Let's now move on to detecting threats. Current operating systems come with pre-installed tools and mechanisms that audit the activity of system users. Windows systems keep track of security-related events in the security log.

The security log is disabled by default in older versions of Windows. This means that the log doesn't record any events until we enable it manually. This has changed with the release of Windows 7. Of course, it's always been different for server systems.

What clusters of events can be found in a security log? Records are divided into several categories, and each category records whether a specific action has been successful (success) or not (failure).

Auditing object access is the first of these categories. Enabling this value generates a significant increase in the number of security log entries. Several hundred megabytes of audit data may be generated for a day's work of a device, for example a PC or even a network printer. The object access category includes all operations on objects. An object can be a file, a folder or a printed document. An attempt to read a file will also be logged.

The second category is directory service access. Once this is enabled, the security log will record all successful or failed attempts to read or modify data stored in the Active Directory database.

Third is auditing process tracking, which is usually disabled. When this category is set to auditing, each operation will come up in the log multiple times. As far as security is concerned, this level of specificity is not required.

Enabling privilege use audit is crucially important, though. All instances of a user exercising or attempting to exercise user rights will be logged. This means, for example, that when an administrator takes over a file or folder, this event will be reported in the log.

If we truly prioritize security, auditing account management is another category which should be enabled in all environments. Once this value is checked, the log will record all events relating to creating, modifying and deleting user accounts and user groups.

Logon events are usually only monitored on critical servers. In most cases, logons to workstations are not hugely relevant. However, a user stopping a server, especially an Active Directory server, is a significant event and should be recorded in the log.

System events audit is disabled by default for most systems, except for the most crucial servers.

Policy change, on the other hand, is an audit category that should always be kept enabled. Only once it's enabled will we know if a change to our security policy configurations has been made or has been attempted.

After enabling object access auditing, we need to determine the types of objects to which the audit will apply. It's necessary also to specify the users that are to be monitored in this way. In older versions of Windows, this is done per object, usually per folder. You can see an example in the picture below. In newer Windows systems, this audit can be enabled globally.