't limited to internal users, but since they already have
access, this does represent a possible threat. A careful analysis of
security risks is critical to the success of any security initiative.
Along the same lines, you should also make a point of characterizing your
network systems prior to the installation of LANguard S.E.L.M. Define
systems as being high, medium, or low risk. While a firewall, VPN, or web
server would probably be considered high risk, a normal user's workstation
would probably be most correctly categorized as low risk. Be honest in
your analysis - simply defining all systems as high risk will not make
your network more secure, even if it makes you feel more comfortable.
Recall that auditing is configured in Windows 2000 via Group Policy. Be
sure to configure auditing on the Default Domain Policy, using the No
Override option. The screenshot below outlines the auditing section of
Besides auditing, you'll also
need to configure Message Queuing Service (this is included with Windows
2000 but is not usually installed by default) and create a dedicated user
account under which LANguard S.E.L.M. will run.
The installation process is very straightforward. In fact, most of the
configuration can be accomplished using the initial installation wizard.
This includes adding computers to be monitored, specifying whether a SQL or
Access database should be used, configuring mail server settings, and
specifying normal operation times. Once completed, settings can of course be
changed using the LANguard S.E.L.M. configuration tools.
LANguard S.E.L.M. adds a number of tools (many of which are MMC-based) for
managing and monitoring alerts and their settings. These include:
LANguard S.E.L.M. Configurator - used to configure program alerts,
rules, and settings.
LANguard S.E.L.M. Event Viewer - used to view categorized events,
similar to Event Viewer but in a more organized fashion.
LANguard S.E.L.M. Reporter - used to build standard or custom reports
that outline the result of security log analysis.
LANguard S.E.L.M. Troubleshooter - a wizard that can be used to
provide GFI with information on issues you are experiencing with the
product, to be forwarded in an e-mail to GFI.
Additionally, the LANguard S.E.L.M. Monitor tool sits in the system tray,
providing information about the security log collection process on domain
computers. Since Event logs from different systems will have to be retrieved
by the system where the database resides, you can also specify how often
this happens for individual (or groups of) computers. For example, on
critical or high-risk servers you might specify that real-time monitoring
take place every 5 seconds. On lower risk computers, you might specify that
log collection occur every six hours. Striking a balance here is important,
since monitoring too aggressively may impact performance. This is yet
another reason why you should characterize network systems prior to
installation. The screenshot below outlines the monitoring settings for one
of my domain controllers.
In order to account for the different levels
of security monitoring required on domain systems, LANguard S.E.L.M. allows
you to define the security level of individual systems, and set defaults.
For example, you could configure things such that individual servers have a
medium security setting by default, while domain controllers or critical
servers are set to high. You can later use these settings to define which
types of events are considered critical for a given system type.
Another important feature is the ability to
define what is known as Normal Operation Time (N.O.T). This tells LANguard
S.E.L.M. which times are considered normal business hours. This feature
provides an even more granular level of control over how alerts are defined
- for example, a failed logon event during business hours might be
considered a medium security threat, and a high (or even critical) security
event after hours. The ability to control what is considered critical (and
when) is part of what makes LANguard S.E.L.M. such a powerful tool.
All this talk of configuration and
customization might have you a bit frightened. The good news is that by
default, the program has already grouped important security events into
categories based on their potential to represent threats. So, even if you're
not sure what you want LANguard S.E.L.M. to tell you when starting out, the
default settings handle the most common requirements smoothly. For advanced
users, the ability to customize which events are monitored and how they are
characterized provides maximum flexibility. The screenshot below outlines
the process of defining a custom event rule.
As far as event monitoring is concerned, the
LANguard S.E.L.M. Event Viewer makes things easy. While the standard Event
Viewer included with Windows 2000 adds all security alerts to a single log
file on each individual machine, LANguard S.E.L.M. Event Viewer instead
categorizes alerts according to how critical they are, as shown below.
Remember that even though the defaults work
well, you have the ability to define exactly how critical an event is
considered to be. For example, Event 529 (bad username/password) is
classified as a medium security event on a low security PC outside of Normal
Operation Time by default (as shown below). If you want, you can easily
change this setting to a high or even critical event - whatever best meets
the needs of your environment.
Taken a step further, you also control when
you are contacted by e-mail (this is configured for critical alerts only by
default). However, you can again define which types of events you wish to be
contacted about. Remember that receiving too many e-mail alerts may lead you
to start ignoring them, so be careful with the events that you decide to
define as critical or worthy of having an e-mail sent.
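To make the classification described above concrete (a system's security level, the event ID, whether the event falls inside Normal Operation Time, and a separate e-mail threshold), here is an added example of that logic as a small rule engine. It is not GFI's code and does not reproduce S.E.L.M.'s actual rule tables; the host inventory, the 08:00-18:00 weekday N.O.T. window, the rule table and the sample events are constructed assumptions, with 529 (bad username/password) taken from the article and 517 (audit log cleared) and 560 (object open) being standard Windows 2000 Security log IDs.

```python
from dataclasses import dataclass
from datetime import datetime, time

SEVERITY = ["low", "medium", "high", "critical"]                     # lowest to highest
NOT_START, NOT_END = time(8, 0), time(18, 0)                         # N.O.T. (assumed: Mon-Fri 08:00-18:00)
HOST_LEVELS = {"DC-01": "high", "FS-01": "medium", "WS-01": "low"}   # constructed system inventory
# Base severity per event ID, keyed by host security level (constructed rule table).
# 529 = bad username/password; 517 = audit log cleared.
RULES = {
    529: {"low": "low", "medium": "medium", "high": "high"},
    517: {"low": "critical", "medium": "critical", "high": "critical"},
}
@dataclass(frozen=True)
class Event:
    host: str
    event_id: int
    when: datetime
def in_normal_operation_time(when: datetime) -> bool:
    return when.weekday() < 5 and NOT_START <= when.time() < NOT_END

def classify(event: Event, host_levels=HOST_LEVELS, rules=RULES) -> str:
    """Base severity for the host's level, raised one step when the event falls outside N.O.T."""
    level = host_levels.get(event.host, "low")   # unknown hosts default to low risk
    rule = rules.get(event.event_id)
    if rule is None:                             # no rule: treat as informational
        return "low"
    idx = SEVERITY.index(rule[level])
    if not in_normal_operation_time(event.when):
        idx = min(idx + 1, len(SEVERITY) - 1)
    return SEVERITY[idx]

def categorize(events) -> dict:
    """Group events by severity, as a categorized event viewer would present them."""
    out = {s: [] for s in SEVERITY}
    for ev in events:
        out[classify(ev)].append(ev)
    return out

def email_worthy(events, threshold="critical") -> list:
    """Events at or above the e-mail threshold; critical only by default to limit alert fatigue."""
    floor = SEVERITY.index(threshold)
    return [ev for ev in events if SEVERITY.index(classify(ev)) >= floor]

# Constructed sample events (not real log data).
SAMPLE = [
    Event("WS-01", 529, datetime(2001, 6, 12, 22, 15)),  # low PC, after hours   -> medium
    Event("DC-01", 529, datetime(2001, 6, 13, 10, 0)),   # high DC, in N.O.T.    -> high
    Event("DC-01", 529, datetime(2001, 6, 13, 2, 0)),    # high DC, after hours  -> critical
    Event("FS-01", 517, datetime(2001, 6, 13, 11, 0)),   # log cleared, any time -> critical
    Event("WS-01", 560, datetime(2001, 6, 13, 11, 0)),   # no rule for 560       -> low
]
```

Raising the base severity for 529 on low-risk hosts, or lowering the e-mail threshold to "high", reproduces the kind of tuning the article describes.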
The last major feature of LANguard S.E.L.M.
is certainly my favorite - its ability to produce clear and insightful
reports quickly and easily. For those of you with managers looking for
detailed information on network security, this will truly make your life
easier. Not only are the most common reports predefined, but you can also
define custom reports to be built from the information stored in the
database. For example, the screenshot below outlines the Reporter
The reports shown are actually templates -
once you right click and choose Generate, you'll be presented with the
completed report. Not only can the reports be printed easily, they can also
be exported to common formats including RTF, CSV, Crystal Reports, and
LANguard S.E.L.M. has many additional
features that I haven't covered here - advanced filtering capabilities, the
ability to backup the database to ensure optimal performance, and more. If
you're serious about monitoring security on your network, you should take a
look at LANguard S.E.L.M. Not only will the product reduce the amount of
administrative effort required to manage and monitor security events, it will
also give you the peace of mind of knowing that you'll be able to respond to
critical incidents in a timely fashion. GFI offers a free trial version of LANguard S.E.L.M. for download. Given the time and
effort (and subsequently dollars) that companies spend trying to ensure a
cohesive security strategy, LANguard S.E.L.M. represents a practical and