Systems in a perimeter network need constant monitoring. It’s crucial to detect abnormal behavior promptly, since such behavior might indicate a break-in or maybe just an unintentional configuration change that weakens the security of the system. This chapter discusses how to implement a strong system monitoring solution on Windows. This includes configuring the standard Windows NT event logging and auditing systems; however, these built-in features do not satisfy the security needs of a perimeter network. Additional steps include:
Setting up remote logging to get all the log information collected at a dedicated and secure log server
Synchronizing the system clocks in the network to a trusted time source
Configuring integrity checking software to complement the NT auditing system
Remember that many of the settings discussed in this chapter can be configured using the Security Configuration Editor (SCE) described in Chapter 2.
The auditing system in Windows is very good. It’s possible to audit every type of object access in a granular way. An object in Windows NT is anything from a filesystem object (e.g., a file or directory) to a printer, registry key, or internal operating system data structure. For instance, it is possible to set up auditing for a single action (e.g., read or write) on a single file for a certain user. Each object carries a System Access Control List (SACL), which specifies which kinds of access, by which users or groups, and with which outcome (success, failure, or both) generate an audit record.
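As an added illustration (not from the book, which configures SACLs through the NT security property pages), this is how the single-file, single-user audit rule described above is expressed on a current Windows system with PowerShell. The file path and account name are placeholders, and the commands assume an elevated session, since writing a SACL requires the SeSecurityPrivilege.

```powershell
# Added example (not from the book): audit one user's read and write access to one file
# through the file's SACL. Assumes a modern Windows host with PowerShell, an elevated
# session (changing a SACL needs SeSecurityPrivilege), and placeholder values below.
$Path    = 'C:\Secure\payroll.xls'      # placeholder file
$Account = 'DOMAIN\alice'               # placeholder user or group

# SACL entries are only evaluated when object-access auditing is enabled in the audit
# policy. This turns on the File System subcategory for successful and failed attempts.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Build an audit rule: record an event whenever this identity reads or writes the
# file's data, whether the access succeeded or was denied.
$rights = [System.Security.AccessControl.FileSystemRights]::ReadData -bor `
          [System.Security.AccessControl.FileSystemRights]::WriteData
$flags  = [System.Security.AccessControl.AuditFlags]::Success -bor `
          [System.Security.AccessControl.AuditFlags]::Failure
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($Account, $rights, $flags)

# Read the current security descriptor including its SACL (-Audit is required;
# without it Get-Acl returns only the DACL), add the rule and write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Show the resulting SACL entries to confirm the rule took effect.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Once the rule is in place, each matching access by the named account produces an object-access event in the Security log (event ID 4663, "An attempt was made to access an object", on current Windows versions), which is what a remote log collector, as described later in this chapter, should be forwarding off the host.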
The Security ...