The New Face of Security Attacks: The Danger Within!

May EventSource Newsletter
By Danielle Ruest and Nelson Ruest

Automate Vista Events

Microsoft has made some considerable changes to event management in Windows Vista. One major change is the way you can link events to automated tasks. This article is the fourth in a series that demystifies the Vista Event Log.  

When you manage events, you often wish you could generate automatic actions when specific events occur. For example, it would be nice if you could automatically delete temporary files and send a notification to desktop technicians when PC disk drives get too full. In another scenario, it would be nice if you could receive automatic notification when unauthorized users try to log on to workstations that hold access to highly sensitive or confidential information. Or, even better, display a message telling users they are trying to access unauthorized systems and then send an email to the appropriate authorities.

All of these things are now possible in Windows Vista. This is because Microsoft has revamped both the Event Log and the Task Scheduler and linked both together. Vista’s Task Scheduler is a much more powerful engine for task management and automation. And, when it is linked to the Event Log, the Task Scheduler becomes a strong engine for proactive systems management.
Linking events to automated tasks is a very straightforward process. It can be done in one of three ways:

  • Through the Task Scheduler
  • Through the Event Viewer
  • Through the command line

When creating either a basic or an advanced task in the Task Scheduler, you can select an event as the trigger for the task. Use the following procedure:

  • Create a new task (either basic or advanced).
  • Name the task and assign its credentials.
  • Select On an event as the task trigger.
  • Choose either Basic or Custom as the event setting.
    • Basic settings let you select which event log will be the source of the event, then which event source and finally, which event ID to look for (see Figure 1).
    • Custom settings let you create an Event Filter, letting you determine exactly how the task should be launched based on a series of filtered conditions.
  • Then continue adding the task properties such as conditions, actions and settings.

That’s it; simple, isn’t it? It gets even better when you generate the task from the Event Viewer. Here you repeat much the same process, except that the task is generated from the event itself instead of the other way around.

Figure 1. Using the Basic Setting to Attach a Task to an Event

When you create an automated task from the Event Viewer, use the following procedure:

  1. First locate the event you want to attach the task to. You can either drill down to the event or create a filter to locate the event.
  2. Next, either right-click on the event to select Attach Task To This Event or use the action pane to click on the same command.
  3. This automatically launches the Basic Task wizard.
  4. Run through the wizard’s panes to generate the task.

The advantage of using this method to create the task is that it automatically fills in all of the information required to generate the trigger from the event. The disadvantage is that you can only create a basic task using this method. Of course, once the task is created, you can go to the Task Scheduler to add features and properties to the task, but this requires more steps to do so.

Figure 2. Generate a Task from an Event

The last method is to use the command line to link a task to an event. To do so, you will need several values:

  • The Event Log from which the event is generated
  • The source of the event
  • The event ID

These values can be obtained either through the Event Viewer or through the wevtutil.exe command using the proper switches. For example, you might use:

wevtutil qe Security /c:n /rd:true /f:text

which would query the Security Event Log to obtain the latest events by reversing the list of events (/rd:true) and displaying them in text format (/f:text) as opposed to the default XML format. In this command line, the value for n should be a number indicating how many events you want returned by the command.

Then, once you have the values you need, you can use the Task Scheduler command to generate the task. For example, you might use:

schtasks /create /TN taskname /TR action /SC ONEVENT /EC System /MO *[System/EventID=IDnumber]

where taskname is the name you want to assign to the task, action is the action to perform, and IDnumber is the ID number of the event that will act as the trigger for the task. In this example, the source Event Log is the System log (/EC System). The schedule type is the occurrence of an event (/SC ONEVENT), and the modifier (/MO) carries the query that identifies the event ID.
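The following script is an added example, not code from the article or from Microsoft, that carries the command-line procedure above from start to finish for the article’s “disk drive too full” scenario. It is meant to be run from an elevated PowerShell prompt on Vista or later. The log, source and event ID it uses (System log, source srv, Event ID 2013, which the Server service raises when a disk is at or near capacity), the task name and the cleanup script path C:\Scripts\Cleanup-Temp.ps1 are assumptions made for the example; the first step exists so that you confirm them against your own machine before creating the task. The XPath expression it builds is the same syntax the Custom event filter of the Task Scheduler wizard stores in its Select element, so the filter can be reused there as well.

```powershell
# Added example (not the article's or Microsoft's code): command-line version of
# "link an event to a task", run from an elevated PowerShell prompt on Vista+.
# Assumed values (verify them with step 1 before relying on them):
#   System log, event source "srv", Event ID 2013 (disk at or near capacity),
#   and a cleanup script you write yourself at C:\Scripts\Cleanup-Temp.ps1.

$LogName  = 'System'
$Provider = 'srv'
$EventId  = 2013
$TaskName = 'DiskNearCapacity-Cleanup'
$Action   = 'powershell.exe -NoProfile -File C:\Scripts\Cleanup-Temp.ps1'

# Same XPath syntax as the <Select> element of a Custom event filter in the GUI.
# Qualifying by provider name keeps the task from firing on a different source
# that happens to reuse the same numeric ID in the same log.
$XPath = "*[System[Provider[@Name='$Provider'] and EventID=$EventId]]"

# 1. Confirm the log, source and ID by listing the newest matching events:
#    /rd:true = newest first, /c:5 = at most five, /f:text = readable output.
wevtutil qe $LogName "/q:$XPath" /c:5 /rd:true /f:text

# 2. Create the event-triggered task. /EC names the event channel (log),
#    /MO carries the XPath filter, /RU SYSTEM runs it without a stored password,
#    and /F overwrites an existing task of the same name.
schtasks /create /TN $TaskName /TR $Action /SC ONEVENT /EC $LogName /MO $XPath /RU SYSTEM /F

# 3. Show the trigger and action the scheduler actually stored.
schtasks /query /TN $TaskName /V /FO LIST

# 4. Export the definition as XML so it can be imported elsewhere with
#    "schtasks /create /TN <name> /XML <file>", as the article describes.
schtasks /query /TN $TaskName /XML > "$env:TEMP\$TaskName.xml"
```

Because the task runs as SYSTEM every time the event fires, whoever can modify Cleanup-Temp.ps1 controls what runs at that privilege; keep the script in a directory that only administrators can write to, and review step 3 after import on another machine to confirm the trigger still names the log and source you intended.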

As you can see, the combination of the Event Log with the Task Scheduler opens the door for several system management activities. And, since Vista offers a much more detailed and rich event management structure, the possibilities are endless. Tasks can be generated on one machine and exported in XML format to be imported to any other system.

In addition, tasks can run either locally or remotely. This is because Vista includes an updated implementation of Microsoft’s remote management infrastructure: Windows Remote Management (WinRM). In the next article, we will examine the remoting capabilities of the Vista Event Log as we take an in-depth look at WinRM and its use as the engine for collecting events from remote machines and sending them to a central event collector system.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.


Hot Topics

The Top 5 Internal Security Threats

For years, the specter of viruses, trojans and worms caused many a chief security officer to lose sleep. But it’s the enemy within that is now prompting IT staffers to ramp up security efforts. According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent.

Cool Tools and Tips

How to Audit Server Room Security

The server room is a service provider. Anything that disrupts — or has the potential to disrupt — the services fulfilled by the server room is a vulnerability that must be addressed promptly. It is critical to periodically conduct an audit to identify risks that affect the physical security, practices and continuity of the server room.

Fifty Critical Alerts for Windows Servers

Identify the most important events generated by your Windows servers for quick and efficient resolution. The strategic benefit of monitoring these critical events, combined with a robust resolution strategy, is significant for the reduction of IT costs while ensuring increased service availability and enhanced security for your enterprise.

Industry News

USDA Admits to Massive Data Breach

USDA officials said the agency became aware of the potential exposure of Social Security numbers on April 13, when a funding recipient notified the agency that she was able to ascertain identifying information on the government web site.

Lawmakers Decry Continued Vulnerability of Federal Computers

Recent hacks into government networks that maintain sensitive information have generated a growing recognition that current federal mandates are inadequate to prompt improved security.