Which Windows Server Events Should You Monitor and Why?
April 9th, 2018
A recurring finding in breach reports is that most compromises go unnoticed for weeks, and that the evidence was in the victim's event logs the whole time. The Windows Server event logs contain a mass of useful information, but picking out the events that point to an operational issue or a security breach from all the noise isn't an easy task.
Third-party security information and event management (SIEM) products can centralize logs and provide intelligence to identify events that might be important. But in the absence of a SIEM product, built-in Windows Server features can help protect your systems.
Ready to learn more? Check out my on-demand webinar, “Windows Server Security: Which Events to Monitor & Why“.
Windows Audit Policy
Windows Server 2008 R2 and later expose Advanced Audit Policy Configuration in Group Policy, giving far more granular control (per subcategory) than the nine legacy audit categories of older versions of Windows Server; Windows Server 2008 has the same subcategories but manages them only through auditpol.exe. The legacy settings remain for backward compatibility, but the two shouldn't be mixed: once you use Advanced Audit Policy, also enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so that a legacy category setting applied later can't silently overwrite your subcategory configuration.
But what audit settings should you enable? Microsoft's recommended audit settings are in the baseline security templates for Windows Server. The Security Compliance Toolkit can be downloaded free from Microsoft's website and contains templates for different server roles, such as domain controller and member server. The templates can be imported as Group Policy Objects (GPOs) and applied to your systems, and each baseline ships with an Excel spreadsheet listing every setting it contains, which is useful for reviewing the audit subcategories before deployment.
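As an added example (not from the original post or the Security Compliance Toolkit), the following PowerShell checks the effective audit policy of a server against the subcategories that generate the events discussed later on this page, enables any that are off, and sets the registry value behind the "force subcategory settings" policy. The subcategory list is a starting point assumed here, not Microsoft's full baseline; run it in an elevated session on a reference machine before you build the GPO.

```powershell
# Subcategories (auditpol.exe English names) behind the event IDs on this page.
# This list is an assumption for the example; the SCT baseline enables more.
$required = @{
    'Logon'                     = 'Success and Failure'  # 4624, 4625, 4648
    'Logoff'                    = 'Success'              # 4634
    'Security Group Management' = 'Success and Failure'  # 4728, 4732, 4735, 4756
    'Audit Policy Change'       = 'Success and Failure'  # 4719
    'Other Logon/Logoff Events' = 'Success and Failure'  # RDP session connect/disconnect
}

# auditpol /r emits CSV with the header
#   Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
# Blank lines are dropped before parsing.
$effective = auditpol /get /category:* /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv

foreach ($name in $required.Keys) {
    $row = $effective | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) { Write-Warning "Subcategory '$name' not found"; continue }

    $want = $required[$name]
    if ($row.'Inclusion Setting' -ne $want) {
        Write-Host ("{0}: is '{1}', want '{2}'" -f $name, $row.'Inclusion Setting', $want)
        $success = if ($want -match 'Success') { 'enable' } else { 'disable' }
        $failure = if ($want -match 'Failure') { 'enable' } else { 'disable' }
        auditpol /set /subcategory:"$name" /success:$success /failure:$failure | Out-Null
    }
}

# Stop legacy category settings from overriding the subcategories. This DWORD is
# what the policy "Audit: Force audit policy subcategory settings (Windows Vista
# or later) to override audit policy category settings" toggles.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$current = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($current -ne 1) {
    Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
    Write-Host 'Enabled subcategory override (SCENoApplyLegacyAuditPolicy=1)'
}

# Re-read to confirm the change took effect.
auditpol /get /subcategory:"Logon"
```

The check reads the effective policy rather than the GPO, so it also catches the case where a locally applied legacy setting has clobbered the subcategory configuration pushed by Group Policy.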
Windows Event Forwarding
Centralizing event logs has a couple of benefits. First, you don't need to log in to each server individually to view its logs, and events can be processed more efficiently in one place. Second, if an attacker clears a server's event logs, the forwarded copy on the collector survives and can be examined immediately, without restoring from backup.
Windows Event Forwarding runs over WS-Management (the protocol behind WinRM), an industry-standard protocol, so you can send logs to another Windows host or to a SIEM product. A collector is configured with subscriptions that pull event logs from the servers you want to monitor (the alternative, source-initiated subscriptions, has the sources push events to a collector named in Group Policy). Source computers need no special configuration beyond having Windows Remote Management (WinRM) enabled and granting the collector's account read access to the logs, usually by membership of the local Event Log Readers group. If you want to collect the Security log from a domain controller (DC), you will additionally need to give the DC's Network Service account read channel access permission on the Security log.
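The collector-initiated setup described above, as an added example that is not part of the original post: a subscription that pulls only the event IDs discussed on this page from two assumed source servers (app01 and dc01), plus the Security log permission fix for the DC. Host names, the subscription name and the collector account name are assumptions; replace them with your own.

```powershell
# Run on the collector in an elevated session unless a comment says otherwise.

# 1. On each SOURCE server (once), enable WinRM and its firewall rule, and let the
#    collector's computer account read the logs (name assumed):
#      winrm quickconfig -q
#      net localgroup "Event Log Readers" "CORP\COLLECTOR01$" /add

# 2. On the collector: configure and start the Windows Event Collector service.
wecutil qc /q

# 3. Subscription definition. The XPath filters keep the collector from being
#    flooded with every Security event; add IDs as your monitoring grows.
$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ServerSecurityBaseline</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Log clearing, audit policy changes, group changes, logons</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=1102 or EventID=4719 or EventID=4624 or EventID=4625 or EventID=4634 or EventID=4648 or EventID=4728 or EventID=4732 or EventID=4735 or EventID=4756)]]</Select>
      </Query>
      <Query Id="1" Path="System">
        <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and EventID=104]]</Select>
      </Query>
      <Query Id="2" Path="Application">
        <Select Path="Application">*[System[(EventID=1000 or EventID=1001 or EventID=1002)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true"><Address>app01.corp.example</Address></EventSource>
    <EventSource Enabled="true"><Address>dc01.corp.example</Address></EventSource>
  </EventSources>
</Subscription>
'@

$path = Join-Path $env:TEMP 'ServerSecurityBaseline.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path
wecutil gr ServerSecurityBaseline   # per-source runtime status; each should become Active

# 4. On the DOMAIN CONTROLLER only: give NETWORK SERVICE (NS) read (0x1) access to
#    the Security channel by adding an ACE to its SDDL. The regex inserts the ACE
#    at the end of the DACL so an existing S: (SACL) section, if any, is untouched.
$line = wevtutil gl Security | Where-Object { $_ -like 'channelAccess:*' }
$sddl = $line -replace '^channelAccess:\s*', ''
if ($sddl -notmatch '\(A;;0x1;;;NS\)') {
    $new = $sddl -replace '(D:[A-Z]*(?:\([^)]*\))*)', '$1(A;;0x1;;;NS)'
    $arg = "/ca:$new"
    wevtutil sl Security $arg
    wevtutil gl Security | Where-Object { $_ -like 'channelAccess:*' }   # confirm
}
```

HTTP transport here is WinRM over port 5985 with Kerberos authentication and message-level encryption between domain members; switch to HTTPS (port 5986, a certificate on each source) only if you need non-domain sources or policy requires transport-level TLS.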
Monitoring Important Windows Events
Collect events that indicate a configuration change, failure, or problem. For example, you might collect Windows Firewall events from the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall log, such as Firewall Rule Add (2004), Firewall Rule Change (2005), Firewall Rule Deleted (2006) and Firewall failed to load Group Policy (2009). A firewall change that doesn't correspond to a deployment or change ticket might indicate malicious activity. Another example is Windows Defender, which is included out-of-the-box in Windows Server 2016 and logs to Microsoft-Windows-Windows Defender/Operational. Look for events like Scan failed (1005), Malware detected (1116), and Failed to update signatures (2001).
Hackers try to hide their presence for as long as possible. Event ID 104 (Event Log was Cleared, in the System log) and event ID 1102 (Audit Log was Cleared, in the Security log) are rarely legitimate outside a planned maintenance window. Event ID 4719 (System audit policy was changed) could also show malicious activity, such as an attacker turning off the auditing that would record what they do next. Application crashes can indicate the presence of a hacker too, because a failed exploit frequently crashes the targeted process; Table 1 lists the events to watch.
Table 1 – Application Crashes

| Event | ID | Level | Event Log | Event Source |
|---|---|---|---|---|
| App Error | 1000 | Error | Application | Application Error |
| App Hang | 1002 | Error | Application | Application Hang |
| WER | 1001 | Informational | Application | Windows Error Reporting |
Hackers need to log on to your systems just like any other user, so it's worth looking for suspicious logon activity. Table 2 shows events that might show a problem. Pass-the-Hash (PtH) is a popular attack in which the hacker authenticates as an account using its NTLM password hash, without ever knowing the password. The resulting logons show up as NTLM network logons: Logon Type 3 in event IDs 4624 (success) and 4625 (failure), with NTLM as the authentication package. NTLM network logons also occur legitimately (for example, when a share is accessed by IP address), so baseline the normal volume per account and source before treating a single event as an indicator.
Table 2 – Account Usage

| Event | ID | Level | Event Log | Event Source |
|---|---|---|---|---|
| User Added to Privileged Group | 4728, 4732, 4756 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Security-Enabled Group Modification | 4735 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Successful User Account Login | 4624 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Failed User Account Login | 4625 | Informational | Security | Microsoft-Windows-Security-Auditing |
| Account Login with Explicit Credentials | 4648 | Informational | Security | Microsoft-Windows-Security-Auditing |
High-value assets, like domain controllers, shouldn't be managed using Remote Desktop. Logon Type 10 (RemoteInteractive) in event IDs 4624 (logon) and 4634 (logoff) on a DC might therefore point towards malicious RDP activity.
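The three hunts above (log clearing and audit policy changes, NTLM network logons as Pass-the-Hash candidates, and RDP logons to domain controllers) as one added PowerShell example that is not part of the original post. It reads the ForwardedEvents log on a collector; change the log name to Security to run it locally on a single server. The 24-hour window, the domain controller names and the reporting thresholds are assumptions.

```powershell
$logName = 'ForwardedEvents'            # use 'Security' on a single server
$since   = (Get-Date).AddHours(-24)     # assumed window
$domainControllers = @('DC01', 'DC02')  # assumed; or (Get-ADDomainController -Filter *).Name

# Return the named EventData fields of a Security event as a hashtable so the
# filters below key on LogonType etc. rather than on localized message text.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 1. Anti-forensics: 1102 (Security log cleared), 104 (another log cleared,
#    forwarded from the System log) and 4719 (audit policy changed).
$tamper = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1102, 104, 4719; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in $tamper) {
    '{0} {1} {2}: {3}' -f $e.TimeCreated, $e.MachineName, $e.Id, ($e.Message -split "`n")[0]
}

# 2. Pass-the-Hash candidates: network logons (type 3) authenticated with NTLM.
#    Legitimate traffic looks like this too, so report counts per account and
#    source and compare them with your baseline instead of alerting per event.
$ntlm = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                Result  = if ($_.Id -eq 4624) { 'success' } else { 'failure' }
                Target  = $_.MachineName
                Account = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                Source  = $d.IpAddress
            }
        }
    }
$ntlm | Group-Object Result, Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

# 3. RDP to a domain controller: 4624/4634 with logon type 10 where the
#    recording machine is a DC. Any hit here is worth a conversation.
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 4624, 4634; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.MachineName.Split('.')[0] -in $domainControllers } |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.LogonType -eq '10') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $_.MachineName
                Id      = $_.Id
                Account = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                Source  = $d.IpAddress   # empty on 4634, which carries no address
            }
        }
    } | Format-Table -AutoSize
```

Filtering on the XML EventData rather than on Message keeps the script working when events were forwarded in Events format (no rendered text) or from servers with a different display language.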
How PowerBroker for Windows Can Help
While Microsoft offers these capabilities, implementing privilege management throughout an enterprise can be challenging. PowerBroker for Windows can help. PowerBroker for Windows is a privilege management solution that gives you unmatched visibility and control over physical and virtual desktops and servers.
PowerBroker for Windows can help your organization monitor privileged activity by:
- Monitoring and managing Windows events: Monitor and centralize targeted Windows events for analysis and identify when further preventative action may be necessary
- Tracking and preventing lateral movement: Utilize rules to track and prevent anomalous user activity based on user roles and targeted resources
- Pinpointing suspicious activity: Monitor Windows Event Logs for anomalies and analyze through BeyondInsight behavioral analytics.
- Maintaining awareness: Monitor UAC events, application rules, requested elevations, denied applications, and more.
- Ensuring accountability: Add optional session monitoring for rules-based activity recording, including screenshots and searchable keystroke logs.
- Understanding and communicating risk: Leverage an interactive, role-based reporting and analytics console, backed by a centralized data warehouse for ongoing audits of user privilege management software activities.
To learn more about how our solutions can help your organization monitor events and other privileged activity in your Windows environment, check out my on-demand webinar, “Windows Server Security: Which Events to Monitor & Why“.