Net Report Microsoft WMI Dashboard Summary Third Quarter 2006
Agenda
• 1. WMI Dashboard Concept
• 2. WMI Dashboard Structure & Navigation
• 3. Glossary & Lexicon
• 4. Section 1: General WMI Log Activity Statistics
• 5. Section 2: Security Log Event Statistics
• 6. Section 3: System Log Activity
• 7. Section 4: File/Directory Access Statistics
WMI and Net Report
Windows Management Instrumentation (WMI): “.. an API in the Windows OS enabling devices and systems in a network, (i.e. enterprise networks) to be managed and controlled, setting information on workstations, applications and networks…”
Net Report WMI Dashboards:
• Analyze and Report on Microsoft (Windows 2000, NT, 2003, XP) Event Viewer Logs 24/7:
• Application Logs.
• Security Logs.
• System Logs.
• Increase Visibility on your Enterprise’s Applications, Security & Systems in real-time.
Net Report Event Viewer Log Analysis
• Focus on Potential Security Threats:
• Your Enterprise’s Application, Security & System risks in real-time.
• Check Security Policies are Respected & Appropriate:
• Track User Trends 24/7, follow suspicious out-of-hours activity.
• Ensure Data Confidentiality, Integrity & Availability:
• Benefit from Net Report auto-audit options.
• Economize your Enterprise Management Costs & TCO:
• Benefit from our Centralized Business Intelligence Solution.
• Benefit from Versatile Drill-down Features:
• Use the Net Report Filter to drill down to the exact data you need: instead of wading through reams of log data, you see the important information highlighted.
Net Report Dashboard Concept
Consolidated Dashboards
• Net Report interprets and presents your Event log data Statistics in easy-to-read, categorized, graphical Dashboards.
Customized Dashboards
• Dashboards generated with the Parameters you entered in the Net Report Web Portal.
• Add your company logos.
Chronologically Interlinked Dashboards
• Dynamic Previous and Next arrows enable you to navigate between reports from different days, months and years.
Versatile Drill-down
• Intuitive drill-down to the information you need.
Net Report WMI Dashboard Example
• General WMI Statistics for all three Logs: Application, Security and System Logs.
• Graphs of Events by Hour of the Day.
• Top n Log Activity per User.
• Number of Security Events by Category.
• Top Failed Logons.
• Detailed Tracking: Most Active File/Directory user, most accessed File/Directory.
Four Major Sections (Net Report WMI Dashboards)
• 1. General WMI Three-Log Activity Statistics
• What is the number of specific event types logged (in the Application, Security and System Logs) by hour for my organization?
• Who is clearing their Security Audit Log?
• What Log Activity Events are logged by my Enterprise?
• 2. Security Log Event Statistics
• What are the Successful/Failure Logon/Logoff Event Figures for my enterprise? Is there any Suspicious Out-of-hours Activity?
• Is my Enterprise a victim of Privilege Escalation? Is the Security Privilege Use Policy appropriate?
• Who is changing Security Policy within my Enterprise?
• Who is making Account changes – do they have Admin rights?
• 3. System Log Statistics
• What events are being logged by Windows system components?
• 4. File/Directory Access Statistics
• Who accesses Files/Directories the most often?
• What Files/Directories do they access the most?
• Is my Corporate Data Security Policy Effective?
Get the Info you Need: Bookmarks
1. General WMI Three-Log Activity Statistics
2. Security Log Event Statistics
3. System Log Statistics
4. File/Directory Access Statistics
Front Page Hyperlinks (screenshot callouts; each front-page panel links to one of these sections)
1. General Three-Log Activity Statistics
2. Security Log Event Statistics
3. System Log Statistics
4. File/Directory Access Statistics
Front Cover – Interactive Features
Callouts on the slide: Dashboard Home Link via the WMI Icon; Bookmarks; Previous and Next Arrows; Date and Time Dashboard was Generated & for the Computer Names or IP Addresses; Net Report Web Site and Page Numbers.
Key Points:
• Hyperlinks: Each Table, Graph, Diagram and label has buttons or text in blue which are hyperlinked to the relevant point in the Dashboard Report (“Dashboard”). Simply click the hyperlink or button you are interested in to go to the detailed breakdown in the Dashboard.
• Dashboard Home Link via the WMI Icon: click the WMI icon in the top right corner on any page to return to the Dashboard home page.
• Previous and Next Arrows: Easily navigate between Dashboards from month-to-month or day-to-day (i.e. with Daily or Monthly Dashboards).
• Date and Time Dashboard was Generated: You can also add additional Parameters via the Net Report Web Portal. When the Parameter is IGNORE this means that no information has been submitted or that no information is available.
• Computer Name or IP Address: the computer names or IP Addresses which you selected.
• Bookmarks: Easily view the Table of Contents for the Dashboard, and navigate through the Dashboard at any time via the Bookmarks tree structure in the left pane of the Dashboard.
Front Cover – Bookmarks
• Bookmarks: Your Table of Contents
• Importance: View the Bookmarks tab in the left pane of your *.pdf Dashboard to use the Table of Contents.
• Tree Structure: Click the plus sign adjacent to the Report title you are interested in to expand the branches and access the Report.
• Easy Navigation: Click the Report title you want, to go directly to the sub-report in the Dashboard.
• Customized Parameters: You specify the Parameters you want in the Net Report Web Portal. For example, for the Top n … you select whether you want the top 5, 10, 60, 100 and so on.
• Note: This Presentation follows the tree structure in the Bookmarks tab to your left.
Glossary (1) Log Definitions
• Log Types
• Application Log: Contains events logged by applications or programs.
• Security Log: Records events such as valid and invalid logon attempts, as well as events related to resources, such as creating, opening or deleting files or other objects. An administrator can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.
• System Log: Contains events logged by Windows System components.
Glossary (2) Event Definitions
Event Types
• The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event. The event logs record five types of events:
• Error Event: A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error will be logged.
• Warning Event: An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event will be logged.
• Information Event: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.
• Success Audit: An audited security access attempt that succeeds. For example, a user’s successful attempt to log on to the system will be logged as a Success Audit event.
• Failure Audit: An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.
Dashboard Icons
Icon legend: Successful User; Successful log on; Failed log on; Services; Other Event Log Activity; File Directory Access; WMI Events; User Event Log Activity.
• Go to Data: goes to the detailed data feeding the graph you are viewing.
• Go to Graph: goes to the graph fed by the detailed data you are viewing.
• Home: goes to the first page of the Net Report WMI Dashboard.
Glossary (3) Event ID Definitions
• Universal Group: A security or distribution group that can contain users, groups, and computers from any domain in its enterprise as members. Universal security groups can be granted rights and permissions on resources in any domain in its enterprise.
• Security Descriptor: A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who can access it and in what way, and what types of access are audited. Note: every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise and schema administrators) and applies a fixed security descriptor on them. This event is logged.
• SECURITY_DISABLED, in the formal name, means that this group cannot be used to grant permissions in access checks.
Lexicon: Event ID Examples
• 624: A User Account was created.
• 625: A User Account Type Change.
• 626: User Account enabled.
• 627: A User Password was changed.
• 628: A User Password was set.
• 629: User Account disabled.
• 630: A User Account was deleted.
• 631: Security Enabled Global Group created.
• 632: A Member was added to a global group.
• 633: A Member was removed from a local group.
• 634: A Global Group was deleted.
• 635: Security Disabled Local Group created.
• 636: A Member was added to a local group.
• 637: A Member was removed from a local group.
• 638: A Local Group was deleted.
• 639: A Local Group account was changed.
• 640: General Account Database change.
• 641: A Global Group Account was changed.
• 642: A User Account was changed.
• 644: A User Account was auto-locked.
• 645: A Computer Account was created.
• 646: A Computer Account was changed.
• 647: A Computer Account was deleted.
• 648: A Local Security Group with Security Disabled was created.
• 649: A Local Security Group with Security Disabled was changed.
• 650: A Member was added to a Security-Disabled Local Security Group.
• 651: A Member was removed from a Security-disabled Local Security Group.
• 652: A Security-disabled Local Group was deleted.
• 653: A Security-disabled Global Group was created.
• 654: A Security-disabled Global Group was changed.
• 655: A Member was added to a Security-disabled Global Group.
• 656: A Member was removed from a Security-disabled Global Group.
• 657: A Security-Disabled Global Group was deleted.
• 658: A Security-Enabled Universal Group was created.
• 659: A Security-Enabled Universal Group was changed.
• 660: A Member was added to a Security-Enabled Universal Group.
• 661: A Member was removed from a Security-enabled Universal Group.
• 662: A Security-enabled Universal Group was deleted.
• 663: A Security-disabled Universal Group was created.
• 664: A Security-disabled Universal Group was changed.
• 665: A Member was added to a Security-Disabled Universal Group.
• 666: A Member was removed from a Security-disabled Universal Group.
• 667: A Security-disabled Universal Group was deleted.
• 668: A Group was changed.
• 684: Set the Security Descriptor.
• 685: Name of an Account was changed.
Three-Log Statistics: Front Page (1)
Hourly Log Activity
• Log(s) Used: Application, Security & System.
• Importance: Note potential security threats through analysis of event types 24/7. e.g. note out-of-hours activity, Warning/Error peaks to mitigate Security threats.
• Hyperlinks: Click the blue text to go directly to the details!
Log Activity for the Most Active Users Sorted by the Number of Events
• Log(s) Used: Application, Security & System.
• Importance: focus on the most active users, with real-time at-a-glance information on potential problems, significant errors and audited failure and success events.
• Hyperlinks: click the blue text to go directly to the details!
Three-Log Statistics: Front Page (2)
Event Types of the Day
• Log(s) Used: Application, Security & System.
• Importance: Note the overall trend in the Daily Event Types to help you follow general Computer and Network Usage. e.g. Elevated Failure Audit Event types indicating a potential Security Threat.
• Hyperlinks: click the button to go directly to the details!
Security Log Clearing
• Log(s) Used: Security Log.
• Importance: Security Log Clearing may indicate potentially dangerous activity, clearing any trace of “illegal” user activity along with the date and time. E.g. Privilege use failure audits, repetitive logon failures, policy changes etc…
• Hyperlinks: click to go directly to the details!
General Log Activity Statistics
Log Activity by Hour
• Log(s) Used: Application, Security & System.
• Importance: Note potential security threats via analysis of event types on an hourly basis. e.g. note out-of-hours activity, Failure Audits, Warning/Error peaks…
• Hyperlinks: Click the Go to Graph button to go directly to the graph!
Security Log Cleared
• Log(s) Used: Security Log.
• Importance: Security Log Clearing may indicate potentially dangerous activity, clearing any trace of “illegal” user activity along with the date and time e.g. privilege use failure audits, repetitive logon failures, policy changes etc…
• Hyperlinks: source link on Page 1.
Log Activity for the Top n Active Users Sorted by the Number of Events
• Log(s) Used: Application, Security & System.
• Importance: focus on the most active users, with real-time at-a-glance information on potential problems, significant errors, Warnings and audited failure and success events.
• Hyperlinks: source link on Page 1.
Security Log Event Statistics: Front Page
Number of Security Events by Category and Security File Activity
• Log(s) Used: Security Log.
• Importance: Note the categories treated:
• System Events: note general System Event trends.
• Logon/Logoff events: note suspicious errors.
• Object Access: note illegal object access.
• Privilege Use: note privilege escalation.
• Detailed Tracking: note file/directory access.
• Policy Change: note irregular Policy Change.
• Account Management: note erroneous acts.
• Account Logon: note inappropriate activity.
• Security Log File Activities: note general trends.
• Hyperlinks: click and go to the details!
Top Failed/Successful Logons/Logoffs by User
• Log(s) Used: Security Log.
• Importance: Failed Logon statistics on Inconsistent Passwords can help detect potential Intrusions, refine Internal Password Policy, reduce an over-profusion of multiple company Passwords...
• Hyperlinks: click and go to the details!
Logon/Logoff Activity by Event, User
Top n Successful Logons and Logoffs sorted by the number of Events
• Importance: Follow employee logon/logoff activity (with Event ID and Date and Time), note suspicious out-of-hours activity, verify that User Memberships are appropriate, verify that there is not an over-profusion of multiple corporate Passwords.
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
Top n Failed Logons by User sorted by the number of Events
• Importance: Failed Logon statistics on Inconsistent Passwords can help detect potential Intrusions, refine Internal Password Policy, reduce an over-profusion of multiple company Passwords...
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
Security Log Activity by Hour/Active User
Security Log Activity by Hour of the Day
• Importance: 24/7 surveillance of Success/Failure Audit Event Types by Hour. Note escalation of Failure Audits representing potential threats, along with suspicious out-of-hours Failure Audits.
• Hyperlinks: source link is on Page 1.
• Log Used: Security Log.
Security Log Activity for the Top n Active Users
• Importance: monitor the Success/Failure Audit Event Type Statistics by the most Active Users. Note Users logging the most Failure Audit Events representing potential inside threats.
• Hyperlinks: source link is on Page 1.
• Log Used: Security Log.
Security System Events by Hour/Active User
Security Log System Event Activity by Hour of the Day
• Importance: 24/7 surveillance of your Enterprise Systems’ Health. Monitor Success/Failure Audit Event Types by Hour. Note suspicious out-of-hours System Event category Failure Audits, along with peak trends by hour.
• Hyperlinks: source link is on Page 1.
• Log Used: Security Log.
Security Log System Event Activity for the Top n Active Users
• Importance: At-a-glance System Health Check. Note the most Active Users logging the most Failure Audit Event Types.
• Hyperlinks: source link is on Page 1.
• Log Used: Security Log.
Privilege Use by Hour/Active User
Security Log Privilege Use Activity by Hour of the Day
• Importance: Round-the-clock monitoring of the Privilege Use Category Event types. Monitor Privilege Escalation and inappropriate Group Memberships. Ensures enterprise account security and reduces the risk of identity theft 24/7.
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
Security Privilege Use Activity for the Top n Active Users
• Importance: Privilege Use Category Failure and Success Audit event types sorted by the most active users. Monitoring of Privilege Escalation and Inappropriate Group Memberships. Ensures enterprise account security and reduces the risk of identity theft 24/7.
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
Security Policy Change by Hour/User
Security Log Policy Change Activity by Hour of the Day
• Importance: Keep tabs on the Policy Change Category Success/Failure Audit Event Types by hour of the day. Note suspicious out-of-hours Policy Change. Note Failure Audit Events by hour and trends. Adapt your Enterprise’s Security Policy accordingly.
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
Security Log Policy Change Activity for the Top n Active Users
• Importance: Check that Policy Change Category events are logged by those with Administrator rights only. Note any suspicious Policy Change performed “illegally” (without Administrator rights), monitor the most active Policy Change users. Keep tabs on the number of Error and Failure Audit Events indicating potential Security threats.
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
Account Changes/Logon Activity by Hour
List of All Account Changes by Date and Time
• Importance: Check that Account Changes are performed “legally”, monitor the Event ID and Action Details 24/7. Note any suspicious out-of-hours Account Change Activity.
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
Security Account Logon Activity by Hour of the Day / for the Top n Active Users
• Importance: Check that Account Logons are appropriate 24/7. Note any suspicious out-of-hours Account Logon Activity.
• Hyperlinks: source link on Page 1.
• Log Used: Security Log.
System Log Activity by Hour/Active User
System Log Activity by Hour of the Day
• Importance: 24/7 surveillance of Success/Failure Audit Event Types by Hour. Note escalation of Failure Audits representing potential threats, along with suspicious out-of-hours Failure Audits.
• Hyperlinks: source link is the table below.
• Log Used: System Log.
System Log Activity for the Top n Active Users
• Importance: monitor the Success/Failure Audit Event Type Statistics by the most Active Users. Note Users logging the most Failure Audit Events representing potential inside threats.
• Hyperlinks: source link is the graph above.
• Log Used: System Log.
File Directory Access Statistics
Top n Users with their Top n Accessed Files or Directories
• Importance: 24/7 surveillance of the most Active Users and their most accessed Files/Directories. Enables you to monitor sensitive files and directories. Refine the restriction policy on sensitive Files and Directories to ensure Data protection. Analyze File/Directory usage, ensure that vital Files are accessed regularly. The Enterprise Administrator must configure which Files and Directories must be tracked.
• Hyperlinks: source link on Page 1.
• Log Used: Object Access category in the Security Log.
Top n Accessed Files or Directories with their Top n Users
• Importance: monitor the most accessed Files/Directories with their most Active Users. Enables you to monitor sensitive files and directories. Refine the restriction policy on sensitive Files and Directories to ensure Data protection. Analyze File/Directory usage, ensure that vital Files are accessed regularly. The Enterprise Administrator must configure which Files and Directories should be tracked.
• Hyperlinks: source link on Page 1.
• Log Used: Object Access category in the Security Log.
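As an added example (not Net Report's own code), the Python below computes a few of the statistics the four sections describe from Win32_NTLogEvent-style records: activity by hour split by event type, out-of-hours Failure Audits, top n failed logons, who cleared the Security Log, and the account-change list decoded with the lexicon IDs. It assumes constructed sample records, an 08:00-18:59 business-hours window, and Event ID 517 for an audit-log clear on the Windows versions the deck covers, which the deck itself does not list.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Win32_NTLogEvent.EventType codes mapped to the five event types in the glossary.
EVENT_TYPES = {1: "Error", 2: "Warning", 3: "Information",
               4: "Success Audit", 5: "Failure Audit"}
# Account Management Event IDs and descriptions taken from the deck's lexicon (subset).
ACCOUNT_EVENTS = {624: "A User Account was created", 630: "A User Account was deleted",
                  632: "A Member was added to a global group",
                  684: "Set the Security Descriptor", 685: "Name of an Account was changed"}
AUDIT_LOG_CLEARED = 517        # "The audit log was cleared" on Windows 2000/XP/2003 (not in the deck)
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as in-hours

def parse_cim_datetime(value):
    """WMI returns CIM datetimes such as '20060915023012.000000+000'; keep the local part."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S")

def activity_by_hour(events, logfile=None):
    """Events per hour of day, split by event type (the 'Log Activity by Hour' graphs)."""
    table = defaultdict(Counter)
    for e in events:
        if logfile is None or e["Logfile"] == logfile:
            hour = parse_cim_datetime(e["TimeGenerated"]).hour
            table[hour][EVENT_TYPES[e["EventType"]]] += 1
    return table

def out_of_hours_failures(events):
    """Failure Audits outside business hours: the deck's 'suspicious out-of-hours activity'."""
    return [e for e in events if e["EventType"] == 5
            and parse_cim_datetime(e["TimeGenerated"]).hour not in BUSINESS_HOURS]

def top_failed_logons(events, n):
    """Top n users by failed logons: Failure Audits in the Logon/Logoff category."""
    counts = Counter(e["User"] for e in events
                     if e["EventType"] == 5 and e["CategoryString"] == "Logon/Logoff")
    return counts.most_common(n)

def security_log_cleared_by(events):
    """Who cleared the Security Log, and when (the 'Security Log Clearing' panel)."""
    return [(parse_cim_datetime(e["TimeGenerated"]), e["User"], e["ComputerName"])
            for e in events if e["Logfile"] == "Security" and e["EventCode"] == AUDIT_LOG_CLEARED]

def account_changes(events, admins):
    """Account changes by date/time with lexicon text; last field tells if the actor is an admin."""
    return sorted((parse_cim_datetime(e["TimeGenerated"]), e["User"], e["EventCode"],
                   ACCOUNT_EVENTS[e["EventCode"]], e["User"] in admins)
                  for e in events if e["EventCode"] in ACCOUNT_EVENTS)

def event(log, code, etype, cat, when, user, host="SRV01"):
    """Build a constructed Win32_NTLogEvent-style record (sample data, not a real log)."""
    return {"Logfile": log, "EventCode": code, "EventType": etype, "CategoryString": cat,
            "TimeGenerated": when, "User": user, "ComputerName": host}

SAMPLE_EVENTS = [  # constructed sample; 528/529 are the pre-Vista logon success/failure IDs
    event("Security", 528, 4, "Logon/Logoff", "20060915083012.000000+000", "CORP\\alice"),
    event("Security", 529, 5, "Logon/Logoff", "20060915091500.000000+000", "CORP\\bob"),
    event("Security", 529, 5, "Logon/Logoff", "20060915091630.000000+000", "CORP\\bob"),
    event("Security", 529, 5, "Logon/Logoff", "20060915231005.000000+000", "CORP\\bob"),
    event("Security", 529, 5, "Logon/Logoff", "20060915101200.000000+000", "CORP\\carol"),
    event("Security", 624, 4, "Account Management", "20060915224500.000000+000", "CORP\\carol"),
    event("Security", 517, 4, "System Event", "20060915230900.000000+000", "CORP\\bob"),
    event("System", 7023, 1, "None", "20060915030000.000000+000", "NT AUTHORITY\\SYSTEM"),
]
if __name__ == "__main__":
    print(top_failed_logons(SAMPLE_EVENTS, 5), security_log_cleared_by(SAMPLE_EVENTS))
```

On a live host the same functions can be fed by querying Win32_NTLogEvent through WMI, since the record keys used here are that class's property names.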
Web site: http://www.net-report.net Stay in control with Net Report!