You are running a large production environment with many Windows servers.
There are multiple forests in the network and some forests have multiple domain controllers.
Your Windows server security is paramount – you want to track and audit suspicious activities and view detailed Windows reports extracted from the Windows servers event logs.
Read the article, with images and design here > https://www.xplg.com/windows-servers-security-suspicious-activities/
Looking for suspicious activities in Windows is important for many reasons:
- There are more viruses and malware targeting Windows than Linux.
- People often leave their remote desktop sessions running when they disconnect, making those sessions prime targets for unauthorized takeover.
- Service accounts are often made domain administrators to circumvent access issues.
- Known passwords of service accounts become open backdoors for hackers.
- Antivirus and local firewalls are sometimes disabled to get acceptable application performance.
- Patching cycles are missed or sometimes altogether ignored, making Windows systems vulnerable to potential attacks.
Bottom line: Prevention is better than cure, that’s why all possible security measures should be taken.
Download XpoLog 7 free and discover suspicious events automatically > http://bit.ly/2XGJOJV
Windows Server Reports
There should be a robust security monitoring process in place.
This type of monitoring keeps an eye on who or what is logging into a Windows server and when, and whether those login events look suspicious or out of the ordinary.
This not only helps catch potential threats early, but it also provides a trail to follow when a breach happens.
Windows Reports – What to look for?
As a security conscious administrator, you want to keep an eye on a number of events such as:
- Successful or failed login attempts to the Windows network, domain controller or member servers.
- Successful or failed attempts of remote desktop sessions.
- Password lockouts after repeated login attempts.
- Successful or failed login attempts outside business hours.
- Adding, deleting or modifying local or domain user accounts or groups.
- Adding users to privileged local or active directory groups.
- Clearing event logs in domain controllers or member servers.
- Changing local audit policies and group policies.
- Changing or disabling Windows firewall or firewall rules.
- Adding new services, stopping or deleting existing services.
- Changing registry settings.
- Changing critical files or directories.
In this tutorial, we will talk about enabling some important security audits in Windows servers to help catch possible threats.
After reading this tutorial you will have enough information to raise the security level of your Windows servers and workstation fleet and protect them against malicious activities!
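As an added example, not code from the XpoLog article or product, here is a PowerShell script that turns the watch list above into a single Security-log review: logons and failed logons, Remote Desktop sessions, out-of-hours logons, lockouts, account and group changes, cleared logs, audit-policy and firewall changes, new services, and registry or file changes. The event IDs are the standard Windows Security-log IDs; the 24-hour window, the 08:00-18:00 business hours, the five-failure threshold and the assumption that the matching audit subcategories are already enabled (check with auditpol /get /category:*) are this example's own choices.

```powershell
# Added example (not from the XpoLog article): review the Security log for the
# watch-list items above. Run elevated on the server or domain controller.
# Assumptions: audit subcategories for Logon, Account Management, Policy Change,
# Security System Extension, MPSSVC Rule-Level Policy Change and Object Access
# are enabled; 4657/4663 also need a SACL on the key or path being watched.
# The time window, business hours and failure threshold are made up for this example.

# Watch-list item -> Security-log event ID (plain hashtable: integer keys work here,
# whereas [ordered] would treat $WatchList[4624] as a positional index).
$WatchList = @{
    4624 = 'Logon succeeded'
    4625 = 'Logon failed'
    4740 = 'Account locked out'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
    1102 = 'Audit log cleared'
    4719 = 'System audit policy changed'
    4697 = 'Service installed'
    4946 = 'Firewall rule added'
    4947 = 'Firewall rule modified'
    4948 = 'Firewall rule deleted'
    4657 = 'Registry value modified'
    4663 = 'Object (file/directory) accessed'
}

$BusinessStart = 8      # 08:00  (assumed)
$BusinessEnd   = 18     # 18:00  (assumed)
$FailThreshold = 5      # failed logons per account before we flag a burst (assumed)
$Since         = (Get-Date).AddHours(-24)

# Read one named field from the event's EventData payload (TargetUserName, LogonType, ...).
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return [string]$node.'#text' }
}

# One query for every ID on the list; SilentlyContinue avoids an error when nothing matched.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$WatchList.Keys
    StartTime = $Since
} -ErrorAction SilentlyContinue

$Rows = foreach ($e in $Events) {
    $user  = Get-EventDataField $e 'TargetUserName'
    $ltype = Get-EventDataField $e 'LogonType'
    $ip    = Get-EventDataField $e 'IpAddress'
    $flags = @()
    if ($e.Id -in 4624, 4625) {
        if ($user -like '*$') { continue }                 # skip machine-account noise
        if ($ltype -eq '10')  { $flags += 'RDP' }          # LogonType 10 = RemoteInteractive
        $h = $e.TimeCreated.Hour
        if ($h -lt $BusinessStart -or $h -ge $BusinessEnd -or
            $e.TimeCreated.DayOfWeek.ToString() -in 'Saturday', 'Sunday') {
            $flags += 'OutOfHours'
        }
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Description = $WatchList[[int]$e.Id]
        Account     = $user
        LogonType   = $ltype
        Source      = $ip
        Flags       = ($flags -join ',')
    }
}

# Accounts with a burst of failed logons in the window (password guessing indicator).
$Bursts = $Rows | Where-Object Id -eq 4625 |
    Group-Object Account | Where-Object Count -ge $FailThreshold |
    ForEach-Object { [pscustomobject]@{ Account = $_.Name; Failures = $_.Count } }

# High-signal rows first: anything flagged, plus every non-logon change event.
$Rows | Where-Object { $_.Flags -or $_.Id -notin 4624, 4625 } |
    Sort-Object Time -Descending |
    Format-Table Time, Id, Description, Account, Source, Flags -AutoSize
$Bursts | Format-Table -AutoSize
```

Routine 4624 logons are deliberately kept out of the printed table (they are only used to find RDP and out-of-hours sessions) so that the change events, lockouts and cleared logs are not buried under normal traffic; widen the window or lower the threshold when running it against a domain controller that sees few interactive logons.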
42 Critical Security Events To Follow
There are some critical security-related events you should include in your audit views and regular searches.
We have compiled a list of these event IDs and their descriptions in this helpful “cheat sheet”. You can access the list from the article on our blog as well.