Rule 9: Detection and Notifications

What can you expect from this document:

This document covers some basic security best practices that, if combined with other security measures, will help to increase the overall security of your system.

What is the threat?

It is important to detect potential security issues, such as operational anomalies and security events, as soon as possible. An attacker who manages to compromise a server can do severe damage both to the integrity of the system and to the confidentiality and availability of your data. These are only a few examples of potential damage:

  • Attackers can distribute malware or illegal software using your server.
  • Your server can be used for attacking other systems, and legal liability for those attacks might then fall on you as the operator and administrator of the server.
  • Attackers can steal and sell customer data stored on the system.

Recommended tasks and useful hints:

1. Understand and monitor your Security Log entries
Microsoft provides an overview and description of the Security Events in Windows Server 2012 here. Carefully monitoring these events will help you detect anomalies in time.

2. Understand and monitor your firewall log
Microsoft provides helpful documentation on how to monitor Windows firewall and view the firewall logs. These will give you information on the nature of the traffic crossing the firewall.

3. Monitor Events
A list of security events advisable to monitor is available here. In addition, the NSA offers a helpful guide on how to detect potential threats in your logfile.

4. Get Notified by E-Mail
Unfortunately, the built-in e-mail notification feature is deprecated in Windows Server 2012 R2. However, the same functionality can be implemented with a PowerShell script.

How to configure notifications for an event:
Let's assume you want to get notified each time a user account is created. In the security log, the ID indicating the creation of a user account is 4720. Before starting the configuration process, create a local user yourself so that the security log already contains at least one 4720 event to work with.

  1. Filter the security log to find the relevant ID (in our case 4720). To do so, run the following command in PowerShell:

    Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720}

    Click on the Local Security Policy menu entry

  2. Filter the log to select the needed attributes:

    Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720} | Select TimeCreated,@{n="Account Creator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | %{$_.'#text'}}},@{n="User Account";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"} | %{$_.'#text'}}}
  3. Create the following script to provide the e-mail notification functionality:

    $Subject = "User account created" # Message subject
    $Server = "your.smtp.server" # SMTP server
    $From = "" # Sender address
    $To = "" # Recipient address
    $Pwd = ConvertTo-SecureString "password" -AsPlainText -Force # Sender account password (Warning! Use a very restricted account for the sender, because the password is stored unencrypted in the script)
    $Cred = New-Object System.Management.Automation.PSCredential("accountname", $Pwd) # Sender account credentials
    $encoding = [System.Text.Encoding]::UTF8 # Use UTF-8 so the message displays correctly
    # Filter the security log for the most recent account-creation event (ID 4720)
    $Body = Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720} | Select TimeCreated,@{n="Account creator";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SubjectUserName"} | %{$_.'#text'}}},@{n="User Account";e={([xml]$_.ToXml()).Event.EventData.Data | ? {$_.Name -eq "SamAccountName"} | %{$_.'#text'}}} | Select-Object -First 1
    # Send the e-mail. Out-String renders the selected object as readable text instead of its "@{...}" summary; -UseSsl requests TLS for the SMTP session
    Send-MailMessage -From $From -To $To -SmtpServer $Server -UseSsl -Body ($Body | Out-String) -Subject $Subject -Credential $Cred -Encoding $encoding
  4. Edit the following values to your needs:

    "password" -As...

    Important: As such emails contain sensitive log data, they should be sent via a secure channel, at least SMTP with TLS.

  5. Save the script as email-notification.ps1
  6. This script has to be triggered after each account creation. To do so, open the Task Scheduler, create a new task and give it a name. Then go to the Triggers tab and create a trigger with the following options:

    1. Begin the task: On an event
    2. Log: Security
    3. Source: (leave blank)
    4. Event ID: 4720
  7. To verify that notifications are sent correctly, create a test account and check that you receive an e-mail notification.
  8. Finally, make sure to delete the test accounts you created.
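The following is an added example, not part of the 1&1 guide, that generalizes the procedure above into one script: it accepts a list of event IDs instead of only 4720, turns every EventData field into a property so no field names are hard-coded, reads the sender credential from a DPAPI-protected file written with Export-Clixml instead of keeping a plaintext password in the script, and requests TLS with -UseSsl. The SMTP server, addresses, file paths, task name and service account are placeholders you must replace.

```powershell
# email-notification.ps1 (added example). Run by Task Scheduler on an event trigger.
param(
    [int[]]$EventId = @(4720),   # security event IDs to report on
    [int]$MaxEvents = 5          # how many of the newest matching events to include
)

$Server   = 'your.smtp.server'            # placeholder
$From     = 'alerts@example.invalid'      # placeholder
$To       = 'admin@example.invalid'       # placeholder
$CredFile = Join-Path $PSScriptRoot 'smtp-cred.xml'

# One-time setup, run interactively as the account the scheduled task uses:
#   Get-Credential | Export-Clixml -Path .\smtp-cred.xml
# Export-Clixml protects the SecureString with DPAPI, so the file is only
# readable by that same user on that same machine.
$Cred = Import-Clixml -Path $CredFile

function Get-SecurityEventSummary {
    param([int[]]$Id, [int]$Max = 5)
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches
    Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = $Id} -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $row = [ordered]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id }
            # Every <Data Name="..."> element of EventData becomes one property,
            # so the same function works for any event ID
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

$events = Get-SecurityEventSummary -Id $EventId -Max $MaxEvents
if (-not $events) { return }   # nothing to report, send no mail

# For 4720 the interesting fields are SubjectUserName (who created the account)
# and SamAccountName / TargetUserName (the account that was created)
$body = $events |
    Select-Object TimeCreated, EventId, SubjectUserName, TargetUserName, SamAccountName |
    Format-List | Out-String

Send-MailMessage -From $From -To $To -SmtpServer $Server -Port 587 -UseSsl `
    -Subject "Security event(s) $($EventId -join ',') on $env:COMPUTERNAME" `
    -Body $body -Credential $Cred -Encoding ([System.Text.Encoding]::UTF8)

# Registering the event trigger from an elevated prompt, equivalent to the
# Task Scheduler steps 6.1-6.4 above (task name, script path and account are placeholders):
#   schtasks /Create /TN "Notify-4720" /SC ONEVENT /EC Security /MO "*[System[EventID=4720]]" `
#     /TR "powershell.exe -NoProfile -File C:\Scripts\email-notification.ps1" `
#     /RU "DOMAIN\svc-notify" /RP "*"
```

Because Export-Clixml binds the credential file to the user who created it, the one-time export must be run as the same account that the scheduled task runs under (the /RU account), otherwise Import-Clixml fails at run time. To watch additional IDs, extend the /MO query and pass them in -EventId; the XML extraction needs no change.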

Additional Recommendations:

You can add notification events for several security events. A list of Security events is available here. Also consider enabling Advanced Auditing, since the events you want to monitor only appear in the log if their audit subcategory is turned on.
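As an added example (not from the guide), the script below checks with auditpol that the Advanced Audit Policy subcategories whose events you plan to monitor are actually enabled, and enables success and failure auditing where they are not. "User Account Management" is the subcategory that produces event 4720; the other two names are assumptions included only to show that the loop handles a list. The /set step and the Security log query require an elevated prompt.

```powershell
# Added example: verify and enable the audit subcategories behind the events you monitor.
# "User Account Management" covers account creation (event 4720); the other
# two entries are assumptions for this example and can be replaced.
$subcategories = @('User Account Management', 'Security Group Management', 'Logon')

function Get-AuditSetting {
    param([string]$Subcategory)
    # /r prints CSV with an "Inclusion Setting" column such as
    # "Success and Failure", "Success", "Failure" or "No Auditing";
    # blank lines are dropped before parsing
    $row = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

foreach ($sub in $subcategories) {
    $setting = Get-AuditSetting -Subcategory $sub
    if ($setting -eq 'Success and Failure') {
        Write-Host "$sub : already enabled ($setting)"
        continue
    }
    Write-Host "$sub : currently '$setting', enabling success and failure auditing"
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Sanity check: which security event IDs were actually logged in the last 24 hours,
# so you can confirm the IDs you trigger on are being generated at all
Get-WinEvent -FilterHashtable @{LogName = 'Security'; StartTime = (Get-Date).AddHours(-24)} -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```

Subcategory names and the "Inclusion Setting" values are localized, so on a non-English system the strings compared in the loop must be adjusted. The closing Get-WinEvent query is a cheap way to confirm, after changing the policy, that the IDs you configured triggers for are really being written to the log.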

A good starting point for monitoring logs for security breaches can be found here.

Additional guidelines on how to respond to security incidents are available here.

Additional Information on monitoring and detecting security incidents:

The contribution provided by Microsoft is intended to serve general information purposes and the content is AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness or reliability. The information is provided without any warranty of fitness for a particular purpose. The information is compiled with the necessary care, however no liability is assumed in this respect, in particular with regard to the absence of errors, topicality with regard to the specific state of knowledge or use as the basis for the responsible decisions of the user.

Content provided by 1&1
