Saturday, September 1, 2007

Auditing for Increased Security

You will need to audit your systems for enhanced and increased security. When Microsoft laid out this objective, they were most likely thinking about building your security strategy around Defense in Depth. This strategy is a way to avoid depending on any single protective measure deployed on your network. In other words, rather than feeling secure because you implemented a firewall on your Internet connection, you should implement other security measures such as an IDS (Intrusion Detection System), auditing, and biometrics for access control.

You need to understand that you need many layers of security (hence, defense in depth) to be able to feel and be safe from potential threats. A possible Defense in Depth matrix with auditing included could look like the graphic in the figure below.

So now that you know why auditing is so important, you could probably benefit from a good definition of the term 'auditing'. Auditing is the process of analyzing gathered data for the purpose of determining a possible problem, or in the security arena, an attack or exploit. Auditing is best used on any system that can generate some type of log file that you can save, refer to and analyze, especially over time.

Your security strategy should include a strong policy on auditing systems. If you are strapped for time, I would suggest you at least implement a policy to audit your most critical systems or systems that face the Internet. This way, you can be somewhat informed of possible attacks on systems that, if rendered inoperable, could put you out of business.

You should try to determine the level of auditing you need to deploy on your systems, as excessive auditing will generate too many events to view and analyze.

Don't overdo it

When you are looking at auditing your systems, you really need to do some analysis before the analysis! Do some research and think about what it really is you are trying to determine using auditing. It is not wise to just turn on all auditable events without even knowing what it is you are enabling. Excessive auditing could actually cause you to lose some logged events if you have the log set to overwrite events as needed: excessive logging could push an event you may need to see right out of the readable log you were going to analyze.

There are in fact ways that you can stop this, which will be covered within the chapter, but just remember: if you blindly turn on auditing without thinking about what it is you want to accomplish, you could actually lose data. One way to prevent this is to adjust the log size so that it will hold more events. Another way is to set the log so that events can only be cleared manually, so you don't lose data (both will be explained in more detail later in the chapter). Yet another way is to use an add-on product or third-party tool to accumulate your events in one centralized location, such as Microsoft Operations Manager (MOM), which can help you gather, filter and analyze massive amounts of events from all your systems.

When you perform auditing, you can have one of two categories:

  • Success: A success event indicates that a user has successfully gained access to a resource.
  • Failure: A failure event indicates that a user has attempted to gain access to a resource but failed.

These two categories will determine many things. If you monitor both, you can find patterns such as a series of logon failures. This may indicate that someone is trying to log on to a system and failing each time. A problem with auditing this type of behavior is that an administrator may simply have forgotten the password, or worse yet, have the Caps Lock key on while trying to log on. This would also show up in the event log. If you see a series of failures followed by a success, then either the administrator figured out the error, or, if it is an attack, the attacker was able to breach the system. This is how success and failure events can be seen working in conjunction with one another.
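The failures-followed-by-success pattern described above can be picked out of a log automatically. The following is an added example (not code from the original article): it parses constructed, simplified audit records in a `timestamp,type,account` format and flags every account whose successful logon was preceded by a run of failures within a short window. The record format, the account names and the thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (not taken from a real system):
# timestamp, event type, account name.
SAMPLE_LOG = """\
2007-09-01 08:00:01,Failure Audit,jsmith
2007-09-01 08:00:04,Failure Audit,jsmith
2007-09-01 08:00:06,Failure Audit,jsmith
2007-09-01 08:00:09,Failure Audit,jsmith
2007-09-01 08:00:11,Success Audit,jsmith
2007-09-01 08:05:00,Failure Audit,administrator
2007-09-01 08:05:30,Success Audit,administrator
2007-09-01 09:00:00,Success Audit,bjones
"""

def parse_events(text):
    """Parse 'timestamp,type,account' lines into (datetime, is_success, account)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account = (field.strip() for field in line.split(",", 2))
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       kind == "Success Audit", account))
    return events

def find_failure_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Return (account, failure_count, success_time) for each success event that
    was preceded by at least `min_failures` failures within `window`.
    The pattern alone cannot tell a forgotten password (or Caps Lock) from a
    guessing attack; it only selects the logon runs that deserve a closer look."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for ts, ok, account in sorted(events):
        failures = recent[account]
        while failures and ts - failures[0] > window:
            failures.popleft()     # drop failures older than the window
        if ok:
            if len(failures) >= min_failures:
                alerts.append((account, len(failures), ts))
            failures.clear()       # a success ends the current run
        else:
            failures.append(ts)
    return alerts

if __name__ == "__main__":
    for account, count, when in find_failure_then_success(parse_events(SAMPLE_LOG)):
        print(f"{when}: {account} logged on after {count} failed attempts")
```

With the sample data only `jsmith` is flagged; the single failure by `administrator` stays below the threshold, which is exactly the trade-off between catching attacks and drowning in events that the article warns about.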

In our next articles, we will look at how to set up auditing with Windows 2000.

About Robert J. Shimonski

Robert J. Shimonski (MCSE, etc.) is an entrepreneur, technology consultant and published author. Robert's specialties include network infrastructure design, management and the troubleshooting of Microsoft and Cisco products. Robert has in-depth experience with globally deployed Microsoft and Cisco systems. Robert works constantly with new companies to help them forge their designs, as well as to optimize their networks and keep them highly available, secure and disaster-free. Robert is the author of many security-related articles and published books, including the best-selling "Sniffer Network Optimization and Troubleshooting Handbook" from Syngress Media Inc (ISBN: 1931836574). Robert is also the author of the best-selling Security+ Study Guide and DVD Training System (ISBN: 1931836728) and Building DMZs for Enterprise Networks (ISBN: 1931836884), also from Syngress. Robert can be found online at
