Best Practices for Monitoring Windows Logins

Enterprise network administrators usually implement some security and access control measures over standard user accounts, but may neglect service accounts, which become vulnerable targets.

To protect against threats from malicious users inside or outside the enterprise, and to satisfy regulatory requirements, it’s essential to keep a close eye on what’s happening in your Windows environment by monitoring and auditing user activity across your Windows Server-based network. This guide should help.

What Windows Lacks

Of the major operating systems, Windows provides the biggest set of security features. But NetWare, UNIX and even the mainframe have the edge when it comes to basic login session controls. When a Windows user logs on, there isn’t even a display of their previous logon time.

In the Windows environment, monitoring of logon sessions, reporting of logons and logoffs, and control of concurrent logins are all absent, as is the remote logoff of sessions on workstations.

Group-defined restrictions of workstations and logon times are also missing, as are enforceable logoffs when allocated logon times have expired.

Depending on your audit settings, the information recorded by Windows may be dense, cryptic, and poorly documented.

Success or Failure?

Monitoring logon events is useful not only for catching failed attempts to gain access, which may indicate malicious attempts to infiltrate your system.

Logon attempts that succeed can yield valuable information too, and can help ensure the continued health of your network infrastructure.

Knowing Who’s Who 

Monitoring successful logon attempts provides information on the activities of your users, both in a business productivity sense, and from a security perspective.

Potentially abnormal events, like a single user simultaneously requesting access to multiple resources or users logging on outside normal working hours, may be a red flag for suspicious activity worthy of further investigation.

Even the activities of privileged users like system administrators need to be monitored from a security standpoint, and for regulatory compliance.

A log management tool configured to collect user information according to rules and time frames that you establish beforehand can categorise user activity and manage logon events. The software should be capable of identifying privileged administrative users and categorising their activities accordingly.

Since Windows user names don’t indicate group membership, and that membership can change over time, it’s essential to use a log management tool that can establish a user’s privileges at the time an event caused by their activity was logged.

The Price of Failure 

Mistyped passwords and unauthorised attempts to gain access to computers and network resources are at opposite ends of the scale when it comes to failed logons. Failed logons to a print server may indicate that your printer hardware or software is down. But there’s more to it than that.

With service accounts, especially those belonging to services that aren’t part of an authorised application, failed logons may be an indication of malware.

When a service is authorised, or forms a part of your network infrastructure, failed service account logons may point to downtime issues.

If computer accounts fail to log in, there may be underlying issues with network configuration, authentication protocols or IPSec policies. All have the potential to disrupt your operations.

Automated brute force attacks may be the real cause behind a large number of failed logon attempts recorded in a short time period. If your account lockout policy isn’t strict enough, this could have dire consequences.

Setting Your Audit Policy

Your Windows audit policy determines which events, and how many of them, are monitored and logged, so you’ll need to work out which configuration gives you all the information you’re looking for.

The Audit account logon events policy instructs the system to record a security event each time a user account’s logon or logoff is validated, on every machine where this policy has been configured. Audit account logon events is best used to monitor the activities of users on a particular machine.

The Audit logon events policy records data in the Logon/Logoff category of any machine on which you wish to monitor access, logging security events each time a user logs onto the machine.
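The two policies described above, set and verified with the built-in auditpol.exe, as an added PowerShell example that is not from the original article. It assumes advanced audit policy is in use and not overridden by Group Policy, so each legacy policy maps to the subcategories shown; run it from an elevated prompt on the machine whose log you want to collect.

```powershell
# Added example (not from the original article): enable the two audit policies
# the article names using auditpol.exe, then read the result back.
# Assumption: advanced audit policy is in effect and not overridden by a GPO.

# "Audit logon events" = the Logon/Logoff category, recorded on the machine
# the user logs on to (interactive, network, RDP, ...).
auditpol /set /subcategory:"Logon"  /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable

# "Audit account logon events" = the Account Logon category, recorded on the
# machine that validates the credentials: the local machine in a workgroup
# (NTLM), the Domain Controller in a domain (Kerberos and NTLM).
auditpol /set /subcategory:"Credential Validation"              /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service"    /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

# Verify: each subcategory above should now report "Success and Failure"
# (Logoff reports "Success" only; there is no failure event for it).
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Logon"
```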

Monitoring Workgroups 

Each computer in a Windows workgroup acts as a standalone machine, with its local security database taking precedence. NTLM authentication is typically used, so logon events need only be monitored on that local machine. These are stored in the machine’s security log.

For logon activity monitoring in Windows workgroups, you should enable the Audit logon events category on each machine in the workgroup, monitoring their security logs for events that fall in this category.

Monitoring Domains

In a Windows domain, a security database resides at the domain level on your Domain Controller(s), providing a hierarchy which centrally manages all the machines.

Domain user accounts may be given access to machines within the domain, automatically becoming members of the local user groups on those machines.

Kerberos is used for authentication in Windows domains, and authentication tickets and service tickets may be required to validate a user (and the machine the user connects from) to the Domain Controller.

You may need to monitor the Domain Controller security log to establish the activities of domain user accounts, including local logons to the Domain Controller itself. These events are recorded in the Account logon category.

For events in the Logon/Logoff category, the member machine security log should be monitored, to follow the activities of user accounts local to the member machine. Local accounts that don’t map to a domain account should be watched closely.

Monitoring Strategically 

Set your security control criteria and restrictions, such as those based on time or location, or prohibiting concurrent sessions.

Monitor and log all login and session events across terminals, workstations, Internet Information Services (IIS), Wi-Fi and VPN.

Be able to determine who’s connected, which system they’re using, when they connected, and for how long.

Be prepared to generate reports – both to give an overview of your users’ activity, and drilling down to particular time-frames.
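Two of the checks described in “Knowing Who’s Who” and “The Price of Failure”, run against the local Security log with Get-WinEvent, as an added PowerShell example that is not code from the original article. Event IDs 4624 (successful logon) and 4625 (failed logon) are the standard Security-log IDs; the 20-failures-per-10-minutes threshold and the 08:00 to 18:00 business window are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): a burst-of-failures check and
# an out-of-hours logon check over the local Security log. Requires read access
# to the Security log (run elevated). Threshold and hours are assumptions.

$Since = (Get-Date).AddHours(-24)

# Read named EventData fields from an event so we do not depend on the
# positional order of $Event.Properties.
function Get-LogonFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Id        = $Event.Id
        User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']
        Source    = $d['IpAddress']
        Station   = $d['WorkstationName']
    }
}

# Check 1: many failed logons (4625) from one source in a 10-minute window,
# the brute-force pattern from "The Price of Failure".
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} |
    ForEach-Object { Get-LogonFields $_ }
$failed |
    Group-Object { '{0}|{1}{2}0' -f $_.Source, $_.Time.ToString('yyyy-MM-dd HH:'), [math]::Floor($_.Time.Minute / 10) } |
    Where-Object Count -ge 20 |
    ForEach-Object {
        $users = ($_.Group.User | Sort-Object -Unique) -join ', '
        "ALERT: $($_.Count) failed logons from $($_.Group[0].Source) in the 10-minute window starting $($_.Name.Split('|')[1]); accounts tried: $users"
    }

# Check 2: successful (4624) interactive (type 2) or RDP (type 10) logons
# outside 08:00-18:00, from "Knowing Who's Who". Network type 3 is skipped
# to cut noise from file-share and background traffic.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} |
    ForEach-Object { Get-LogonFields $_ } |
    Where-Object { $_.LogonType -in '2','10' -and ($_.Time.Hour -lt 8 -or $_.Time.Hour -ge 18) } |
    Select-Object Time, User, LogonType, Source, Station |
    Format-Table -AutoSize
```

On a Domain Controller the same script reports Account Logon activity for domain accounts; on a member machine it covers the accounts that log on to that machine, as the article's domain section describes.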

Kerry is a published author and writer on all things tech, corporate tech, data centres, SEO, web design & more for some of the world’s leading sites.
