DEV Community



How to Look for Suspicious Activities in Windows Servers

You are running a large production environment with many Windows servers.
There are multiple forests in the network and some forests have multiple domain controllers.

Your Windows server security is paramount – you want to track and audit suspicious activities and view detailed Windows reports extracted from the Windows servers event logs.


Looking for suspicious activities in Windows is important for many reasons:

  • There is far more malware written for Windows than for Linux.
  • People often leave their remote desktop sessions running when they disconnect, making those sessions prime targets for unauthorized takeover.
  • Service accounts are often made domain administrators to circumvent access issues.
  • Service account passwords that are shared or widely known become open backdoors for attackers.
  • Antivirus and local firewalls are sometimes disabled to get acceptable application performance.
  • Patching cycles are missed or sometimes ignored altogether, leaving Windows systems vulnerable to known attacks.

Bottom line: prevention is better than cure, which is why all reasonable security measures should be taken.


Windows Server Reports
There should be a robust security monitoring process in place.

This type of monitoring keeps an eye on who or what is logging into a Windows server and when, and on whether those logon events look suspicious or abnormal.

This not only helps catch potential threats early, but it also provides a trail to follow when a breach happens.

Windows Reports – What to look for?
As a security conscious administrator, you want to keep an eye on a number of events such as:

  • Successful or failed login attempts to the Windows network, domain controller or member servers.
  • Successful or failed attempts of remote desktop sessions.
  • Account lockouts after repeated failed login attempts.
  • Successful or failed login attempts outside business hours.
  • Adding, deleting or modifying local or domain user accounts or groups.
  • Adding users to privileged local or Active Directory groups.
  • Clearing event logs in domain controllers or member servers.
  • Changing local audit policies and group policies.
  • Changing or disabling Windows firewall or firewall rules.
  • Adding new services, stopping or deleting existing services.
  • Changing registry settings.
  • Changing critical files or directories.

In this tutorial, we will talk about enabling some important security audits in Windows servers to help catch possible threats.

After reading this tutorial you will have enough information to raise the security level of your Windows servers and workstation fleet and protect them against malicious activity.
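The watch list above maps onto Windows Security-log event IDs, and most of them only appear once the matching advanced audit subcategory is switched on. The script below is an added example written for this post, not code from the original article or from XpoLog: it enables the relevant subcategories with the built-in auditpol tool, pulls the matching events for the last 24 hours, and flags RDP logons, logons outside business hours and repeated failed logons per source address. The event IDs are Microsoft's documented Security-log IDs; the 08:00 to 18:00 weekday business-hours window and the 24-hour lookback are assumptions you should adjust, and events 4657/4663 additionally require a SACL on the registry keys or files you care about.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Run in an elevated PowerShell
# session on the server or domain controller you want to review.

# 1. Enable the advanced audit subcategories behind the events we search for.
$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout',                   # 4624/4625/4634/4740
    'User Account Management', 'Security Group Management', # 4720/4726/4728/4732/4756
    'Audit Policy Change',                                  # 4719
    'MPSSVC Rule-Level Policy Change',                      # 4946/4947/4948 firewall rules
    'Security System Extension',                            # 4697 service installed
    'Registry', 'File System'                               # 4657/4663 (objects need a SACL)
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# 2. Map the article's watch list to Security-log event IDs.
$watch = @{
    4624 = 'Successful logon'
    4625 = 'Failed logon'
    4740 = 'Account locked out'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    1102 = 'Security log cleared'
    4719 = 'System audit policy changed'
    4946 = 'Firewall rule added'
    4947 = 'Firewall rule modified'
    4948 = 'Firewall rule deleted'
    4950 = 'Firewall setting changed'
    4697 = 'Service installed'
    4657 = 'Registry value modified'
    4663 = 'Object access (file or registry key with SACL)'
}

# Assumed lookback window: last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$watch.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Enrich each event: account, source address, logon type (10 = RDP) and an
#    off-hours flag (assumed business hours: 08:00-18:00, Monday to Friday).
$report = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    $hour    = $e.TimeCreated.Hour
    $weekend = ($e.TimeCreated.DayOfWeek -in @('Saturday', 'Sunday'))
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        What      = $watch[$e.Id]
        Account   = $data['TargetUserName']
        Source    = $data['IpAddress']
        LogonType = $data['LogonType']
        Rdp       = ($data['LogonType'] -eq '10')
        OffHours  = ($hour -lt 8 -or $hour -ge 18 -or $weekend)
    }
}

# 4. Everything except routine successful logons, plus RDP and off-hours logons.
$report | Where-Object { $_.Id -ne 4624 -or $_.Rdp -or $_.OffHours } |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Brute-force hint: failed logons grouped by source address, busiest first.
$report | Where-Object Id -eq 4625 | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

Run it on a member server first: on a busy domain controller the 24-hour query over all of these IDs can return a large result set, so narrow the ID list or the window before scheduling it. Audit policy set with auditpol on a domain member is overwritten at the next Group Policy refresh if the Advanced Audit Policy Configuration in a linked GPO defines the same subcategories, so put the same settings in the GPO for anything that must stick.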

Read the full article here >

42 Critical Security Events To Follow
There are some critical security-related events you should include in your audit views and regular searches.

We have compiled a list of these event IDs and their descriptions in this helpful "cheat sheet". You can access the list from the article on our blog as well.

Discussion (1)

XpoLog Author

We apologize that we had to send you to our blog; the article can't be read on that platform, as all images and design are gone and it is much more difficult.