Securing Windows 2000 using LANguard S.E.L.M.
by Dan DiNicolo
As a network administrator, I'm sure you understand the critical nature of security event ID 529. Well, possibly not. If you have Windows 2000 auditing enabled, you're probably very familiar with the incredible number of event types that you come across when viewing your Security logs. The problem with the information provided is that it's difficult to get a sense of which events are absolutely critical, and which simply represent a user forgetting their password. To get a perspective on how difficult security log management can be, multiply the events that you find on one system by the number of systems on your network. As you can see, the mountain of data quickly becomes unmanageable, and certainly makes responding to critical incidents difficult. This is a large part of the reason why some companies disable the auditing feature of Windows 2000 almost as quickly as they turn it on.
While Windows 2000 Security logs provide reams of valuable information, it's up to you as the administrator to collect, analyze and assess the information they provide. Not only is this next to impossible in a large environment, it could easily be a full-time job all by itself. Furthermore, manually parsing log files looking for events is not a timely or practical solution. When the security of your network is at risk, you require access to critical information immediately - not whenever you finally find the time to view your logs. That's where GFI Software's LANguard Security Event Log Monitor (S.E.L.M.) comes in.
LANguard S.E.L.M. provides the security monitoring functionality that should have been originally included with Windows 2000. As a trainer, my new students constantly ask how they can be alerted when a critical event occurs. My answer is always the same - without additional software, you can't. By examining and collecting security logs on network systems, LANguard S.E.L.M. is not only capable of alerting an administrator by e-mail, but also of classifying events into security categories ranging from low to critical. LANguard S.E.L.M. consolidates the log files from different systems into a single SQL or Access database, providing simplified event monitoring, log management, and reporting. It's not only limited to Windows 2000 either - LANguard S.E.L.M. also works with Windows NT to ensure that your system needs are covered.
Think of the tools that can be used to protect a network. For the most part, companies rely almost exclusively on a firewall solution. While a properly configured firewall can do a great job of keeping the bad guys out, it doesn't do anything to monitor possible internal security issues. Based on various studies, anywhere from 70-80% of all security incidents are related to internal staff. In many cases getting access to sensitive data is simple, due to misconfigured (or even worse, not configured) security permissions. Even in cases where NTFS permissions are set correctly, security is still an issue. Knowing who has attempted access (and when) is just as important as knowing who has actually accessed sensitive data. Remember that a good security strategy involves identifying threats before an actual breach occurs.
Installing LANguard S.E.L.M. is simple, but there are a few things that you'll need to prepare prior to getting started. First and foremost, you will need to enable auditing in your domain - recall that Windows 2000 audits nothing by default. For all intents and purposes, you'll want to be sure that you have at least major events (such as account logon and object access) included. Think of some of the risks inherent in any environment, and think about them closely. You shouldn't limit yourself to only worrying about users attempting to log on as administrator or those trying to access restricted files. Think about users with administrative privileges changing the membership of key groups (such as Payroll!), or deleting the security logs after doing something they shouldn't have. Certainly these actions aren't limited to internal users, but since they already have access, this does represent a possible threat. A careful analysis of security risks is critical to the success of any security initiative.
Along the same lines, you should also make a point of characterizing your network systems prior to the installation of LANguard S.E.L.M. Define systems as being high, medium, or low risk. While a firewall, VPN, or web server would probably be considered high risk, a normal user's workstation would probably be most correctly categorized as low risk. Be honest in your analysis - simply defining all systems as high risk will not make your network more secure, even if it makes you feel more comfortable.
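As an added example (not code from the article or from GFI's product), the triage logic below classifies a constructed sample of consolidated Windows 2000 Security log events by event ID into the low-to-critical categories described above, raises the severity of anything logged on a host you rated high risk, and picks out the events that warrant an immediate alert rather than a later log review. Only event ID 529 appears in the article; IDs 517, 528, 632 and 636, the host names and the risk tiers are assumptions added here.

```python
from collections import Counter

# Event IDs as logged by the Windows NT/2000 Security log (only 529 is
# named in the article; the others are assumptions added for this example).
EVENT_SEVERITY = {
    528: "low",       # successful logon
    529: "medium",    # logon failure: unknown user name or bad password
    632: "high",      # member added to a security-enabled global group
    636: "high",      # member added to a security-enabled local group
    517: "critical",  # the audit log was cleared
}
LEVELS = ["low", "medium", "high", "critical"]

# Host risk tiers from the administrator's own analysis (constructed sample).
HOST_RISK = {"FW01": "high", "DC01": "high", "WS-117": "low"}

# Constructed sample of consolidated events: (host, event_id, user).
SAMPLE_EVENTS = [
    ("WS-117", 529, "jsmith"), ("WS-117", 529, "jsmith"),
    ("WS-117", 529, "jsmith"), ("WS-117", 528, "jsmith"),
    ("DC01", 632, "bob"),            # bob added someone to a global group
    ("FW01", 529, "administrator"),  # bad password for admin on the firewall
    ("DC01", 517, "bob"),            # the security log was cleared on the DC
]

def classify(host, event_id):
    """Base severity from the event ID, raised one level on high-risk hosts.
    Unknown IDs default to low so nothing is silently dropped."""
    level = LEVELS.index(EVENT_SEVERITY.get(event_id, "low"))
    if HOST_RISK.get(host) == "high":
        level = min(level + 1, len(LEVELS) - 1)
    return LEVELS[level]

def triage(events, repeat_threshold=3):
    """Return (alerts, summary). Alerts are the critical events plus any
    user/host pair with repeated 529 failures; summary counts per severity."""
    alerts, summary = [], Counter()
    failures = Counter((h, u) for h, eid, u in events if eid == 529)
    for host, eid, user in events:
        sev = classify(host, eid)
        summary[sev] += 1
        if sev == "critical":
            alerts.append((host, eid, user, sev))
    for (host, user), n in failures.items():
        if n >= repeat_threshold:
            alerts.append((host, 529, user, "repeated failures x%d" % n))
    return alerts, summary
```

A single forgotten password stays at medium, while the same failure repeated, a group membership change on a domain controller, or a cleared log on any host is what you would want e-mailed to you immediately.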
Recall that auditing is configured in Windows 2000 via Group Policy. Be sure to configure auditing on the Default Domain Policy, using the No Override option. The screenshot below outlines the auditing section of Group Policy.