Which Windows Server Events Should You Monitor and Why?

Russell Smith, Security Expert, IT consultant
April 9th, 2018

It’s a common theme of security breach reports that most compromises go unnoticed for several weeks and that organizations had evidence of the breach in their event logs. The Windows Server event logs contain a mass of useful information but finding events that might indicate an operational issue or security breach from all the noise isn’t an easy task.

Third-party security information and event management (SIEM) products can centralize logs and provide intelligence to identify events that might be important. But in the absence of a SIEM product, built-in Windows Server features can help protect your systems.

Ready to learn more? Check out my on-demand webinar, “Windows Server Security: Which Events to Monitor & Why“.
Download now

Windows Audit Policy

In Windows Server 2008 and later, Advanced Audit Policy provides more granular control over audit settings than was possible in older versions of Windows Server. Legacy audit settings remain for backward compatibility, although Advanced Audit Policy and the legacy audit settings can’t be used at the same time.

But what audit settings should you enable? You can find Microsoft’s recommend audit settings in the baseline security templates for Windows Server. The Security Compliance Toolkit can be downloaded free from Microsoft’s website and it contains templates for different server roles, like domain controller and member server. The templates can be converted into Group Policy Objects (GPOs) and applied to your systems. Alternatively, each baseline comes with an Excel spreadsheet that contains a list of all the settings included in the template.

Windows Event Forwarding

Centralizing event logs has a couple of benefits. First is that you don’t need to log in to each server individually to view the logs and they can be processed more efficiently in one place. Secondly, if a server’s event logs are cleared during an attack, you can quickly view the server’s logs without needing to restore from backup.

Windows uses an industry standard protocol for forwarding event logs, so you can send logs to another Windows device or a SIEM product. A collector is configured with subscriptions for servers from which you want to pull event logs. Source computers don’t need any special configuration apart from that Windows Remote Management (WinRM) must be enabled. If you want to collect the Security log from a domain controller (DC), you will need to give the DC’s Network Service account read channel access permission on the Security log.

Monitoring Important Windows Events

Collect events that indicate a configuration change, failure, or problem. For example, you might collect Windows Firewall events, such as Firewall Rule Add, Firewall Rule Change, Firewall Rule Deleted, Firewall failed to load Group Policy. Any changes to Windows Firewall might indicate malicious activity. Another example is Windows Defender, which is included out-of-the-box in Windows Server 2016. Look for events like Scan failed, Malware detected, and Failed to update signatures.

Hackers try to hide their presence for as long as possible. Event ID 104 Event Log was Cleared and event ID 1102 Audit Log was Cleared could indicate a problem. Event ID 4719 System audit policy was changed could also show malicious activity. Application crashes can also indicate the presence of a hacker.

Table 1 – Application Crashes

ID Level Event Log Event Source
App Error 1000 Error Application Application Error
App Hang 1002 Error Application Application Hang
BSOD 1001 Error System Microsoft-Windows-WER-
SystemErrorReporting
WER 1001 Informational Application Windows Error Reporting
EMET 1

2

Warning

Error

Application

Application

EMET

Hackers need access to your systems just like any other user, so it’s worth looking for suspicious login activity. Table 2 shows events that might show a problem. Pass-the-Hash (PtH) is a popular form of attack that allows a hacker to gain access to an account without needing to know the password. Look out for NTLM Logon Type 3 event IDs 4624 (failure) and 4625 (success).

Table 2 – Account Usage

ID Level Event Log Event Source
Account Lockouts 4740 Informational Security Microsoft-Windows-Security-
Auditing
User Added to Privileged Group 4728, 4732, 4756 Informational Security Microsoft-Windows-Security-
Auditing
Security-Enabled group Modification 4735 Informational Security Microsoft-Windows-Security-
Auditing
Successful User Account Login 4624 Informational Security Microsoft-Windows-Security-
Auditing
Failed User Account Login 4625 Informational Security Microsoft-Windows-Security-
Auditing
Account Login with Explicit Credentials 4648 Informational Security Microsoft-Windows-Security-
Auditing

High-value assets, like domain controllers, shouldn’t be managed using Remote Desktop. Logon Type 10 event IDs 4624 (Logon) and 4634 (Logoff) might point towards malicious RDP activity.

How PowerBroker for Windows Can Help

While Microsoft offers these capabilities, implementing privilege management throughout an enterprise can be challenging. PowerBroker for Windows can help. PowerBroker for Windows is a privilege management solution that gives you unmatched visibility and control over physical and virtual desktops and servers.

PowerBroker for Windows can help your organization monitor privileged activity by:

  • Monitor and manage Windows events: Monitor and centralize targeted Windows events for analysis and identify when further preventative action may be necessary
  • Tracking and preventing lateral movement: Utilize rules to track and prevent anomalous user activity based on user roles and targeted resources
  • Pinpointing suspicious activity: Monitor Windows Event Logs for anomalies and analyze through BeyondInsight behavioral analytics.
  • Maintaining awareness: Monitor UAC events, application rules, requested elevations, denied applications, and more.
  • Ensuring accountability: Add optional session monitoring for rules-based activity recording, including screenshots and searchable keystroke logs.
  • Understanding and communicating risk: Leverage an interactive, role-based reporting and analytics console, backed by a centralized data warehouse for ongoing audits of user privilege management software activities.

To learn more about how our solutions can help your organization monitor events and other privileged activity in your Windows environment, check out my on-demand webinar, “Windows Server Security: Which Events to Monitor & Why“.
Download now

Russell Smith, Security Expert, IT consultant

Windows & IT Security Expert
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to being a Contributing Editor at the Petri IT Knowledgebase and is an instructor at Pluralsight. Russell has more than 13 years of experience in IT, and has written a book on Windows security, co-authored one for Microsoft?s Official Academic Course (MOAC) series, and was a regular contributor at Windows IT Professional magazine.