New EventTracker 5.6 and Managing Change in Vista

Manage Change in Windows Vista

Microsoft has made some considerable changes in the Windows Vista Event Log. How do those changes affect system auditing and how will they change the way you monitor systems? This article is the first in a series that demystifies the Vista Event Log.

Managing change in any network is a daunting task. You have to know what is actually happening to understand how your network evolves with use. In Windows, the best way to find out what is going on is to audit all system and user activity. As you probably know, the only way to do this is to use a two-part approach. First, you must create an audit policy. Second, you have to indicate which objects and which users you want to audit.

Turning on the audit policy is done through either the Local Security Policy (LSP) or through Group Policy. You use the Local Security Policy if you want to audit a single computer or if it is part of a workgroup. In previous editions of Windows, you had to put every policy element into a single LSP, but Windows Vista now supports multiple local policies, which means that you can create different policies for different users.

The real power of policy though lies with Group Policy. That’s because it provides centralized policy deployment to multiple systems—create the policy once and deploy it to any number of systems. Of course, to use Group Policy, you must have an Active Directory and all of the systems you want to control must be members of that domain. This is true for all current versions of Windows, including Windows Vista. With Vista, Group Policy will now contain over 2,450 settings that can be centrally controlled.

Despite the fact that Vista now brings 800 new settings to Group Policy management, it has not changed in terms of Audit Policies. It still allows you to audit nine different types of events just as you could in Windows XP and Windows Server 2003 (see Figure 1). Whether you use Group Policy or the LSP, you will need to turn on each of the events you want to monitor. This is only the first part of the auditing process.

Figure 1. The Vista LSP and Audit Policy

The second step is to change the security descriptor of the items you want to audit. For example, if you want to audit file access on a given shared folder, you’ll need to open its Properties, then its Security settings and finally its Advanced Security settings, move to the Audit tab and select who you want to audit. Fortunately, you can use groups to monitor the activities of all the users in your organization, which makes the assignment simpler. You’ll have to repeat this activity on each server or workstation you want to monitor and for each object you need to watch.
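The two steps above, scripted rather than clicked through, as an added example that is not part of the original article: step 1 enables the Object Access audit category with auditpol.exe (shipped with Vista), step 2 adds an audit entry to a folder’s security descriptor, and the final call reads the entries back so you can confirm that the object is actually being watched. It assumes PowerShell is installed, an elevated prompt, and a placeholder folder path.

```powershell
# Added example, not from the article. Run from an elevated prompt:
# both auditpol.exe and writing an audit entry need administrative rights.
param(
    [string]$Folder = 'C:\Shares\Finance'   # assumed placeholder; use your own share
)

# --- Step 1: the audit policy -----------------------------------------
# "Object Access" is the category (one of Vista's nine) that governs file
# and folder auditing. Without it, audit entries on objects produce nothing.
auditpol.exe /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Show the policy now in effect for that category.
auditpol.exe /get /category:"Object Access"

# --- Step 2: the audit entry on the object -----------------------------
# -Audit is required to read the audit (SACL) part of the security descriptor.
$acl = Get-Acl -Path $Folder -Audit

# Audit Everyone (a group, so it covers all users) for writes and deletes,
# inherited by subfolders and files, for successful and failed attempts.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# --- Check: list the audit entries now present on the folder -----------
# Both explicit and inherited entries are shown, resolved to account names,
# so a missing entry (or one that only audits Success) stands out.
$check = Get-Acl -Path $Folder -Audit
$check.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Matching events then appear in the Security log of that machine only; collecting them from every system is the separate problem the next paragraphs describe.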

Audited events are recorded in the Security Event Log and can be seen through the Event Viewer. Since events are recorded locally on each system that is affected, you need to visit each and every system to obtain a global picture of events on your network. This is a bit tedious if you don’t have an event collection mechanism—or a system that automatically collects key events and forwards them to a central location.

If you’re using Vista, then you can actually get Vista itself to forward the events. That’s right; Vista’s Event Log can now automatically act on events and send them to a central location, which until the release of Windows Server Codenamed “Longhorn” sometime next year, will have to be another Vista system. In addition, if you’re using Vista, you’ll soon discover that it records a host of events that were unheard of in previous versions of Windows.

In these previous versions, Microsoft used a number of different mechanisms to record events. Many products and sub-features of Windows recorded information in their own logs as if they didn’t even know the Event Log existed. It’s no wonder that most administrators didn’t even bother to verify any logs unless an untoward event occurred and they were spurred on by others: security officers for example. It was just too much work. With Vista, most of these tools now record events properly and store them into the Event Log. This is bound to make your life easier, but of course, only when all your systems have been upgraded to Vista. Isn’t that always the case? You have to perform more work to reduce the amount of work you have to do.

In our next article, we’ll examine how Vista’s Event Viewer now categorizes events to make it easier to understand what changes have been performed on the system. We’ll also look at how Vista provides detailed information on events, demystifying those arcane numbers and messages you could never understand. Perhaps then, you’ll think it is reason enough to move forward with your migration.

About the Authors

Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.


Industry News

Security Flaws Haunt PDF, OpenOffice Users

Serious security vulnerabilities in two desktop applications could allow malicious hackers to plant malicious code on millions of computers. The more serious of the two is a cross-site scripting bug in Adobe’s ever-present Acrobat Plug-In, which fails to properly validate user-supplied data.

EventTracker Update

EventTracker 5.6 is now available

EventTracker 5.6 includes two major feature enhancements: Collection Point architectural enhancement and suspicious network activity monitoring.

The Collection Point feature is designed to enable multiple deployments of EventTracker to forward their respective log data to a central location from where reports can be generated.

The Suspicious Network Connection Monitoring feature has been added to the EventTracker Agent. The EventTracker Agent will now monitor all connections on the systems where it is installed and map them to known threats.

The Suspicious Traffic Analysis option in the EventTracker Console is a report that gives detailed information about the various suspicious connections in the enterprise.

Event Wiz

Event ID: 1018

Source: MSExchangeDSAccess

Description: “Database is damaged” error message. This means that an online backup cannot complete because the database is damaged.

Resolutions include: Usability Improvements – PATROL for Exchange Servers contain several usability improvements.

License Management – OneKey license management software controls BMC Software product licenses, thereby reducing the time and attention that you must devote to license and password administration.

Complete resolution information from EventTracker KB