Continuously monitoring and auditing of your network is an essential part of protecting against malicious or unusual activity.  With the average cost of a security breach to a company being between £600k – £1.15m; it is imperative that organisation engage in proactive monitoring and auditing to ensure action is taken at the earliest stages to minimise damage, loss and maintain Cyber-health and wellbeing of the network.

The three most common ways to audit Windows Server 2016 are:

  •         Event Logs
  •         Auditing
  •         Audit Collection Services

Event Logs

Event logs record the activity on a computer or network. When time is taken to understand and configure your auditing correctly, the majority of logged events that have some security significance. Event logs are the first thing to look at during any IT security investigations.

Archive your event logs; if you do detect an attack, you will have the ability to look at previous event logs and assess how and when the network was compromised.

Regular back-ups of the event logs should be made and stored in a separate location from the network.  Attackers will often attempt to scrub event logs to prevent identification.

Auditing

Auditing policies enable you to record a monitor of activities found on the Windows security log. A thorough examination of these auditing logs will identify issues that need further investigation. Auditing successful activities allow the auditor to understand regular daily activities and provides documentation of changes; this will improve identifying the action or change that led to a failure or a breach. Logging failed attempts can highlight potential malicious hackers or unauthorised users.

Your auditing policy specifies the categories of security-related events that you want to audit. Here are the basic policy settings you can configure:

  •         Audit account logon events
  •         Audit account management
  •         Audit directory service access
  •         Audit logon events
  •         Audit object access
  •         Audit policy change
  •         Audit privilege use
  •         Audit process tracking
  •         Audit system events

Audit Collection Services

Windows Server provides inbuilt tools for recording security logs from servers running Windows Server and storing them in a centralised location to simplify security auditing and log analysis

Summary

Active Monitoring and Auditing of Windows Server 2016 is fundamental for investigating security incidents, troubleshooting issues and optimising the IT environment. Configure your logs according to best practices to reduce the volume of useless log data.

*NCSC common Cyberattacks