Tips & Tricks - MonitorMagic
3. Internal Security Reports
Security is an ever-increasing concern among
network administrators worldwide. This comes as no
surprise. New viruses and worms are spawning every
day. New networking technologies are abundant and
many companies are eager to take advantage of them;
so are hackers, because new technology leads to new holes.
New holes lead to tightened security, which leads
to new security strategy, which leads to more man-hours.
It's a vicious cycle that requires lots of
focus and attention.
What about remaining secure from your own users? Network administrators can
become so absorbed in high-level security that low-level security
doesn't get the attention it warrants. Such items can be as simple
as ensuring users don't have access to confidential data, or privileges
they don't need.
Every user in your environment already has one up on every Internet hacker
out there. They can walk into the building any day and try to log on as an administrator.
Internet hackers must first compromise your network before they can even begin
to tackle Windows NT security. MonitorMagic can help with both; it can
provide you with reports showing who is trying to gain access to your network
but is being denied.
To set up MonitorMagic to generate security reports, use the following procedure:
MonitorMagic generates security reports based on what it finds in the
event logs of all domain controllers in the domain. This means, for accurate
reporting, a MonitorMagic server license is needed for each domain controller.
1.) If it hasn't been done already, security auditing needs to be turned on
individually for each domain controller. To do so, go to each domain
controller and choose Start/Programs/Administrative Tools/Domain Controller Security
Policy. The following dialog appears:

2.) Expand the Local Policies item and choose "Audit Policy." In
the right-hand pane, double-click the "Audit account logon events" item,
select the "Failure" checkbox and choose "OK." Now double-click
the "Audit logon events" item, select the "Failure" checkbox
and choose "OK." Once this has been done on all domain controllers,
auditing has been set up successfully.
3.) Let's begin to configure MonitorMagic. This procedure assumes the MonitorMagic
service and client have already been installed. Before reports can be generated,
MonitorMagic needs a database to store the event log entries it collects. If
your MonitorMagic service is already using a database you can skip this step;
if not, continue on.
Open the MonitorMagic client and in the "Network view" navigate
to a machine that is running the MonitorMagic service where you want to create
and manage the database. Right-click the machine and choose Configure service.../Advanced/Configure
database.../Manage database. Click "Create" and follow the wizard
to create an ACCESS or SQL database.
4.) MonitorMagic now needs to be configured to collect event log information
from all domain controllers. From the main menu choose Report/Configure report
data collection.... The following dialog appears:

A report profile is a collection of what logs are to be collected, where they
are to be collected from, and when they should be collected.
5.) Let's create a new profile specifically for domain controller security
logs. Click "Add," give the profile the name "DC Security" and click "OK." The
following dialog now appears:
Choose the "Specific logs" radio button, click "Add," choose
the "Security" entry and click "OK." By default, logs are
collected daily at 22:45; this may be changed by using the "Edit" button.
Choose any other options you wish and click "OK."
6.) We are taken back to the Report profiles dialog but it now appears as
follows:

MonitorMagic needs to be told which machines to collect the security
log from. Select the DC Security entry and choose the "Computers" button.
The following dialog appears:

Enter each domain controller in the bottom field and click "Add" after
entering each one. Once all your domain controllers are in the list click "OK".
The Report profiles dialog will now appear similar to the following:

7.) Remember, by default MonitorMagic will collect security log information
at 22:45. To generate a security report as soon as possible you can force MonitorMagic
to begin log collection immediately. To do so, double-click the "DC Security" profile,
select the "Get report log information now" checkbox in the dialog that opens
and click "OK." Once MonitorMagic has completed security event log
collection from every domain controller, an accurate security report can be
generated. To check the collection status of any domain controller, choose Report/Overview
report data collection from the main menu. The overview window is split horizontally.
The top pane shows each domain controller; selecting a domain controller
shows the collection status for that domain controller in the lower pane.
8.) Once security log information has been collected for each domain controller,
the report may be generated. To generate the report, choose the "Reports" tab
in the bottom left-hand corner of the MonitorMagic client. Expand the Security
section, then expand the "Monthly reports" or "Weekly reports" section.
Right-click one of the reports and choose "Generate." MonitorMagic
prompts you to choose a service; choose the machine managing the database created
in step 3. Report generation may take some time, especially if the MonitorMagic
database is large. Once the report appears, it may be printed or saved as an
HTML file.
Only events that MonitorMagic is searching for will appear in the report.
MonitorMagic searches for the following events in the following categories:
Disabled accounts: 531
Expired accounts: 532
Locked accounts: 539, 644
Failed logon: 529
Expired password: 535
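The categorization above can be reproduced outside the product when checking exported security-log data. The following is an added example, not MonitorMagic code: it groups records by the event IDs listed on this page and shows why every domain controller must be collected. The CSV layout, column names and sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Event ID -> report category, exactly as listed on this page.
CATEGORIES = {
    531: "Disabled accounts", 532: "Expired accounts",
    539: "Locked accounts", 644: "Locked accounts",
    529: "Failed logon", 535: "Expired password",
}

# Constructed sample export (hypothetical columns, not a MonitorMagic format).
SAMPLE_CSV = """time,computer,event_id,account
2004-03-01 08:01:12,DC1,529,jsmith
2004-03-01 08:01:20,DC1,529,jsmith
2004-03-01 08:01:31,DC2,529,JSmith
2004-03-01 08:01:40,DC2,539,jsmith
2004-03-01 09:15:02,DC1,531,temp01
2004-03-01 09:30:45,DC2,535,mjones
2004-03-01 10:00:00,DC1,528,mjones
2004-03-01 10:05:00,DC2,644,jsmith
"""

def summarize(csv_text):
    """Count reported events per category, per account, and note the source DCs."""
    per_category = Counter()
    per_account = defaultdict(Counter)
    computers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        category = CATEGORIES.get(int(row["event_id"]))
        if category is None:
            continue  # event ID is not in the page's list, so it is not reported
        account = row["account"].lower()  # Windows account names are case-insensitive
        per_category[category] += 1
        per_account[account][category] += 1
        computers[account].add(row["computer"])
    return per_category, per_account, computers

def multi_dc_accounts(computers):
    """Accounts whose failures were logged on more than one domain controller."""
    return sorted(a for a, dcs in computers.items() if len(dcs) > 1)

if __name__ == "__main__":
    cats, accounts, dcs = summarize(SAMPLE_CSV)
    for name, count in cats.most_common():
        print(f"{name}: {count}")
    print("Failures spread over several DCs:", multi_dc_accounts(dcs))
```

In the sample, one account's failed logons are split across two domain controllers, so a report built from only one controller's log would undercount them.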
Please contact support@tools4ever.com with
questions.