

Tips & Tricks - MonitorMagic



3. Internal Security Reports



Security is an ever-increasing concern amongst network administrators worldwide. This comes as no surprise. New viruses and worms are spawning every day. New networking technologies are abundant and many companies are eager to take advantage of them; so are hackers. New technology leads to new holes. New holes lead to tightened security, which leads to new security strategy, which leads to more man-hours. It's a vicious cycle that requires lots of focus and attention.

What about remaining secure from your own users? Network administrators can become so entrenched with security on a high level that low-level security doesn't get the attention it warrants. Such items can be as simple as ensuring users don't have access to confidential data, or privileges they don't need.

Every user in your environment already has one up on every Internet hacker out there. They can walk into the building any day and try to log on as an administrator. Internet hackers must first compromise your network before they can even begin to tackle Windows NT security. MonitorMagic can help with both; it can provide you with reports showing who is trying to gain access to your network but is being denied.

To set up MonitorMagic to generate security reports, use the following procedure:

MonitorMagic generates security reports based on what it finds in the event logs of all domain controllers in the domain. This means, for accurate reporting, a MonitorMagic server license is needed for each domain controller.

1.) If it hasn't been done already, security auditing needs to be turned on individually for each domain controller. To do so, go to each domain controller and choose Start/Program/Administrative Tool/Domain Controller Security Policy. The following dialog appears:

2.) Expand the Local Policies item and choose "Audit Policy." In the right-hand pane, double-click the "Audit account logon events" item, choose the "Failure" checkbox and choose "OK". Now double-click the "Audit logon events" item, choose the "Failure" checkbox and choose "OK." Once this has been done on all domain controllers, auditing has been set up successfully.

3.) Let's begin to configure MonitorMagic. This procedure assumes the MonitorMagic service and client have already been installed. Before reports can be generated, MonitorMagic needs a database to store the event log entries it collects. If your MonitorMagic service is already using a database you can skip this step; if not, continue on.

Open the MonitorMagic client and in the "Network view" navigate to a machine that is running the MonitorMagic service where you want to create and manage the database. Right-click the machine and choose Configure service.../Advanced/Configure database.../Manage database, click "Create" and follow the wizard to create an ACCESS or SQL database.

4.) MonitorMagic now needs to be configured to collect event log information from all domain controllers. From the main menu choose Report/Configure report data collection.... The following dialog appears:

A report profile is a collection of what logs are to be collected, where they are to be collected from, and when they should be collected.

5.) Let's create a new profile specifically for domain controller security logs. Click "Add," give the profile a name (call it "DC Security") and click "OK." The following dialog now appears:

Choose the "Specific logs" radio button, click "Add," choose the "Security" entry and click "OK". By default, logs are collected daily at 22:45; this may be changed by using the "Edit" button. Choose any other options you wish and click "OK."

6.) We are taken back to the Report profiles dialog but it now appears as follows:

MonitorMagic needs to be told which machines to collect the security log for. Select the DC Security entry and choose the "Computers" button. The following dialog appears:

Enter each domain controller in the bottom field and click "Add" after entering each one. Once all your domain controllers are in the list click "OK". The Report profiles dialog will now appear similar to the following:

7.) Remember, by default MonitorMagic will collect security log information at 22:45. To generate a security report as soon as possible you can force MonitorMagic to begin log collection immediately. To do so, double-click the "DC Security" profile, select the "Get report log information now" checkbox in the dialog that opens, and click "OK." Once MonitorMagic has completed security event log collection from every domain controller, an accurate security report can be generated. To check the collection status of any domain controller, choose Report/Overview report data collection from the main menu. The overview window is split horizontally. The top pane shows each domain controller; selecting a domain controller shows the collection status for that domain controller in the lower pane.

8.) Once security log information has been collected for each domain controller, the report may be generated. To generate the report, choose the "Reports" tab in the bottom left-hand corner of the MonitorMagic client. Expand the Security section, then expand the "Monthly reports" or "Weekly reports" section. Right-click one of the reports and choose "Generate." MonitorMagic prompts you to choose a service; choose the machine managing the database created in step 3. Report generation may take some time, especially if the MonitorMagic database is large. Once the report appears, it may be printed or saved as an HTML file.

Only events that MonitorMagic is searching for will appear in the report. MonitorMagic searches for the following events in the following categories:

Disabled accounts: 531

Expired accounts: 532

Locked accounts: 539, 644

Failed logon: 529

Expired password: 535
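As an added example (not part of MonitorMagic or of the original page), the following Python sketch applies the event ID categories listed above to a CSV export of security log entries and tallies them per user, ignoring every event ID that is not in the list. The CSV column layout, the host and user names, and the repeat threshold of 3 are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Event IDs and categories exactly as listed on this page.
CATEGORIES = {
    531: "Disabled accounts", 532: "Expired accounts",
    539: "Locked accounts", 644: "Locked accounts",
    529: "Failed logon", 535: "Expired password",
}

# Constructed sample export (hypothetical column layout, made-up hosts and users).
SAMPLE_CSV = """timestamp,computer,event_id,user
2004-03-01 08:01:12,DC01,529,jsmith
2004-03-01 08:01:20,DC01,529,JSmith
2004-03-01 08:01:31,DC02,529,jsmith
2004-03-01 08:01:40,DC02,539,jsmith
2004-03-01 08:01:41,DC02,644,jsmith
2004-03-01 09:15:00,DC01,531,oldtemp
2004-03-01 09:30:00,DC01,528,akhan
2004-03-01 10:02:00,DC02,535,akhan
2004-03-01 10:05:00,DC01,not-a-number,akhan
"""

def summarize(csv_text):
    """Return {category: Counter({user: count})} for the listed event IDs only."""
    report = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["event_id"])
        except (TypeError, ValueError):
            continue  # skip malformed rows instead of aborting the report
        category = CATEGORIES.get(event_id)
        if category is None:
            continue  # event ID not in the page's list: not reported
        # Account names are case-insensitive, so merge "JSmith" and "jsmith".
        report[category][row["user"].lower()] += 1
    return report

def repeat_offenders(report, category="Failed logon", threshold=3):
    """Users whose count in one category reaches the threshold (assumed value)."""
    return sorted(u for u, n in report.get(category, {}).items() if n >= threshold)

if __name__ == "__main__":
    rep = summarize(SAMPLE_CSV)
    for category, users in sorted(rep.items()):
        print(category, dict(users))
    print("Repeated failures:", repeat_offenders(rep))
```

Because entries are merged across domain controllers before counting, failures spread over several controllers still add up for the same account, which is why the procedure above collects the security log from every domain controller.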

Please contact support@tools4ever.com with questions.

 
