Welcome to 2008!
As you know, MS has completely redesigned the Security Log in Windows Server 2008. Some of it’s great; some of it’s horrible.
In this quick email I’ll show you the 3 best and 3 worst aspects of the new security log, but I will share much more in this month’s security log webinar. Please register now. If you can make the live event we’ll send you a link to the recorded session within 3 days.
Registering now is the only way to watch the recorded version.
Space is limited.
Reserve your Webinar seat now at:
https://www1.gotomeeting.com/register/132795326
Title: The All New Windows Server 2008 Security Log
Date: Thursday, January 17, 2008
Time: 12:00 PM - 1:00 PM EDT
Best Features:
1. Event forwarding
While far from a replacement for centralized event log management, you can now configure one Windows server to collect events from other computers. And thankfully you can specify exactly which events you want forwarded from the source computer to the collector so that you don’t bog things down with noise. Better yet, you can configure all this from inside EventViewer – no coding. Still better, you can configure forwarding via group policy so that as you add new computers to the domain they automatically start sending the right events to the right collector.
2. Improved EventViewer
The new EventViewer MMC snap-in has much improved capability for analyzing events, especially in the area of filtering. It used to drive me nuts that you couldn’t filter on multiple events. Now you can. You can specify things like “560,528-535”, which translates to “show events 560 and all events between 528 and 535”.
3. Better information in events
Many of the events in the security log now provide those crucial details we’ve always wanted. For instance, Directory Services Changes category events show you the new value of each property audited on AD objects. Also, there are new events dedicated to documenting ACL changes on files and other objects and guess what? They actually show you the before and after versions of the ACLs instead of just saying the ACL changed. Yahoo!
<rant>
Worst Features:
1. No support for setting audit subcategory policies with group policy!
I think I’ve harped on this before but it deserves attention. This is something MS has got to fix in SP1. You can still configure auditing via group policy at the top-level category, but that won’t work in the real world because there are so many new subcategories that generate massive amounts of noise. To eliminate the worst offenders you have to enable/disable auditing at the subcategory level. But the only way to configure subcategory auditing is with a command line tool – auditpol. In this month’s webinar I’ll share some scripts I’m developing to deal with this problem. Yuck!
2. Failed attempt at reducing the noise
Well, through the introduction of subcategory audit policy MS hoped to make audit policy more granular and help you cut out the noise. Here’s why that didn’t work. Noise can’t be defined on a simple Event ID basis. Some event ID 4624s are noise; some aren’t. It depends on data elements within the description. The only way to really address this problem is for MS to understand what noise is in the first place and develop features that address the real problem.
3. Method used for renumbering legacy events
OK, I think it was a good idea to renumber all the events in Windows Server 2008 because all the description fields changed too, so we don’t want programs written for 2000 and 2003 incorrectly parsing events with the same number but generated by 2008. But here’s what MS did: they added 4096 to all the existing events. Why couldn’t they have picked a better number like 1000? It would have made it so much easier for those of us that know our event IDs by heart (I’m talking about you Soya :) ) to just mentally convert 528 to 1528. Anyway…
</rant>
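Added example (not from the original newsletter, and not Microsoft's tooling): a Python sketch of the point made under "Failed attempt at reducing the noise", that two events with the same ID 4624 can only be told apart by their data elements. The sample events are constructed, and the noise rules are an assumed local policy; LogonType, TargetUserName and IpAddress are fields of the 4624 event's XML.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, **data):
    """Build a trimmed event XML record (constructed sample, not real log data)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')

SAMPLE = [
    _event(4624, TargetUserName="FS01$", LogonType=3, IpAddress="10.0.0.15"),
    _event(4624, TargetUserName="svc_backup", LogonType=5, IpAddress="-"),
    _event(4624, TargetUserName="jsmith", LogonType=10, IpAddress="203.0.113.7"),
    _event(4624, TargetUserName="administrator", LogonType=3, IpAddress="10.0.0.99"),
    _event(4634, TargetUserName="jsmith", LogonType=10),
]

def parse(xml_text):
    """Flatten one event into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): (d.text or "")
           for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return rec

def is_noise(rec):
    """Assumed site policy: which successful logons are not worth keeping."""
    if rec["EventID"] != 4624:
        return False                      # rule only judges successful logons
    if rec.get("TargetUserName", "").endswith("$") and rec.get("LogonType") == "3":
        return True                       # computer account, network logon
    return rec.get("LogonType") == "5"    # service logon

def triage(events):
    """Split events into (kept, dropped) using field-level rules, not the ID."""
    kept, dropped = [], []
    for xml_text in events:
        rec = parse(xml_text)
        (dropped if is_noise(rec) else kept).append(rec)
    return kept, dropped

if __name__ == "__main__":
    kept, dropped = triage(SAMPLE)
    for rec in kept:
        print("keep", rec["EventID"], rec["TargetUserName"], rec["LogonType"])
    print(f"dropped {len(dropped)} of {len(SAMPLE)} events as noise")
```

Disabling the Logon subcategory would have removed all four 4624 events, including the remote interactive and administrator logons that the field-level rules keep.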
There’s some of the good, bad and ugly, but this is just the tip of the iceberg. Later this month I’ll demonstrate the security log and EventViewer to you live. Register now for “The All New Windows Server 2008 Security Log”
______________________________________________________________________________
All of Randy's webinars and more are available online!
Here are some coupon codes you can use! They expire in 7 days though, so don't let this opportunity pass you by.
Edition Coupon code Savings
Bronze QRB $10
Silver QRS $25
Gold QRG $50
________________________________________________________________________________
Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2007 Monterey Technology Group, All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.
You may forward this email in its entirety but all other rights reserved.