S 2.365 Planning of system monitoring under Windows Server 2003
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Numerous and extensive event logs are created when operating Windows Server 2003. These logs are primarily used to verify and maintain proper operation, but also for analysing errors. They often serve as the basis for audits or additional evaluations.
The contents of the logs determine the storage periods and the data protection aspects that have to be taken into account. The basic principles of logging should conform to the legal requirements, and the threats and risks arising from the misuse of log data are to be minimised (see S 5.9 Logging on the server, S 2.64 Checking the log files, S 2.110 Data protection guidelines for logging procedures).
Basic monitoring and logging principles
- Logs are only to be recorded in the scope necessary, since the generation of log files consumes resources and storage space. The principle of data avoidance is to be observed.
- Higher security requirements generally mean that more extensive monitoring is required.
- Logs are created for justified and specified purposes and must only be generated for these purposes.
- Monitoring and recording logs is in the interest of the organisation and must be coordinated with the personnel representative and the Data Protection Officers.
- Logs are to be protected against unauthorised access, manipulations, and retroactive changes.
- Logs must be evaluated regularly and in a timely manner.
- Precise and synchronous time stamps as well as defined formats, interfaces, and procedures are required to evaluate the logs properly.
- When evaluating logs, the basic principles stated in module 1.8 Handling of security incidents must be taken into account.
- Logs are to be deleted after their maximum storage period has expired.
Monitoring policy
Based on the security policy for the Windows Server 2003 to be monitored, a monitoring policy must be derived and implemented for the server. The monitoring policy should define which events are to be monitored by whom, what reactions must be triggered for certain events and with which reaction times, and how the log data is to be handled. The security template files supplied with Windows Server 2003 are located in the %SystemRoot%\Security\Templates folder. They can be viewed with the Security Templates snap-in of the Microsoft Management Console (MMC) and serve to provide an overview and basic orientation.
The users and events to be monitored are specified in the Group Policy snap-in. It should be documented whether, and if so for what reason, success and/or failure events are to be logged for the following categories:
- Login attempts
- Login events
- Account administration events
- Active Directory accesses
- Object accesses
- Use of rights
- Process monitoring
- System events
- Changes to policies
Monitoring objects
To monitor object accesses (e.g. to files), it must be ensured that monitoring is activated both in the monitoring policy of the server and in the properties of the selected objects. For example, Windows Server 2003 allows administrators to take ownership of files and to transfer ownership to third parties, and thus also back to the original owner; Windows Server 2003 has only limited built-in capabilities for detecting such actions. For this reason, the logs of the monitored objects should be evaluated regularly for such events.
Event logs
The logs can be viewed and administered manually with the Event Viewer. Every entry has additional details and a unique event ID for which there are detailed descriptions. The Event Viewer configuration must be defined. The following aspects must be taken into account to accomplish this:
- Separation of roles
If, for example, the administrators are not to be able to influence the evaluation of the event logs in any way, the storage location of the event logs can be changed from the default location %SystemRoot%\system32\config. The Registry is also located in this folder; for this reason, it does not make sense to revoke the administrators' access rights to this folder. In Windows Server 2003 and higher, it is possible to restrict access to the Event Viewer logs: the desired access authorisations (an access control list, ACL) are defined separately for each log in the CustomSD Registry entry using a Security Descriptor Definition Language (SDDL) string.
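As an added example that is not part of this safeguard, the following PowerShell fragment sets a CustomSD value for the Application log and then decodes the stored ACL so that the rights granted per principal can be documented and reviewed. The log-reader group SID is a placeholder; the rights bits 0x1 (read), 0x2 (write) and 0x4 (clear) are the ones Windows uses for event logs.

```powershell
# Added example (not part of the safeguard): restrict access to one event log through
# the CustomSD value and decode the stored ACL so the assigned rights can be reviewed.
# Assumptions: the log is "Application"; S-1-5-21-0-0-0-1234 is a PLACEHOLDER SID for
# a separate "log readers" group. Event log rights bits: 0x1 read, 0x2 write, 0x4 clear.
$logName   = 'Application'
$readerSid = 'S-1-5-21-0-0-0-1234'   # placeholder: replace with the real group SID

# Owner BA (Administrators), group SY (SYSTEM). Deny Anonymous (AN) and Guests (BG),
# allow SYSTEM everything, allow Administrators read/write/clear (operating role) and
# give the log-reader group read-only access (evaluating role).
$sddl = 'O:BAG:SYD:' +
        '(D;;0xf0007;;;AN)' +
        '(D;;0xf0007;;;BG)' +
        '(A;;0xf0007;;;SY)' +
        '(A;;0x7;;;BA)' +
        "(A;;0x1;;;$readerSid)"

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"
Set-ItemProperty -Path $regPath -Name 'CustomSD' -Value $sddl -Type String

# Read the value back and list each ACE as principal + rights; this is what belongs in
# the monitoring policy documentation and is compared against it during review.
$stored = (Get-ItemProperty -Path $regPath -Name 'CustomSD').CustomSD
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor $stored
foreach ($ace in $sd.DiscretionaryAcl) {
    $rights = @()
    if ($ace.AccessMask -band 0x1) { $rights += 'read' }
    if ($ace.AccessMask -band 0x2) { $rights += 'write' }
    if ($ace.AccessMask -band 0x4) { $rights += 'clear' }
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }   # SID cannot be resolved (e.g. the placeholder)
    '{0,-14} {1,-40} {2}' -f $ace.AceType, $who, ($rights -join ', ')
}
```

For the Security log, verify on the target system how CustomSD interacts with the "Manage auditing and security log" user right before relying on the ACL alone.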
Alternatively, administration and monitoring can be separated using a system management tool.
- Log sizes and storage periods
The maximum size of the log files must be consistent with the configured behaviour when a log is full (the overwrite setting), the number of events expected, and the period over which data is to be retained. If "Never Overwrite Events" is configured, then it must be ensured that the log file does not become too large and have an adverse effect on system performance. Otherwise, the server might halt and shut down if the security settings have been configured accordingly, so that the required availability may not be attainable under certain circumstances.
- Relevant logs
The event logs consist of the following logs at a minimum:
- System,
- Application and
- Security.
Depending on the role of the server, the following event logs may also be present:
- Directory Service log
- DNS Server log
- File Replication Service log
Additional file-based logs to be taken into account depending on the role and function of the server include:
- IIS logs
- RRAS logs
- RADIUS logs
- Event types
The logs can contain the following event types:
- Error
- Warning
- Information
- Successful attempt events
- Unsuccessful attempt events
Instruments for monitoring logged events
Logs can be evaluated manually (e.g. using the Event Viewer), using user-defined scripts (e.g. Eventlg.pl, Eventquery.vbs), using special tools (e.g. Dumpel.exe, Auditusr.exe, EventCombMT), or using fully automatic management tools (e.g. Microsoft Operations Manager 2005, MOM 2005). Furthermore, there are also products available from third-party manufacturers for this purpose.
Source information:
| Tool | Source |
|---|---|
| Eventlg.pl | Windows 2000 Resource Kit, Supplement 1 |
| Eventquery.vbs | Windows 2000 Resource Kit, Supplement 1 |
| Dumpel.exe | Windows 2000 Server Resource Kit, Supplement 1 |
| Auditusr.exe | Part of Windows Server 2003 with SP1 |
| EventCombMT | Microsoft Windows Server 2003 Resource Kit Tools |
These products also cover requirements for monitoring that cannot be adequately realised using the built-in Windows Server 2003 resources. These requirements include, for example, notification via SMTP, near real-time reaction to events, or a forensic analysis approach to detect suspicious incidents and determine the parties responsible.
When monitoring the availability of a Windows Server 2003 or its services, it must be taken into account that reliable monitoring and automatic escalation can only be guaranteed by an independent, third-party system.
The type of monitoring should also be documented in the monitoring policy.
- Automatic monitoring
Manual monitoring and evaluation is prone to error, subjective, subject to individual variation, and is only available in a limited form. Automatic monitoring and evaluation is to be preferred over manual methods. The principle of appropriateness must also be taken into account.
Details on the recommended methodology are described in the Security Monitoring and Attack Detection Planning Guide from Microsoft.
Even though the security log of the Event Viewer is to be given the highest priority when monitoring the security of a Windows Server 2003, it must not be overlooked that there are other security-relevant events that also need to be recorded. The data in the event logs should be correlated regularly with other data, for example days of leave, public holidays, times of day, etc., to detect deviations from "normal" use.
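The correlation described above, as an added example that is not part of this safeguard: the PowerShell 2.0 script below flags successful logons that fall outside assumed working hours, on weekends or public holidays, or on days a user is recorded as being on leave. The sample events, working hours, holidays and leave records are all constructed for the example; on a live system the events come from the Security log as shown in the comment.

```powershell
# Added example (not part of the safeguard): flag successful logons from the Security log
# that fall outside working hours, on weekends/public holidays, or on days the user is on
# leave. The events below are CONSTRUCTED; on a live Windows Server 2003 use instead
#   Get-EventLog -LogName Security -InstanceId 528,540 -After (Get-Date).AddDays(-7)
# (528 = successful interactive logon, 540 = successful network logon on Windows Server 2003).
$workStart = 7                                   # assumed working hours 07:00-19:00
$workEnd   = 19
$holidays  = @('2024-12-25', '2024-12-26')       # assumed public holidays (yyyy-MM-dd)
$onLeave   = @{ 'CORP\jdoe' = @('2024-12-23', '2024-12-24') }   # assumed leave records

function Test-OutsideNormalUse {
    param([datetime]$Time, [string]$User)
    $day = $Time.ToString('yyyy-MM-dd')
    $reasons = @()
    if ('Saturday', 'Sunday' -contains $Time.DayOfWeek.ToString()) { $reasons += 'weekend' }
    if ($holidays -contains $day)                                   { $reasons += 'public holiday' }
    if ($onLeave[$User] -contains $day)                             { $reasons += 'user on leave' }
    if ($Time.Hour -lt $workStart -or $Time.Hour -ge $workEnd)      { $reasons += 'outside working hours' }
    return $reasons
}

# Constructed sample events carrying the fields Get-EventLog returns for logon events.
function New-LogonEvent($When, $Id, $User) {
    New-Object PSObject -Property @{
        TimeGenerated = [datetime]::ParseExact($When, 'yyyy-MM-dd HH:mm', $null)
        InstanceId    = $Id
        UserName      = $User
    }
}
$events = @(
    (New-LogonEvent '2024-12-23 09:15' 528 'CORP\jdoe'),        # Monday, but jdoe is on leave
    (New-LogonEvent '2024-12-24 03:40' 540 'CORP\svc-backup'),  # weekday, 03:40
    (New-LogonEvent '2024-12-27 10:00' 528 'CORP\asmith'),      # Friday, normal use
    (New-LogonEvent '2024-12-28 11:30' 540 'CORP\asmith')       # Saturday
)

# Report only the deviations; each line is a candidate for follow-up, not yet an incident.
foreach ($e in $events) {
    $why = @(Test-OutsideNormalUse -Time $e.TimeGenerated -User $e.UserName)
    if ($why.Count -gt 0) {
        '{0:yyyy-MM-dd HH:mm}  {1}  {2,-16}  {3}' -f $e.TimeGenerated, $e.InstanceId, $e.UserName, ($why -join '; ')
    }
}
```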
- System monitor
The system monitor, with its performance logs and alerts, provides reliable information on the current availability of resources such as the main memory, processor, network, and hard drive storage space. It can issue warnings automatically when defined threshold values are exceeded. This can help to ensure the availability of a server. Statistical evaluation of the performance logs over a long period of time allows you to analyse trends and expand or modernise the necessary hardware in advance. Even printer queues can be monitored by the system monitor.
- Hardware
Hardware components specially purchased to improve availability (e.g. uninterruptible power supplies, temperature monitoring systems) generate events and log information that must be monitored.
- Applications
Applications can record security-related information in the application log of the Event Viewer or in separate logs. This information and/or these logs should also be monitored.
Documentation
The monitoring policy serves as documentation. Furthermore, security templates (.inf files) should be created for the monitoring policy in effect for the Windows Server 2003 system. The objects monitored and the types of events logged by other tools must also be documented.
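As an added example that is not part of this safeguard, the following PowerShell script writes the audit categories listed under "Monitoring policy" and the log size and retention settings from "Event logs" into a security template (.inf), as this section recommends, and compares a Windows Server 2003 system against it with secedit. Every value in the template is an assumed placeholder to be replaced by the organisation's own monitoring policy.

```powershell
# Added example (not part of the safeguard): document the monitoring policy as a security
# template (.inf) and compare a Windows Server 2003 system against it with secedit.
# All values are ASSUMED placeholders; take the real ones from the monitoring policy.
# Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
# Log sizes are in KB; AuditLogRetentionPeriod 2 = "Never Overwrite Events".
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
; AccountLogon = login attempts, LogonEvents = login events, AccountManage = account
; administration, DSAccess = Active Directory accesses, PrivilegeUse = use of rights
AuditAccountLogon = 3
AuditLogonEvents = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditProcessTracking = 0
AuditSystemEvents = 3
AuditPolicyChange = 3
[Security Log]
MaximumLogSize = 131072
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[Application Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[System Log]
MaximumLogSize = 16384
AuditLogRetentionPeriod = 2
RestrictGuestAccess = 1
[Registry Values]
; CrashOnAuditFail=1 would halt the server when the security log is full; keep 0 unless required
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
'@
$inf = Join-Path $env:TEMP 'monitoring-policy.inf'
Set-Content -Path $inf -Value $template -Encoding Unicode   # secedit expects a Unicode .inf
$db  = Join-Path $env:TEMP 'monitoring-policy.sdb'
$log = Join-Path $env:TEMP 'monitoring-policy.log'
# /analyze only reports deviations; use /configure instead to apply the reviewed template.
secedit /analyze /db $db /cfg $inf /log $log /quiet
Get-Content $log | Select-String 'Mismatch'
```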
Review questions:
- Does a monitoring policy for Windows Server 2003 specifying how to handle the events in the log data exist, and is its scope coordinated with the requirements of the organisation's security policy?
- Do both the disk quota for the log files and the audited logs meet the organisation's security requirements?
- Do the instruments for monitoring logged events under Windows Server 2003 meet the organisation's security requirements?
- Are the monitoring results of Windows Server 2003 also used to identify undetected vulnerabilities and the need for additional training?