Monitoring Security Events
You can't keep an eye on your computer—let alone all the other computers on your network—all the time. Although you might have put in place all the proper safeguards to protect your data from unauthorized access (such as strong passwords, appropriate permissions, and a firewall), you can't be sure that those safeguards are always working properly. By taking advantage of improper settings inadvertently made by a user or simply by making a determined effort, an attacker might still gain access to resources that should be off limits.
Fortunately, Microsoft Windows XP Professional and Microsoft Windows 2000 let you audit your security setup by recording attempts to access objects on the system and by recording security-sensitive changes to the system's configuration. When properly configured, Windows monitors usage of a computer, allowing you to spot any unauthorized events or other security lapses. Using this information, you can plug any security holes to prevent a recurrence.
Windows records security events in the Security log, one of three logs that you can peruse in Event Viewer. (The others are the Application log and the System log. Computers running Microsoft Windows 2000 Server might have additional logs, including Directory Service, DNS Server, and File Replication Service.) In this chapter, we explain how to configure your system to audit security events, offer some suggestions on which events to audit, and show you how to work with the Security log in Event Viewer.