I'm responsible for security at my company, but I rely on local administrators to regularly check their Security logs for failed logon attempts and other suspicious events. How can I determine whether the local administrators are conscientiously checking their logs?
To detect when someone views or dumps the Security log, enable the Audit privilege use policy on each server. To enable this policy on all computers in your domain, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the root of the domain, select Properties, click the Group Policy tab, then edit Default Domain Policy. Maneuver to \computer configuration\windows settings\security settings\local policies\audit policy. Double-click Audit privilege use, and enable auditing for both success and failure, as Figure 2 shows.
Then, you need to do occasional spot checks of the Security log and look for occurrences of event ID 578 in which the description lists the object server as EventLog and the privileges as SeSecurityPrivilege, as Figure 3 shows. Windows 2000 logs the EventLog event and the SeSecurityPrivilege description whenever someone uses Event Viewer to access the Security log or uses a program such as Dumpel from the Microsoft Windows 2000 Resource Kit to dump the log. Viewing or dumping a log requires a special right, Manage auditing and security log—the short name of which is SeSecurityPrivilege. This right lets you change the audit settings on files and other objects and access the Security log. When a user invokes the right to access the Security log, Win2K lists the object server as the EventLog.
Of course, the presence of event ID 578 doesn't mean that your administrators are fastidiously checking the log. Perhaps they merely opened Event Viewer, looked at the first page of events, then closed Event Viewer. The complete absence of the event for a long time, however, does indicate that no one is checking the log.
Manually checking the Security log is time-consuming and, because of the huge quantity and cryptic nature of the data in the log, inefficient and error prone. I recommend that you automate some portion of monitoring Security logs. You can buy a sophisticated event-log monitoring and reporting tool, such as Symantec's Intruder Alert, or you can develop your own solution. Some administrators schedule a script to run regularly and dump the Security log of each important computer to text files. Then, the script merges the text files into a Microsoft SQL Server database and runs a query that collects all the suspicious events into a report, which the script emails to the administrator. The administrator can then view reports that show only the activity he or she needs to know about.
