S 2.489 Planning of system monitoring under Windows Server 2008
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
New features of Windows Server 2008
The basic principles of monitoring and logging must also be applied to Windows servers, see S 5.9 Logging on the server. With Windows Vista and Windows Server 2008 the Event Log service was re-implemented from scratch. The maximum log file size was raised (to 1 petabyte in theory), and write throughput was increased so that the service can now process and store tens of thousands of events per second. At the same time the log file format changed from the binary .evt format to the XML-based .evtx format, which means that older tools and scripts that parse .evt files directly no longer work without adaptation.
In addition to these changes and the introduction of new events, there are two essential new features to be taken into account:
- Collecting events on a central Windows system
In Windows Server 2008 and higher, copies of events can be collected on a central computer (see the Planning section).
- New numbering of the event IDs
The identification numbers (IDs) of the security events were generally changed by adding 4096 to the previous number; thus the former event 528 (Successful logon) now has the ID 4624. Existing evaluations that match on event IDs, for example in your own scripts, filters or alert rules, must be adapted accordingly, otherwise they will silently stop matching.
Planning
In general, the following safeguards should also be taken into account during the planning phase, since they are the basis of the configurations relevant to Windows Server 2008:
- S 5.9 Logging on the server
- S 2.64 Checking the log files
- S 2.110 Data protection guidelines for logging procedures
- S 2.365 Planning of system monitoring under Windows Server 2003
In Windows Server 2008 and higher, copies of predefined events can be collected and consolidated on a central Windows system (the collector). Before the forwarding computers (sources) and the collector are configured, the following general aspects should be decided.
The required services (Windows Remote Management on the sources and the collector, Windows Event Collector on the collector) must be enabled on all computers involved, and the collector must be granted read access to the relevant logs on the sources (for example via the local Event Log Readers group). It must be specified which events of which Windows servers are forwarded to the central system. Only then can subscriptions be created; a subscription names the source computers to be monitored and the event type or query filter (XPath) to apply. Advanced subscription settings such as bandwidth optimisation (batching, latency, heartbeat) can then be set. It must also be decided whether subscriptions are collector-initiated (the collector connects to each source) or source-initiated (sources connect to the collector, typically configured by group policy), since this determines the direction of the WinRM connections and therefore which firewall rules must be adapted.
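The following script is an added example of the planning steps above carried through in PowerShell; it is not part of the BSI catalogue or of any Microsoft documentation. It translates a set of legacy Windows Server 2003 security event IDs to their 2008 numbers with the +4096 rule, builds a collector-initiated subscription whose query filter selects exactly those IDs, registers it with wecutil, and checks that events arrive in the ForwardedEvents log. The host names, domain, subscription name, chosen IDs and the assumption of WinRM 2.0 (TCP 5985) and PowerShell 2.0 or later on the collector are illustrative assumptions.

```powershell
# Added example (not from the BSI catalogue): collector-initiated event forwarding
# for renumbered Security event IDs. Host names, domain, subscription name and the
# set of IDs are assumptions for illustration.

# --- 1. Translate legacy (Windows Server 2003) Security event IDs ---------------
# 2008 ID = 2003 ID + 4096, e.g. 528 (Successful logon) -> 4624.
$LegacyIds = @{ 528 = 'Successful logon';  529 = 'Logon failure'
                538 = 'Logoff';            576 = 'Special privileges assigned'
                612 = 'Audit policy change'; 624 = 'User account created' }
$NewIds = $LegacyIds.Keys | ForEach-Object { $_ + 4096 } | Sort-Object
# Same XPath is used for the subscription filter and for the local check below.
$Xpath = '*[System[(' + (($NewIds | ForEach-Object { "EventID=$_" }) -join ' or ') + ')]]'

# --- 2. Source computers (run as Administrator on each forwarding server) -------
# winrm quickconfig starts WinRM, creates the HTTP listener (TCP 5985 with WinRM 2.0,
# an assumption) and adds the matching firewall exception:
#   winrm quickconfig -q
# The collector's computer account needs read access to the Security log:
#   net localgroup "Event Log Readers" "EXAMPLE\COLLECTOR$" /add

# --- 3. Collector (run as Administrator) ---------------------------------------
$Sources          = @('srv01.example.local', 'srv02.example.local')   # assumed names
$SubscriptionName = 'SecurityLogonEvents'                              # assumed name

$EventSources = ($Sources | ForEach-Object {
    "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"

# Subscription document in the WEC subscription schema; batching/heartbeat values
# are the bandwidth-optimisation settings mentioned in the planning text.
$Subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon, logoff, privilege and account events from member servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>20</MaxItems><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">$Xpath</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$EventSources
  </EventSources>
</Subscription>
"@

$Path = Join-Path $env:TEMP "$SubscriptionName.xml"
$Subscription | Out-File -FilePath $Path -Encoding UTF8

wecutil qc /q                  # enable and start the Windows Event Collector service
wecutil cs $Path               # create the subscription from the XML above
wecutil gr $SubscriptionName   # runtime status per source: each should report Active

# --- 4. Verify on the collector that forwarded events are arriving --------------
Get-WinEvent -LogName ForwardedEvents -FilterXPath $Xpath -MaxEvents 10 |
    Select-Object TimeCreated, MachineName, Id, Message
```

Because the subscription is collector-initiated, the collector opens the WinRM connections to each source, so the firewall rules on the sources must admit inbound TCP 5985 from the collector only; if a source-initiated subscription were chosen instead, the direction would be reversed and the collector would need the inbound rule. The same `$Xpath` filter can be pointed at `-LogName Security` on a source to confirm locally that the renumbered IDs are being generated before the forwarding path is troubleshot.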
For the operating phase after successful planning, the safeguard S 4.344 Monitoring of Windows Vista, Windows 7 and Windows Server 2008 systems should be taken into account.
Review questions:
- Has it been specified which events of Windows servers are forwarded to the central system?