S 4.148 Monitoring a Windows 2000/XP system
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Auditor
Monitoring computer systems is an important means of maintaining system security and integrity. Only in this way can security gaps, violations of the applicable security policies and attacks by insiders or outsiders be detected and suitable countermeasures triggered.
Monitoring (auditing) of a Windows 2000/XP system must be taken into account in the planning phase so that the relevant parameters can be specified according to the requirements. Nothing is logged until auditing has been enabled globally. For file and registry monitoring this global setting is only a precondition: the objects to be monitored must additionally be given audit entries (SACLs) in their security descriptors. The monitoring components are enabled and configured using the following group policy parameters:
General enabling of the auditing functions:
For each parameter the value No auditing, Success, Failure, or both Success and Failure can be set.
Computer Policies / Local Policies / Audit Policies

Parameter | Recommendation
---|---
Audit process tracking | Logs every process start and end. This generates a very large volume of events and is generally not necessary; enable it only temporarily for troubleshooting.
Audit privilege use | The use of user rights (privileges) should be monitored.
Audit policy change | Changes to the audit, user-rights and trust policies (e.g. via GPOs) are security-critical operations and should be monitored.
Audit system events | Logs system start-up and shutdown as well as other system-wide security events, such as clearing the security log or changing the system time; should be enabled.
Audit logon events | Logs logon and logoff on the computer on which the session is created (e.g. the workstation); should be enabled there.
Audit account logon events | Logs the validation of credentials. For domain accounts this takes place on the domain controller that authenticates the user, so it should be enabled on the domain controllers.
Audit account management | Creation, deletion and modification of user accounts and groups are security-critical and should be monitored.
Audit object access | Should be enabled because it makes logging of file and registry access possible. On its own it logs nothing: an audit entry (SACL) must additionally be set on each file or registry key to be monitored.
Audit directory service access | Only relevant on domain controllers. Changes to Active Directory objects should be monitored; as with object access, the AD objects concerned also need audit entries (SACLs).
Table: Computer Policies / Local Policies / Audit Policies
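The "Audit object access" row above only switches the subsystem on; each file or registry key to be monitored still needs its own audit entry (SACL). The following PowerShell script, an added example and not part of the original safeguard, sets such entries on one file and one registry key and reads them back. The paths and the audited identity (Everyone) are assumptions; it must run with the "Manage auditing and security log" right, i.e. as an administrator.

```powershell
# Added example, not part of the original safeguard. Paths and the audited
# principal are assumptions; adapt them to the objects worth monitoring.
$filePath = 'C:\Sensitive\payroll.xls'        # assumed example file
$regPath  = 'HKLM:\SOFTWARE\Example\Settings'  # assumed example key
$who      = 'Everyone'                         # audit every principal, not just one account

# --- File: audit successful and failed writes, deletions and ACL/ownership changes ---
$rights = [System.Security.AccessControl.FileSystemRights] 'Write, Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$fileRule = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $flags)

# -Audit is required so that the SACL is read (and later written back); it needs SeSecurityPrivilege
$acl = Get-Acl -Path $filePath -Audit
$acl.AddAuditRule($fileRule)
Set-Acl -Path $filePath -AclObject $acl

# --- Registry key: audit value writes, subkey creation, deletion and ACL changes, inherited by subkeys ---
$regRights = [System.Security.AccessControl.RegistryRights] 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$regRule = New-Object System.Security.AccessControl.RegistryAuditRule($who, $regRights, 'ContainerInherit', 'None', $flags)

$regAcl = Get-Acl -Path $regPath -Audit
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $regPath -AclObject $regAcl

# --- Verify: list the audit entries now in place on both objects ---
(Get-Acl -Path $filePath -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
(Get-Acl -Path $regPath  -Audit).Audit | Format-Table IdentityReference, RegistryRights,   AuditFlags -AutoSize
```

Once the audit policy "Audit object access" is enabled as well, matching accesses appear in the security log (on Windows 2000/XP as event 560, Object Open). Without the SACL the policy produces nothing for these objects, which is the mistake most often found when file auditing "does not work".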
Settings for the log files:

1. Computer Policies / Local Policies / User Rights Assignment

Parameter | Recommendation
---|---
Manage auditing and security log | This right allows the following:

2. Computer Policies / Local Policies / Event Log

Parameter | Recommendation
---|---
Retention method for the application, security and system log | Depending on the logging concept, one of the following options can be selected: After ... Days, Overwrite (as needed) and Do not overwrite.
Retain the log for ... days | Number of days, where the After ... Days retention method has been chosen.
Windows 2000: Restrict guest access to the logs | The access restrictions for the Guest account should be enabled.
Maximum log size | The size must be chosen so that enough storage space is available for the retention method used, even during periods of above-average system activity. This is especially important for the security log, because otherwise a gap in the audit trail can arise. Suggestions for these settings can be found in S 2.231 Planning the group policy under Windows and S 4.244 Secure configuration of Windows client operating systems. The suggested settings must, however, be adapted to the real conditions and tested in test operation.
Windows 2000: Shut down system when max. security log size has been reached | In normal operation this option should be used with caution, since a full security log then halts the system. It is useful in high-security areas where a complete audit trail is more important than availability. In any case, using this option must be examined carefully.
Table: Settings for the log files
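The audit policy and event log settings from the two tables above can be applied as a security template with secedit.exe, which is present on Windows 2000 and XP. The following script is an added example and not part of the original safeguard: it writes such a template, applies it to the local policy and then analyses the system against it. The log sizes, retention periods and the decision not to halt the system on a full security log are assumed values that must be adapted and tested as the text requires.

```powershell
# Added example, not part of the original safeguard. Sizes, retention and the
# CrashOnAuditFail choice are assumptions; adapt them to the logging concept.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditProcessTracking=0
AuditPrivilegeUse=3
AuditPolicyChange=3
AuditSystemEvents=3
AuditLogonEvents=3
AuditAccountLogon=3
AuditAccountManage=3
AuditObjectAccess=3
AuditDSAccess=3

[Security Log]
; sizes in KB and a multiple of 64; assumed value
MaximumLogSize=81920
; 0 = overwrite as needed, 1 = overwrite after RetentionDays, 2 = do not overwrite
AuditLogRetentionPeriod=2
RestrictGuestAccess=1

[System Log]
MaximumLogSize=16384
AuditLogRetentionPeriod=1
RetentionDays=14
RestrictGuestAccess=1

[Application Log]
MaximumLogSize=16384
AuditLogRetentionPeriod=1
RetentionDays=14
RestrictGuestAccess=1

[Registry Values]
; CrashOnAuditFail: 1 halts the system when the security log is full, 0 keeps it running (assumed: 0)
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,0
'@

$inf = Join-Path $env:TEMP 'audit-policy.inf'
$db  = Join-Path $env:TEMP 'audit-policy.sdb'
$log = Join-Path $env:TEMP 'audit-policy.log'
# [Unicode] Unicode=yes requires the file itself to be UTF-16
Set-Content -Path $inf -Value $template -Encoding Unicode

# Apply only the security-policy area (audit policy, event log settings, security options)
& secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log /quiet

# Compare the live system with the template; a "Mismatch" line in the log means a
# setting did not take effect, typically because a domain GPO overrides the local policy
& secedit.exe /analyze /db $db /cfg $inf /log $log /quiet
Select-String -Path $log -Pattern 'Mismatch' -SimpleMatch
```

On a domain member the same values belong in a GPO (Computer Configuration / Windows Settings / Security Settings) rather than in the local policy, because domain settings win; the local template is then only useful for stand-alone machines and for testing in the test environment the text calls for. With AuditLogRetentionPeriod=2 and CrashOnAuditFail=0 a full security log silently stops recording, so the size and the archiving interval must be matched to each other.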
In general, the following aspects also must be taken into account in the context of auditing:
- The Data Protection Officer and the staff or works council should be involved in the planning at an early stage, since monitoring generally also requires the collection of personal data so that the person responsible for a security violation can be identified reliably.
- The auditing components only generate log entries once auditing has been enabled using the relevant group policy settings.
- Windows 2000/XP provides only a logging function for auditing purposes: system components and applications generate status messages that are collected in three log files on every system (system, application and security log; domain controllers have further logs such as the Directory Service log). There is no dedicated auditing architecture for real-time monitoring or alerting. The log files are stored locally and essentially have to be evaluated manually.
- A central collection point for log files with correspondingly automated evaluation can be set up using products from third-party manufacturers. If a tool for network and system management is used (see also module S 4.2 Network and System Management), it may be possible to import the Windows 2000/XP logs directly into the tool, depending on the product.
- Access to files or registry keys can be recorded in the security log by configuring the appropriate auditing settings in Windows 2000/XP. This requires both the audit policy "Audit object access" and an audit entry (SACL) on each object concerned; without the latter nothing is logged.
- Depending on the settings, monitoring can generate large amounts of data, and intensive monitoring costs performance; in extreme cases a system can become so overloaded that proper operation is no longer possible. The monitoring parameters must therefore be checked in a test environment and adjusted if necessary. Changing the parameters can also affect the overall auditing concept, because certain monitoring tasks may no longer be possible after the change. This applies especially where additional products that place high demands on the recorded events are used, for example programs that automatically analyse the log data for behavioural anomalies in order to detect attacks.
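Since Windows 2000/XP itself offers no central collection or automated evaluation, the minimum a practitioner needs is a script that pulls the security logs of several hosts, keeps a copy centrally and flags the events a first review must not miss. The following PowerShell script is an added example and not part of the original safeguard; it uses the Windows 2000/XP security event IDs. The host names, the archive share and the threshold for repeated logon failures are assumptions.

```powershell
# Added example, not part of the original safeguard. Host list, archive share
# and the failed-logon threshold are assumptions.
$hosts   = 'ws-0101', 'ws-0102', 'dc-01'   # assumed inventory
$archive = '\\logsrv\seclogs'              # assumed central collection share
$since   = (Get-Date).AddHours(-24)
$failMax = 5                               # assumed: more failed logons than this per host and user is reported

# Security event IDs as numbered on Windows 2000/XP
$watch = @{
    517 = 'Security log cleared'
    612 = 'Audit policy changed'
    624 = 'User account created'
    630 = 'User account deleted'
    632 = 'Member added to global group'
    636 = 'Member added to local group'
    529 = 'Logon failure: unknown user name or bad password'
    539 = 'Logon failure: account locked out'
    560 = 'Object opened (file/registry SACL hit)'
}

$findings = @()
foreach ($h in $hosts) {
    try {
        $events = @(Get-EventLog -LogName Security -ComputerName $h -After $since -ErrorAction Stop)
    } catch {
        # a host whose log cannot be read is itself a finding for the reviewer
        Write-Warning "$h : security log not readable ($($_.Exception.Message))"
        continue
    }
    # keep a copy centrally so that evaluation does not depend on the local log surviving
    $events | Export-Clixml -Path (Join-Path $archive ('{0}-{1:yyyyMMdd-HHmm}.xml' -f $h, (Get-Date)))

    foreach ($e in $events) {
        if ($watch.ContainsKey([int]$e.EventID)) {
            # UserName is only filled for some security events; the account concerned is in the message text
            $findings += New-Object PSObject -Property @{
                Host = $h; Time = $e.TimeGenerated; EventID = $e.EventID
                What = $watch[[int]$e.EventID]; User = $e.UserName
            }
        }
    }
}

# Everything except logon failures is rare enough to be listed individually
$findings | Where-Object { $_.EventID -ne 529 -and $_.EventID -ne 539 } |
    Sort-Object Time | Format-Table Host, Time, EventID, What, User -AutoSize

# Logon failures are summarised; many failures for one user on one host point to password guessing
$findings | Where-Object { $_.EventID -eq 529 -or $_.EventID -eq 539 } |
    Group-Object Host, User | Where-Object { $_.Count -gt $failMax } |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run from a collection host under an account that holds "Manage auditing and security log" on the targets, this gives the kind of daily overview the text says the built-in tools do not provide. Event 517 deserves special attention: a cleared security log is itself the most common trace of an attacker covering tracks, which is why the copy in the archive share matters.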
As part of monitoring system functions, the Active Directory replication process through which configuration changes are propagated should also be checked regularly. AD tools such as repadmin.exe (for example repadmin /showreps, which lists the last replication result for each partner of a domain controller) can be used for this purpose. The Directory Service and File Replication Service (FRS) event logs on the domain controllers should also be checked for error messages. A replication error usually means that configuration changes have not been applied everywhere, so there is a danger that some domain controllers still grant users unsuitable or excessive rights.
The system time plays an important role in monitoring the system and evaluating log data; events from several systems can only be correlated if their clocks agree. When monitoring several systems it is therefore especially important to synchronise the system time on all computers. Windows 2000 introduced the Windows Time service (W32Time), which is responsible for this synchronisation.
In an Active Directory environment, the authenticating domain controller is the time source for the domain members. The Windows Time service has a hierarchical structure: the domain controller of the forest root domain that holds the PDC emulator FSMO role is the central time source for the entire Active Directory infrastructure. This domain controller can be configured with the net time /setsntp:<time source> command so that it synchronises with an external time source. The time source can be located inside or outside the organisation's network, although an internal time source should be preferred. If a time source outside the organisation's own network is used, its trustworthiness must be ensured.
Client computers that are not members of a domain use the Microsoft time server time.windows.com by default. They can be configured to use a different time source with the net time /setsntp command or via the list of servers in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers.
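Before log data from several hosts is correlated, the clock offset between them should be measured rather than assumed. The following PowerShell script is an added example and not part of the original safeguard: it compares each host's clock with the machine running the script via WMI and shows the SNTP source configured with net time /setsntp. The host list and the 60-second tolerance are assumptions (Kerberos itself tolerates five minutes, which is far too coarse for log correlation).

```powershell
# Added example, not part of the original safeguard. Host list and tolerance are assumptions.
$hosts      = 'ws-0101', 'ws-0102', 'dc-01'   # assumed inventory
$maxSkewSec = 60                               # assumed tolerance for correlating log entries

function Get-ClockSkew {
    param([string]$ComputerName)
    # Win32_OperatingSystem.LocalDateTime is a WMI datetime string carrying the remote UTC offset;
    # the converter returns it as a DateTime in the caller's local time zone
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
    $remote = [System.Management.ManagementDateTimeConverter]::ToDateTime($os.LocalDateTime)
    # positive = remote clock ahead; includes the WMI round trip, well under a second on a LAN
    [math]::Round(($remote - (Get-Date)).TotalSeconds, 1)
}

foreach ($h in $hosts) {
    try {
        $skew = Get-ClockSkew -ComputerName $h
    } catch {
        Write-Warning "$h : unreachable ($($_.Exception.Message))"
        continue
    }
    $state = if ([math]::Abs($skew) -gt $maxSkewSec) { 'SKEW TOO LARGE' } else { 'ok' }
    '{0,-10} offset {1,7:N1} s  {2}' -f $h, $skew, $state
    # configured SNTP source of the remote host, as set with net time /setsntp;
    # an empty answer means the default (time.windows.com) or the domain hierarchy is used
    & net time "\\$h" /querysntp
}
```

A host reported with "SKEW TOO LARGE" should be fixed at the source (net time /setsntp on the PDC emulator or on the stand-alone client) rather than by adjusting its clock by hand, since a manually set clock drifts again and the correction itself appears in the security log as a system time change.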
Review questions:
- Was the Windows monitoring concept designed and implemented according to the actual requirements?
- Do the system auditing parameters meet the requirements of the organisation?
- Do the group policy parameters in use implement the required configuration of the monitoring components under Windows?
- Do the rights assigned for managing the audit and security logs comply with the security policies of the organisation?
- Are the Data Protection Officer and the staff or works council involved early on in the audit planning process?
- Is regular synchronisation of the system time ensured?