The Institute of Internal Auditors Detroit Chapter Presents




3 If You Have Questions
If you have questions during the webcast:
- If necessary, exit Full Screen View by pressing the Esc key
- Submit questions through the Ask a Question button
- Questions will be answered after the presentation portion is concluded

4 Earning CPE Credit
In order to receive CPE credit for this webcast, participants must:
- Attend the webcast on individual computers (one person per computer)
- Answer the polling questions asked throughout the webcast
- When answering a polling question, select your answer and then click the Vote button (next to the Ask a Question button) to submit and save your answer
CPE certificates will be sent to the e-mail address on your BrightTALK account within two weeks of this webinar.

5 Please tell us your member status
A) Member, Detroit Chapter
B) Member, Central Region District 2 (Fort Wayne, Toledo, Michiana, W. Mich., Lansing)
C) Member, Other District
D) Non-member

6 Windows Event Logs: A brief description
Event logs record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, Windows records the event in an event log that you can read using the Event Viewer application. Windows event logs have been around since Windows NT (1993). Since Windows Vista, the event logs have been updated and now conform to an XML schema. We will cover Windows 7, Windows Server 2008, Windows Server 2012 and Windows Vista.

7 TRUE/FALSE: By default, Windows event logs record all activity that occurs while the system is in operation.

8 Starting Event Viewer
Event Viewer can be started from the Windows interface or from the command line.
Windows interface: Click the Start button. Click Control Panel. Click System and Maintenance. Click Administrative Tools. Double-click Event Viewer.
Command line: Open a command prompt (click Start, click All Programs, click Accessories, and then click Command Prompt). Type eventvwr.


11 What information appears in event logs?
Application events - Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service.
Security-related events - These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful.
Setup events - Computers that are configured as domain controllers will have additional logs displayed here.
System events - System events are logged by Windows and Windows system services, and are classified as error, warning, or information.
Forwarded events - These events are forwarded to this log by other computers.
Note: Some servers may also have File Replication and DNS logs.

12 Polling Question: Windows Logs do not contain which of the following categories?
A. Application events
B. Security-related events
C. Internet events
D. Forwarded events

13 Event Properties: Common information in Windows events
Source - The software that logged the event, which can be either a program name or a component of the system or of a large program.
Event ID - A number identifying the particular event type. The first line of the description usually contains the name of the event type. For example, 6005 is the ID of the event that occurs when the Event Log service is started.
User - The name of the user on whose behalf the event occurred.
Operational Code - Contains a numeric value that identifies the activity or a point within an activity that the application was performing when it raised the event. For example, initialization or closing.
Log - The name of the log where the event was recorded.
Task Category - Used to represent a subcomponent or activity of the event publisher.
Keywords - A set of categories or tags that can be used to filter or search for events.

14 Event Properties (cont.): Common information in Windows events
Computer - The name of the computer on which the event occurred.
Date and Time - The date and time that the event was logged.
Level - A classification of the event severity. The classifications for the System and Application logs are Information, Warning, Error and Critical. The classifications for the Security log are Success Audit and Failure Audit.
Other properties - Process ID, Thread ID, Processor ID, Session ID, Kernel Time, User Time, Processor Time, Correlation Id, Relative Correlation Id.

15 Create an Audit Plan
- Decide what information is of value to your organization.
- Decide what type of information you want to gain by collecting audit events.
- Many events are not audited by default, so it is critical that you configure audit policies to fit your needs.
- Consider the amount of resources you have available for accumulating and reviewing an audit log. Audit events take up space on your systems, and there is little value in collecting huge amounts of audit data if there is no plan to use it.
- Consider collecting a combination of Success and Failure audits; both can contain valuable information.

16 TRUE/FALSE: Auditing should be turned on for all events.

17 Security Event Categories: What security categories can you audit?
Account logon events - Audit this to see each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account.
Account management - Audit this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.
Directory service access - Audit this to see when someone accesses an Active Directory directory service object that has its own system access control list (SACL).
Logon events - Audit this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).

18 Security Event Categories (cont.): What security categories can you audit?
Object access - Audit this to see when someone has used a file, folder, printer, or other object.
Policy change - Audit this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies.
Privilege use - Audit this to see when someone exercises a user right.
Process tracking - Audit this to see when events such as program activation or a process exiting occur.
System events - Audit this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it does not have permission to do.

19 Recommended Event Logs to be Monitored: What should I monitor?
Event ID - Event Type - Description
4608 to 4612, 4614 to 4616 - System Events - Identifies local system processes such as system startup and shutdown and changes to the system time
4612 - Audit Logs Cleared - Identifies all the audit log clearing events
4624 - Successful User Logons - Identifies all the user logon events
4625 - Logon Failures - Identifies all the failed user logon events
4634 - Successful User Logoffs - Identifies all the user logoff events

20 Recommended Event Logs to be Monitored (cont.): What should I monitor?
Event ID - Event Type - Description
4656, 4658 to 4664 - Object Access - Identifies when a given object (file, directory, etc.) is accessed, the type of access (e.g. read, write, delete), whether the access succeeded or failed, and who performed the action
4719 - Audit Policy Changes - Identifies all changes made to the audit policy
4720, 4722 to 4726, 4738, 4740 - User Account Changes - Identifies all changes made to a user account, such as account creation, deletion, password change, etc.
4727 to 4737, 4739 to 4762 - User Group Changes - Identifies all changes made to a user group, such as adding or removing a global or local group, adding or removing members from a global or local group, etc.
4768, 4776 - Successful User Account Validation - Identifies successful user account logon events, which are generated when a domain user account is authenticated on a domain controller
4771, 4777 - Failed User Account Validation - Identifies unsuccessful user account logon events, which are generated when a domain user account is authenticated on a domain controller
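The event properties on slides 13 and 14 and the monitored-ID tables on slides 19 and 20 are put to work in the added example below, which is not part of the deck. It parses records in the Vista-and-later event XML schema that slide 6 mentions, pulls out the listed properties (Source, Event ID, Log, Computer, Opcode, Task, Level, User), keeps only a subset of the recommended IDs, and flags accounts with repeated 4625 logon failures. The XML records are constructed for the example, and the Keywords bit values for Audit Success and Audit Failure are assumed from the Security-Auditing provider.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KW_FAILURE, KW_SUCCESS = 0x8010000000000000, 0x8020000000000000  # Audit Failure / Audit Success
LEVELS = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information"}
# Subset of the deck's "recommended event logs to be monitored" tables.
MONITORED = {4624: "Successful User Logon", 4625: "Logon Failure", 4634: "Successful User Logoff",
             4719: "Audit Policy Change", 4720: "User Account Created", 4740: "User Account Locked Out"}

def parse_event(xml_text):
    """Extract the properties the deck lists from one <Event> in the Vista+ XML schema."""
    root = ET.fromstring(xml_text)
    sysn = root.find("e:System", NS)
    keywords = int(sysn.findtext("e:Keywords", "0", NS), 16)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    sec = sysn.find("e:Security", NS)
    if (keywords & KW_FAILURE) == KW_FAILURE:     # Security log: success/failure lives in Keywords
        level = "Failure Audit"
    elif (keywords & KW_SUCCESS) == KW_SUCCESS:
        level = "Success Audit"
    else:                                         # System/Application logs: numeric Level
        level = LEVELS.get(int(sysn.findtext("e:Level", "4", NS)), "Information")
    return {"source": sysn.find("e:Provider", NS).get("Name"),
            "event_id": int(sysn.findtext("e:EventID", namespaces=NS)),
            "log": sysn.findtext("e:Channel", namespaces=NS),
            "computer": sysn.findtext("e:Computer", namespaces=NS),
            "time": sysn.find("e:TimeCreated", NS).get("SystemTime"),
            "opcode": int(sysn.findtext("e:Opcode", "0", NS)),
            "task": int(sysn.findtext("e:Task", "0", NS)),
            "level": level,
            # Security events carry the account in EventData rather than in <Security UserID=...>
            "user": (sec.get("UserID") if sec is not None else None) or data.get("TargetUserName")}

def triage(events, failure_threshold=3):
    """Keep only monitored IDs; flag accounts whose failed logons (4625) reach the threshold."""
    hits = [ev for ev in events if ev["event_id"] in MONITORED]
    failures = Counter(ev["user"] for ev in hits if ev["event_id"] == 4625)
    return hits, sorted(u for u, n in failures.items() if n >= failure_threshold)

def sample_event(event_id, user, keywords):
    """Constructed record in the Windows event XML schema (not a real capture)."""
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Level>0</Level><Task>12544</Task><Opcode>0</Opcode>'
            f'<Keywords>{keywords:#x}</Keywords><TimeCreated SystemTime="2024-03-01T08:00:00Z"/>'
            f'<Channel>Security</Channel><Computer>ws01.corp.example</Computer><Security/></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data></EventData></Event>')

SAMPLE = [sample_event(4625, "jdoe", KW_FAILURE)] * 3 + [sample_event(4624, "jdoe", KW_SUCCESS),
          sample_event(4719, "admin", KW_SUCCESS), sample_event(4688, "svc_backup", KW_SUCCESS)]

def run_sample():
    return triage([parse_event(x) for x in SAMPLE])   # 4688 is not in the monitored set

if __name__ == "__main__":
    hits, flagged = run_sample()
    for ev in hits:
        print(ev["time"], ev["event_id"], MONITORED[ev["event_id"]], ev["level"], ev["user"])
    print("accounts with repeated failed logons:", flagged)
```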

21 Security Information and Event Management (SIEM) Tools

22 TRUE/FALSE: Event logs should only be analyzed after a security incident.

23 Conclusions: The importance of auditing in Windows
- If audit settings are not properly configured, it may be impossible to determine what occurred during a security incident.
- Audit policy settings should support the organizational security policy and hold users accountable for their actions.
- Audit policies should be reviewed on a regular basis to ensure adequate security measures are in effect.
- Auditing is useless if the audit data is not analyzed.

24 Questions?

25 Links
View the system's audit policy - http://technet.microsoft.com/en-us/library/cc772576.aspx
Security Audit Events for Windows 7 and Windows Server 2008 - http://support.microsoft.com/default.aspx?scid=kb;en-us;947226

26 Please Take a Moment to Rate the Webinar
Click on Rate This. Rate this webinar with 1 to 5 stars. Provide any comments. Click Send Rating.
Visit www.iiadetroit.org for additional information and registration details.