Fundamentals of Microsoft Windows Security Monitoring and Maintenance

The process of securing a Windows computer system and maintaining a secure system is an iterative process. There are three main points in a system’s life cycle that serve as milestones for security management. It is important to maintain a secure system when you:

  1. Install the operating system or application software.

  2. Monitor the operation of the computer system.

  3. Make any configuration changes to the computer system.

The first and third milestones are easy events to identify, at least in small computing environments, because each results from a deliberate administrative action. Organizations with more than several dozen servers and workstations find that all three milestones become harder to track. As an organization grows, policies that produce configuration standards make administration easier. It is important to build security concerns into the installation and modification procedures so that changes do not introduce unintended vulnerabilities. For example, the procedure to upgrade to a new version of SQL Server should include steps to confirm that insecure user accounts or demonstration procedures are not added to the system environment. It is also advisable to carry out validation tasks after any new installation or configuration change to confirm that system security still meets the stated goals. The second milestone recurs at intervals that security administrators specify for each system. Monitoring can be as frequent or as infrequent as necessary; typically, the frequency depends on how volatile the resource is and how likely it is to be attacked.

Security Monitoring

In general, the process of security monitoring involves comparing performance or configuration information with a stated baseline. Microsoft offers several tools and resources to help create and maintain secure systems. The basic process of security monitoring is to follow these steps:

  1. Define security goals

  2. Describe secure behavior as a baseline

  3. Sample performance information and compare with the baseline

  4. Report anomalies

The tools and resources available for Windows operating systems include both suggested baselines and the tools to compare those baselines with system configuration and performance information. System configuration information could include user and group definitions, permissions on critical resources, and lists of folders and shares. Baseline information could include lists of accounts, groups, and folders that are known to be insecure, such as a default account that should be disabled or a share that should not exist. Any user, group, or folder found on the system that appears in those baseline lists could indicate a vulnerability. Performance information could include web server log files. SIEM tools automate the monitoring of such log files and can reveal attacks that have already been carried out against your system, or, even better, evidence of a pre-attack reconnaissance effort. In the latter case, you can use that information to protect your system before the expected attack arrives.
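The following PowerShell script is an added example, not code from the book, that walks through steps 2 through 4 on a single Windows host: it states a baseline, samples the local account, Administrators group, and SMB share configuration, compares the sample with the baseline, and emits each anomaly as an object that can be exported or forwarded to a SIEM. The baseline values (the forbidden accounts, the allowed administrators, the forbidden share names) are assumptions chosen for illustration; a real baseline comes from your own configuration standard. It requires Windows PowerShell 5.1 or PowerShell 7 on Windows, which supply the LocalAccounts and SmbShare modules.

```powershell
# Added example (not from the book): compare a host's local security state
# with a baseline and report anomalies. Requires Windows PowerShell 5.1 or
# PowerShell 7 on Windows (Microsoft.PowerShell.LocalAccounts, SmbShare).

# Step 2: describe secure behaviour as a baseline. These values are
# illustrative assumptions; replace them with your organization's standard.
$Baseline = [pscustomobject]@{
    # accounts that must never be enabled on a member server
    ForbiddenEnabledAccounts = @('Guest', 'DefaultAccount')
    # the only members the local Administrators group may contain
    AllowedAdministrators    = @('Administrator', 'CORP\Server Admins')
    # non-administrative shares that should not exist on this role
    ForbiddenShares          = @('Public', 'Temp')
}

# Step 3a: sample the live configuration. Kept separate from the comparison
# so the comparison can be tested against constructed data.
function Get-LocalSecurityState {
    [pscustomobject]@{
        EnabledAccounts = @(Get-LocalUser | Where-Object Enabled |
                            Select-Object -ExpandProperty Name)
        Administrators  = @(Get-LocalGroupMember -Group 'Administrators' |
                            ForEach-Object {
                                # strip the local host prefix so local names
                                # compare equal to the baseline entries
                                $_.Name -replace "^$([regex]::Escape($env:COMPUTERNAME))\\", ''
                            })
        # Special = $true marks the built-in admin shares (C$, ADMIN$, IPC$)
        Shares          = @(Get-SmbShare | Where-Object { -not $_.Special } |
                            Select-Object -ExpandProperty Name)
    }
}

# Step 3b: compare the sample with the baseline. Each finding is an object,
# not a string, so it can be filtered, exported, or shipped to a SIEM.
function Compare-SecurityBaseline {
    param(
        [Parameter(Mandatory)] $State,
        [Parameter(Mandatory)] $Baseline
    )
    foreach ($acct in $State.EnabledAccounts) {
        if ($Baseline.ForbiddenEnabledAccounts -contains $acct) {
            [pscustomobject]@{ Check = 'ForbiddenAccountEnabled'; Item = $acct; Severity = 'High' }
        }
    }
    foreach ($member in $State.Administrators) {
        if ($Baseline.AllowedAdministrators -notcontains $member) {
            [pscustomobject]@{ Check = 'UnexpectedAdministrator'; Item = $member; Severity = 'High' }
        }
    }
    foreach ($share in $State.Shares) {
        if ($Baseline.ForbiddenShares -contains $share) {
            [pscustomobject]@{ Check = 'ForbiddenShare'; Item = $share; Severity = 'Medium' }
        }
    }
}

# Step 4: report anomalies. First against a constructed sample state (made up
# for this example) so the comparison logic can be checked without touching
# a live host: it contains an enabled Guest account, a service account in
# Administrators, and a share named Temp.
$SampleState = [pscustomobject]@{
    EnabledAccounts = @('Administrator', 'Guest', 'svc_backup')
    Administrators  = @('Administrator', 'CORP\Server Admins', 'svc_backup')
    Shares          = @('Logs', 'Temp')
}
Compare-SecurityBaseline -State $SampleState -Baseline $Baseline | Format-Table -AutoSize

# Then against the live host. No output means the host matches the baseline.
Compare-SecurityBaseline -State (Get-LocalSecurityState) -Baseline $Baseline |
    Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-findings.csv"
```

Two design points are worth noting. The sampling function and the comparison function are deliberately separate, which is what lets the comparison be exercised against constructed data before it is trusted on production hosts. And the comparison uses allow lists for the Administrators group but deny lists for accounts and shares: membership in a privileged group is small and fully enumerable, so anything not explicitly allowed is an anomaly, whereas the set of legitimate accounts and shares on a host changes too often for an allow list to stay accurate.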

Identify Vulnerabilities

The idea behind monitoring is simply to examine the current state of a system and identify any existing security vulnerabilities. In doing so, you proactively take the same approach an attacker would take when planning an attack. Later in this book, you'll learn about tools that help you uncover vulnerabilities in your computing environment. After identifying vulnerabilities, you must decide how to address each one. That sounds simple, and at its core it is. Putting the goal into practice, however, can be difficult: there are many options for addressing each vulnerability, and you have to choose the best one for each situation. The process is not a single pass through each step. Security monitoring, and responding to its results, is a cycle you repeat over and over to keep your systems secure.
