Auditing

You’ve configured your environment to meet the documented security requirements by following the security procedures and plans. These plans were created by technology-specific experts with a thorough review by security administrators and upper management. This should ensure that the initial configuration is secure.

However, you must keep continually vigilant against attacks. The plans you followed almost certainly call for ongoing monitoring of the components that you’ve installed and configured. This monitoring can be done in a variety of ways. Some applications create log files on the local hard disk. Others send SNMP messages on the network. Many of the newer applications and services, including those included with Windows Server 2003, create entries in the Event Log that can be viewed with Event Viewer.

This centralized location for storing and reviewing audit events provides a great benefit to the security administrator. Event Viewer is a simple tool that can be used to examine these audit events, as well as other system messages, in a single interface. Because other programs know about the Event Log database, these messages can be gathered from disparate systems and combined into one large log file. This log file can then be parsed, either by a security administrator or an automated program, such as Microsoft Operations Manager or Sunbelt Software’s Event Archiver Enterprise, to identify security-related events and analyze these events to determine if any unauthorized ...

Get Securing Windows Server 2003 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.