Quick Net Report Compliance Presentation

Net Report Microsoft WMI Dashboard Summary
Third Quarter 2006
Agenda
1. WMI Dashboard Concept
2. WMI Dashboard Structure & Navigation
3. Glossary & Lexicon
4. Section 1: General WMI Log Activity Statistics
5. Section 2: Security Log Event Statistics
6. Section 3: System Log Activity
7. Section 4: File/Directory Access Statistics
July 17, 2015
2
1. WMI Dashboard Concept
WMI and Net Report
Windows Management Instrumentation (WMI):
“…an API in the Windows OS enabling devices and systems in a network (i.e. enterprise networks) to be managed and controlled, setting information on workstations, applications and networks…”
Net Report WMI Dashboards:
• Analyze and Report on Microsoft (Windows 2000, NT, 2003, XP) Event Viewer Logs 24/7:
  • Application Logs.
  • Security Logs.
  • System Logs.
• Increase Visibility on your Enterprise’s Applications, Security & Systems in real-time.
Net Report Event Viewer Log Analysis
Focus on Potential Security Threats:
• Your Enterprise’s Application, Security & System risks in real-time.
Check Security Policies are Respected & Appropriate:
• Track User Trends 24/7, follow suspicious out-of-hours activity.
Ensure Data Confidentiality, Integrity & Availability:
• Benefit from Net Report auto-audit options.
Economize your Enterprise Management Costs & TCO:
• Benefit from our Centralized Business Intelligence Solution.
Benefit from Versatile Drill-down Features:
• Use the Net Report Filter to drill down to the exact data you need; instead of wading through reams of log data, we highlight the important information!
Net Report Dashboard Concept
Consolidated Dashboards
• Net Report interprets and presents your Event log data Statistics in easy-to-read, categorized, graphical Dashboards.
Customized Dashboards
• Dashboards generated with the Parameters you entered in the Net Report Web Portal.
• Add your company logos.
Chronologically Interlinked Dashboards
• Dynamic Previous and Next arrows enable you to navigate between reports from different days, months and years.
Versatile Drill-down
• Intuitive drill-down to the information you need.
Net Report WMI Dashboard Example
• General WMI Statistics for all three Logs: Application, Security and System Logs.
• Graphs of Events by Hour of the Day.
• Top n Log Activity per User.
• Number of Security Events by Category.
• Top Failed Logons.
• Detailed Tracking: Most Active File/Directory user, most accessed File/Directory.
2. WMI Dashboard Structure & Navigation
Four Major Sections
1. General WMI Three-Log Activity Statistics
• What is the number of specific event types logged (in the Application, Security and System Logs) by hour for my organization?
• Who is clearing their Security Audit Log?
• What Log Activity Events are logged by my Enterprise?
2. Security Log Event Statistics
• What are the Successful/Failure Logon/Logoff Event Figures for my enterprise? Is there any Suspicious Out-of-hours Activity?
• Is my Enterprise a victim of Privilege Escalation? Is the Security Privilege Use Policy appropriate?
• Who is changing Security Policy within my Enterprise?
• Who is making Account changes – do they have Admin rights?
3. System Log Statistics
• What events are being logged by Windows system components?
4. File/Directory Access Statistics
• Who accesses Files/Directories the most often?
• What Files/Directories do they access the most?
• Is my Corporate Data Security Policy Effective?
Get the Info you Need: Bookmarks
1. General WMI Three-Log Activity Statistics
2. Security Log Event Statistics
3. System Log Statistics
4. File/Directory Access Statistics
Front Page Hyperlinks
1. General Three-Log Activity Statistics
2. Security Log Event Statistics
3. System Log Statistics
4. File/Directory Access Statistics
Front Cover – Interactive Features
Callouts on the front cover: Bookmarks; Dashboard Home Link via the WMI Icon; Previous and Next Arrows; Date and Time Dashboard was Generated & for the Computer Names or IP Addresses; Net Report Web Site and Page Numbers.
Key Points:
Hyperlinks: Each Table, Graph, Diagram and label has buttons or text in blue which are hyperlinked to the relevant point in the Dashboard Report (“Dashboard”). Simply click the hyperlink or button you are interested in to go to the detailed breakdown in the Dashboard.
Dashboard Home Link via the WMI Icon: click the WMI icon in the top right corner on any page to return to the Dashboard home page.
Previous and Next Arrows: Easily navigate between Dashboards from month-to-month or day-to-day (i.e. with Daily or Monthly Dashboards).
Date and Time Dashboard was Generated: You can also add additional Parameters via the Net Report Web Portal. When the Parameter is IGNORE this means that no information has been submitted or that no information is available.
Computer Name or IP Address: the computer names or IP Addresses which you selected.
Bookmarks: Easily view the Table of Contents for the Dashboard, easily navigate through the Dashboard at any time via the Bookmarks tree structure in the left pane of the Dashboard.
Front Cover – Bookmarks
Bookmarks: Your Table of Contents
• Importance: View the Bookmarks tab in the left pane of your *.pdf Dashboard to use the Table of Contents.
• Tree Structure: Click the plus sign adjacent to the Report title you are interested in to expand the branches and access the Report.
• Easy Navigation: Click the Report title you want, to go directly to the sub-report in the Dashboard.
• Customized Parameters: You specify the Parameters you want in the Net Report Web Portal. For example, for the Top n … you select whether you want the top 5, 10, 60, 100 and so on.
• Note: This Presentation follows the tree structure in the Bookmarks tab to your left.
3. Glossary & Lexicon
Glossary (1) Log Definitions
Log Types
• Application Log: Contains events logged by applications or programs.
• Security Log: Records events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening or deleting files or other objects. An administrator can specify what events are recorded in the security log. For example, if you have enabled logon auditing, attempts to log on to the system are recorded in the security log.
• System Log: Contains events logged by Windows System components.
Glossary (2) Event Definitions
Event Types
The format and contents of the event description vary, depending on the event type. The description is often the most useful piece of information, indicating what happened or the significance of the event. The event logs record five types of events:
• Error Event: A significant problem, such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event will be logged.
• Warning Event: An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event will be logged.
• Information Event: An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, an Information event will be logged.
• Success Audit: An audited security access attempt that succeeds. For example, a user’s successful attempt to log on to the system will be logged as a Success Audit event.
• Failure Audit: An audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt will be logged as a Failure Audit event.
Dashboard Icons
• Successful User
• Successful log on
• Failed log on
• Services
• Other
• Event Log Activity
• File Directory Access
• WMI Events
• User Event Log Activity
• Go to Data: goes to the detailed data feeding the graph you are viewing.
• Go to Graph: goes to the graph fed by the detailed data you are viewing.
• Home: goes to the first page of the Net Report WMI Dashboard.
Glossary (3) Event ID Definitions
Event ID Definitions
• Universal Group: A security or distribution group that can contain users, groups, and computers from any domain in its enterprise as members. Universal security groups can be granted rights and permissions on resources in any domain in its enterprise.
• Security Descriptor: A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who can access it and in what way, and what types of access are audited. Note: every 60 minutes on a domain controller a background thread searches all members of administrative groups (such as domain, enterprise and schema administrators) and applies a fixed security descriptor on them. This event is logged.
• SECURITY_DISABLED: in the formal name, means that this group cannot be used to grant permissions in access checks.
Lexicon: Event ID Examples
• 624: A User Account was created.
• 625: A User Account Type Change.
• 626: User Account enabled.
• 627: A User Password was changed.
• 628: A User Password was set.
• 629: User Account disabled.
• 630: A User Account was deleted.
• 631: Security Enabled Global Group created.
• 632: A Member was added to a global group.
• 633: A Member was removed from a local group.
• 634: A Global Group was deleted.
• 635: Security Disabled Local Group created.
• 636: A Member was added to a local group.
• 637: A Member was removed from a local group.
• 638: A Local Group was deleted.
• 639: A Local Group account was changed.
• 640: General Account Database change.
• 641: A Global Group Account was changed.
• 642: A User Account was changed.
• 644: A User Account was auto-locked.
• 645: A Computer Account was created.
• 646: A Computer Account was changed.
• 647: A Computer Account was deleted.
• 648: A Local Security Group with Security Disabled was created.
• 649: A Local Security Group with Security Disabled was changed.
• 650: A Member was added to a Security-disabled Local Security Group.
• 651: A Member was removed from a Security-disabled Local Security Group.
• 652: A Security-disabled Local Group was deleted.
• 653: A Security-disabled Global Group was created.
• 654: A Security-disabled Global Group was changed.
• 655: A Member was added to a Security-disabled Global Group.
• 656: A Member was removed from a Security-disabled Global Group.
• 657: A Security-disabled Global Group was deleted.
• 658: A Security-enabled Universal Group was created.
• 659: A Security-enabled Universal Group was changed.
• 660: A Member was added to a Security-enabled Universal Group.
• 661: A Member was removed from a Security-enabled Universal Group.
• 662: A Security-enabled Universal Group was deleted.
• 663: A Security-disabled Universal Group was created.
• 664: A Security-disabled Universal Group was changed.
• 665: A Member was added to a Security-disabled Universal Group.
• 666: A Member was removed from a Security-disabled Universal Group.
• 667: A Security-disabled Universal Group was deleted.
• 668: A Group was changed.
• 684: Set the Security Descriptor.
• 685: Name of an Account was changed.
4. Section 1: General WMI Log Activity Statistics
Three-Log Statistics: Front Page (1)
Hourly Log Activity
Log(s) Used: Application, Security & System.
Hyperlink! Click for the Detail You Need!
Importance: Note potential security threats through analysis of event types 24/7, e.g. note out-of-hours activity and Warning/Error peaks to mitigate Security threats.
Hyperlinks: Click the blue text to go directly to the details!
Log Activity for the Most Active Users Sorted by the Number of Events
Log(s) Used: Application, Security & System.
Hyperlink! Click for the Detail You Need!
Importance: focus on the most active users, with real-time at-a-glance information on potential problems, significant errors and audited failure and success events.
Hyperlinks: click the blue text to go directly to the details!
Three-Log Statistics: Front Page (2)
Event Types of the Day
Hyperlink! Click for the Detail You Need!
Log(s) Used: Application, Security & System.
Importance: Note the overall trend in the Daily Event Types to help you follow general Computer and Network Usage, e.g. elevated Failure Audit Event types indicating a potential Security Threat.
Hyperlinks: click the button to go directly to the details!
Security Log Clearing
Hyperlink! Click for the Detail You Need!
Log(s) Used: Security Log.
Importance: Security Log Clearing may indicate potentially dangerous activity, clearing any trace of “illegal” user activity along with the date and time, e.g. Privilege use failure audits, repetitive logon failures, policy changes etc.
Hyperlinks: click to go directly to the details!
General Log Activity Statistics
Log Activity by Hour
Log(s) Used: Application, Security & System.
Importance: Note potential security threats via analysis
of event types on an hourly basis. e.g. note out-of-hours
activity, Failure Audits, Warning/Error peaks…
Hyperlinks: Click the Go to Graph button to go directly
to the graph!
Security Log Cleared
Log(s) Used: Security Log.
Importance: Security Log Clearing may indicate
potentially dangerous activity, clearing any trace of “illegal”
user activity along with the date and time e.g. privilege use
failure audits, repetitive logon failures, policy changes etc…
Hyperlinks: source link on Page 1.
Log Activity for the Top n Active
Users Sorted by the Number of Events
Log(s) Used: Application, Security & System.
Importance: focus on the most active users,
with real-time at-a-glance information on potential
problems, significant errors, Warnings and audited
failure and success events.
Hyperlinks: source link on Page 1.
5. Section 2: Security Log Event Statistics
Security Log Event Statistics: Front Page
Number of Security Events by Category and Security File Activity
Hyperlink! Click for the Detail!
Log(s) Used: Security Log.
Importance: Note the categories treated:
• System Events: note general System Event trends.
• Logon/Logoff events: note suspicious errors.
• Object Access: note illegal object access.
• Privilege Use: note privilege escalation.
• Detailed Tracking: note file/directory access.
• Policy Change: note irregular Policy Change.
• Account Management: note erroneous acts.
• Account Logon: note inappropriate activity.
• Security Log File Activities: note general trends.
Hyperlinks: click and go to the details!
Top Failed/Successful Logons/Logoffs by User
Hyperlink! Click for the Details!
Log(s) Used: Security Log.
Importance: Failed Logon statistics on Inconsistent Passwords can help detect potential Intrusions, refine Internal Password Policy, reduce an over-profusion of multiple company Passwords...
Hyperlinks: click and go to the details!
Logon/Logoff Activity by Event, User
Top n Successful Logons and Logoffs sorted by the number of Events
Importance: Follow employee logon/logoff activity (with Event ID and Date and Time), note suspicious out-of-hours activity, verify that User Memberships are appropriate, verify that there is not an over-profusion of multiple corporate Passwords.
Hyperlinks: source link on Page 1.
Log Used: Security Log.
Top n Failed Logons by User sorted by the number of Events
Importance: Failed Logon statistics on Inconsistent Passwords can help detect potential Intrusions, refine Internal Password Policy, reduce an over-profusion of multiple company Passwords...
Hyperlinks: source link on Page 1.
Log Used: Security Log.
Security Log Activity by Hour/Active User
Security Log Activity by Hour of the Day
Importance: 24/7 surveillance of Success/Failure Audit Event Types by Hour. Note escalation of Failure Audits representing potential threats, along with suspicious out-of-hours Failure Audits.
Hyperlinks: source link is on Page 1.
Log Used: Security Log.
Security Log Activity for the Top n Active Users
Importance: monitor the Success/Failure Audit Event Type Statistics by the most Active Users. Note Users logging the most Failure Audit Events representing potential inside threats.
Hyperlinks: source link is on Page 1.
Log Used: Security Log.
Security System Events by Hour/Active User
Security Log System Event Activity by Hour of the Day
Importance: 24/7 surveillance of your Enterprise Systems’ Health. Monitor Success/Failure Audit Event Types by Hour. Note suspicious out-of-hours System Event category Failure Audits, along with peak trends by hour.
Hyperlinks: source link is on Page 1.
Log Used: Security Log.
Security Log System Event Activity for the Top n Active Users
Importance: At-a-glance System Health Check. Note the most Active Users logging the most Failure Audit Event Types.
Hyperlinks: source link is on Page 1.
Log Used: Security Log.
Privilege Use by Hour/Active User
Security Log Privilege Use Activity by Hour of the Day
Importance: Round-the-clock monitoring of the Privilege Use Category Event types. Monitor Privilege Escalation and inappropriate Group Memberships. Ensures enterprise account security and reduces the risk of identity theft 24/7.
Hyperlinks: source link on Page 1.
Log Used: Security Log.
Security Privilege Use Activity for the Top n Active Users
Importance: Privilege Use Category Failure and Success Audit event types sorted by the most active users. Monitoring of Privilege Escalation and Inappropriate Group Memberships. Ensures enterprise account security and reduces the risk of identity theft 24/7.
Hyperlinks: source link on Page 1.
Log Used: Security Log.
Security Policy Change by Hour/User
Security Log Policy Change Activity by Hour of the Day
Importance: Keep tabs on the Policy Change Category Success/Failure Audit Event Types by hour of the day. Note suspicious out-of-hours Policy Change. Note Failure Audit Events by hour and trends. Adapt your Enterprise’s Security Policy accordingly.
Hyperlinks: source link on Page 1.
Log Used: Security Log.
Security Log Policy Change Activity for the Top n Active Users
Importance: Check that Policy Change Category events are logged by those with Administrator rights only. Note any suspicious Policy Change performed “illegally” (without Administrator rights), monitor the most active Policy Change users. Keep tabs on the number of Error and Failure Audit Events indicating potential Security threats.
Hyperlinks: source link on Page 1.
Log Used: Security Log.
Account Changes/Logon Activity by Hour
List of All Account Changes by Date and Time
Importance: Check that Account Changes are performed “legally”, monitor the Event ID and Action Details 24/7. Note any suspicious out-of-hours Account Change Activity.
Hyperlinks: source link on Page 1.
Log Used: Security Log.
Security Account Logon Activity by Hour of the Day/for the Top n Active Users
Importance: Check that Account Logons are appropriate 24/7. Note any suspicious out-of-hours Account Logon Activity.
Hyperlinks: source link on Page 1.
Log Used: Security Log.
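The Security Log checks the slides describe, as an added Python example that is not Net Report's code: Hourly Log Activity by Event Type, out-of-hours activity, Top n Failed Logons by User, and the Account Changes list decoded with the Event ID lexicon from the Glossary and checked against Admin rights. It runs over a constructed sample of Security Log records; the business-hours window and the admin account list are assumptions.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

# Subset of the slides' Event ID lexicon (Windows 2000/2003 Account Management events).
ACCOUNT_MGMT = {
    624: "A User Account was created",
    630: "A User Account was deleted",
    632: "A Member was added to a global group",
    642: "A User Account was changed",
    685: "Name of an Account was changed",
}

# Assumptions: business hours are 08:00-18:59, and these accounts hold Admin rights.
BUSINESS_HOURS = range(8, 19)
ADMINS = {"admin1"}

# Constructed sample of Security Log records: (time, Event Type, Category, user, Event ID).
# Only Account Management rows carry an Event ID that the lexicon decodes; others use None.
SAMPLE_EVENTS = [
    ("2006-09-12 08:15", "Success Audit", "Logon/Logoff", "alice", None),
    ("2006-09-12 08:17", "Failure Audit", "Logon/Logoff", "bob", None),
    ("2006-09-12 08:18", "Failure Audit", "Logon/Logoff", "bob", None),
    ("2006-09-12 09:02", "Success Audit", "Logon/Logoff", "bob", None),
    ("2006-09-12 10:40", "Success Audit", "Account Management", "admin1", 624),
    ("2006-09-12 14:05", "Failure Audit", "Logon/Logoff", "carol", None),
    ("2006-09-12 23:31", "Failure Audit", "Logon/Logoff", "bob", None),
    ("2006-09-12 23:33", "Failure Audit", "Logon/Logoff", "bob", None),
    ("2006-09-12 23:35", "Failure Audit", "Logon/Logoff", "bob", None),
    ("2006-09-13 02:10", "Success Audit", "Account Management", "bob", 632),
    ("2006-09-13 02:12", "Success Audit", "Account Management", "bob", 642),
]

Event = namedtuple("Event", "time type category user event_id")

def load(rows=SAMPLE_EVENTS):
    """Parse the raw rows into Event records with a real datetime."""
    return [Event(datetime.strptime(r[0], "%Y-%m-%d %H:%M"), *r[1:]) for r in rows]

def activity_by_hour(events):
    """Hourly Log Activity: count of each Event Type per hour of the day."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e.time.hour][e.type] += 1
    return dict(counts)

def out_of_hours(events, hours=BUSINESS_HOURS):
    """Events outside the business-hours window: the 'suspicious out-of-hours activity'."""
    return [e for e in events if e.time.hour not in hours]

def top_failed_logons(events, n=5):
    """Top n Failed Logons by User, sorted by the number of Failure Audit logon events."""
    failed = Counter(e.user for e in events
                     if e.category == "Logon/Logoff" and e.type == "Failure Audit")
    return failed.most_common(n)

def account_changes(events, admins=ADMINS):
    """Account Management events decoded via the lexicon; the last field is True when
    the performing user has Admin rights (the slides' 'performed legally' check)."""
    rows = []
    for e in events:
        if e.category == "Account Management":
            desc = ACCOUNT_MGMT.get(e.event_id, "Unlisted Event ID %s" % e.event_id)
            rows.append((e.time.strftime("%Y-%m-%d %H:%M"), e.user, desc, e.user in admins))
    return rows
```

In the sample, bob's five failed logons and his two out-of-hours group/account changes without Admin rights are the rows a reviewer would drill into first.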
6. Section 3: System Log Statistics
System Log Activity by Hour/Active User
System Log Activity by Hour of the Day
Importance: 24/7 surveillance of Success/Failure Audit Event Types by Hour. Note escalation of Failure Audits representing potential threats, along with suspicious out-of-hours Failure Audits.
Hyperlinks: source link is the table below.
Log Used: System Log.
System Log Activity for the Top n Active Users
Importance: monitor the Success/Failure Audit Event Type Statistics by the most Active Users. Note Users logging the most Failure Audit Events representing potential inside threats.
Hyperlinks: source link is the graph above.
Log Used: System Log.
7. Section 4: File/Directory Access Statistics
File Directory Access Statistics
Top n Users with their Top n Accessed Files or Directories
Importance: 24/7 surveillance of the most Active Users and their most accessed Files/Directories. Enables you to monitor sensitive files and directories. Refine the restriction policy on sensitive Files and Directories to ensure Data protection. Analyze File/Directory usage, ensure that vital Files are accessed regularly. The Enterprise Administrator must configure which Files and Directories must be tracked.
Hyperlinks: source link on Page 1.
Log Used: Object Access category in the Security Log.
Top n Accessed Files or Directories with their Top n Users
Importance: monitor the most accessed Files/Directories with their most Active Users. Enables you to monitor sensitive files and directories. Refine the restriction policy on sensitive Files and Directories to ensure Data protection. Analyze File/Directory usage, ensure that vital Files are accessed regularly. The Enterprise Administrator must configure which Files and Directories should be tracked.
Hyperlinks: source link on Page 1.
Log Used: Object Access category in the Security Log.
Contact us
Web site:
http://www.net-report.net
Stay in control with Net Report!