Fun Fact: Most types of network and computer compromises could have been discovered much sooner if the organization had enabled proper event log monitoring using an appropriate server monitoring solution that alerted them to the issue. Without such a software application or not taking the time to configure it correctly, it takes much longer to uncover the compromise if it is ever discovered at all.
Fun Fact #2: According to the 2012 Verizon Data Breach report, 84% of all data breaches had left some form of evidence in the event logs, prior to the actual data breach occurring.1 Simply put, had these organizations taken the time to implement better Active Directory security best practices that included reviewing event logs for unusual activity, there is a high likelihood they could have prevented the data breach from occurring in the first place.
How Can I Monitor Event Logs for My Servers and Computers?
There are various options and methods that can be used. Some organizations use Windows Audit Policies and manually configure every audit category to record events in the event log as they occur. They also use built-in features of Windows for account management, account logon, detailed process tracking, directory service access, and other such audits.
However, one of the challenges when using the built-in auditing features of Windows is you must have a decent understanding of computer programming. You also need to know where Windows stores event logs and how to access them to review them.
A much better solution is to use a server monitoring service application like PA Server Monitor. This application makes it easy to configure Windows Audit Policies from within the app without requiring any advanced computer programming skills.
You can also build custom reports to access event logs and review events quickly and easily. Additionally, you can even configure alerts, create Action List of actions to carry out, and more, all from within the server monitoring app.
For example, you can create an Action List that monitors for signs of compromise in the event logs. Should something be detected, you can create a list of actions to be carried out immediately, such as sending an email alert to the appropriate person, blocking access to the suspected server, or locking a user’s account access.
You can even configure PA Server Monitor to detect changes in user accounts that could identify potential intruders attempting to breach your data. Typical things you want to look for regarding user accounts include:
- An excessive amount of newly created accounts with full permissions.
- An excessive amount of recently deactivated accounts.
- Accounts that have been modified with changes to permissions.
- Reactivated accounts that were previously disabled.
Continuous monitoring of these types of changes to user accounts, along with event log events can help you find and spot potential breaches before they occur.
To learn more about PA Server Monitor and our other types of server monitoring solutions, please feel free to contact Power Admin at 1-800-401-2339 today! We offer a free, full-functioning 30-day trial of the best server monitoring software to help you improve your Active Directory security best practices.