The Windows Security event log gives administrators an in-depth view of a system’s activity, including potential security concerns. When certain events occur within a server’s or workstation’s operating system, the operating system records them and Event Viewer presents them for further review.
For instance, it can log a variety of situations:
- Security-related activities (for example, failed login attempts)
- System or application warnings and errors
- Informational events (for example, start-up or shut-down of a program)
Before configuring security log collection, it’s crucial to understand how events are identified (by event ID) and classified. Events are categorised into five types:
- Error: A significant problem, such as a critical operation that could not be performed and may compromise functionality.
- Warning: An occurrence that isn’t necessarily detrimental but could lead to an error.
- Information: Successful operation or a significant event.
- Success Audit: An audited security access attempt that was successful.
- Failure Audit: An audited security access attempt that failed.
Configuration of Windows Security Event Collections
There are several methods of configuring Windows Security event collections. For demonstration, let’s discuss how to use Group Policy and the Event Viewer.
Using Group Policy
A common method of configuring Windows security auditing is by using Group Policy. The Group Policy Management Console (GPMC) provides an intuitive interface to manage and apply Group Policies.
Please follow these steps:
- Begin by opening the Group Policy Management Console.
- Create a new Group Policy Object (GPO) or choose an existing one.
- Navigate to “Computer Configuration” > “Windows Settings” > “Security Settings” > “Advanced Audit Policy Configuration” > “Audit Policies”.
- Here, you can configure various audit settings. For example, to audit logon attempts, select “Logon/Logoff” > “Audit Logon”.
- Enable “Success” or “Failure” based on your preference. “Success” logs successful login attempts, while “Failure” notes unsuccessful tries.
- Finally, apply this GPO to the Organizational Unit (OU) or Domain that contains the computers whose logs you want to monitor.
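As an added example (not part of the original page), the following PowerShell checks that the “Audit Logon” setting the GPO above should deliver is actually in effect on a target machine, and that the Security log is receiving logon events. It assumes an elevated Windows PowerShell session on an English-locale machine, since auditpol’s CSV headers are localised.

```powershell
# Added example (not from the original page): verify the effective "Audit Logon"
# subcategory and confirm the Security log is receiving logon events.
# Assumes an elevated session on an English-locale machine.

# auditpol /r emits CSV; drop blank lines and convert it to objects.
$logonPolicy = auditpol /get /subcategory:"Logon" /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv
# Possible values: "No Auditing", "Success", "Failure", "Success and Failure"
$setting = $logonPolicy.'Inclusion Setting'

if ($setting -notmatch 'Success' -or $setting -notmatch 'Failure') {
    Write-Warning "Audit Logon is '$setting'; expected 'Success and Failure'."
    # Local Policy fallback for a machine outside the GPO's scope. A domain GPO
    # that defines this subcategory overwrites this value at the next refresh.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
} else {
    "Audit Logon is '$setting'"
}

# Evidence check: 4624 (successful logon) and 4625 (failed logon) in the last hour.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4624/4625 events since $since; policy may not be applied yet (try gpupdate /force)."
}
$events | Group-Object Id | ForEach-Object {
    '{0,5} events with ID {1} since {2:u}' -f $_.Count, $_.Name, $since
}
```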
Using Event Viewer
Event Viewer can be used to create custom views and subscriptions for centralised logging, which supports efficient security incident detection.
Follow these steps:
- Start by opening Event Viewer.
- Navigate to “Event Viewer (Local)” > “Windows Logs”.
- Right-click “Security”. Choose “Properties” from the pop-up menu.
- Use the settings here to configure log size, overwriting settings, and log access. For instance, you can choose to overwrite events as required, which will delete the oldest events first when the log reaches its maximum size.
- Finally, click Apply and then OK to implement the changes.
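The same Security log properties can be applied and verified from the command line. The block below is an added example, not code from the original page; the 1 GB size is a placeholder and should be sized to your own retention target. It also estimates how much history the log actually holds, which is what matters when events are overwritten as required.

```powershell
# Added example (not from the original page): apply the Security log properties
# from the Event Viewer dialog with wevtutil, read back the effective settings,
# and estimate how much history the log holds. Elevated session required.
# Assumption: 1 GB is a placeholder; size the log for your own retention needs.

$maxBytes = 1GB

# /ms = maximum size in bytes; /rt:false = overwrite events as needed (circular).
# /rt:true instead means "do not overwrite events (clear the log manually)":
# nothing is silently lost, but new activity is not recorded once the log is full.
wevtutil sl Security "/ms:$maxBytes" /rt:false

# Read back the configuration as the OS sees it.
$cfg = Get-WinEvent -ListLog Security
[pscustomobject]@{
    LogName       = $cfg.LogName
    MaximumSizeMB = [math]::Round($cfg.MaximumSizeInBytes / 1MB)
    LogMode       = $cfg.LogMode        # Circular == "overwrite events as needed"
    RecordCount   = $cfg.RecordCount
    FileSizeMB    = [math]::Round($cfg.FileSize / 1MB)
}

# Retention check: with overwrite enabled, the oldest surviving record shows how
# far back an investigation can look on this host before the log is collected.
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$window = $newest.TimeCreated - $oldest.TimeCreated
'Security log holds {0:N1} hours of events ({1} records) at its current size' -f $window.TotalHours, $cfg.RecordCount
```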
Summarising Key Points
Proper configuration of Windows Security event collections requires an understanding of the event ID system and the know-how to use Group Policy and Event Viewer. Keep in mind that every network environment is unique, so the specific settings will depend on your organisation’s needs.
Mastering these configurations is an integral part of the SC-200 Microsoft Security Operations Analyst Certification exam. Therefore, practise, test, and tweak these settings to maximise the utility of your Windows servers and client machines.
Practice Test
True or False: Windows event forwarding supports both subscription and collection of events.
- True
- False
Answer: True.
Explanation: The Windows event forwarding model supports a subscription mechanism, allowing centralized collection of events.
Which of the following can be used for configuring Windows Security event collection? (Multiple select)
- A. Group Policy
- B. Local Policy
- C. Active Directory
- D. PowerShell
Answer: A,B,D.
Explanation: Group Policy, Local Policy, and PowerShell can all be used to configure Windows Security event collection.
True or False: Event Collection can only be configured on the local machine.
- True
- False
Answer: False.
Explanation: Windows Security event collection can be configured either locally or through the use of Group policy settings at a domain level.
What is the primary requirement for Source Computers for event collection to occur? (Single select)
- A. They should be part of a workgroup.
- B. They should be standalone computers.
- C. They should be a part of the domain.
- D. None of the above.
Answer: C. They should be a part of the domain.
Explanation: Source computers should be part of a domain to facilitate Windows Security event collection.
Which of the following are prerequisites for configuring the Windows Event Forwarding? (Multiple select)
- A. WEF Server
- B. Certificates
- C. Source Initiated Event Forwarding
- D. Collector machine
Answer: A, B, D.
Explanation: To configure Windows Event Forwarding, a WEF Server, certificates, and a collector machine are necessary.
True or False: The event collection process can be viewed in the “Applications and Services Logs” in Event Viewer.
- True
- False
Answer: True.
Explanation: The status of the event collection process can be viewed under “Applications and Services Logs” in the Event Viewer.
The Windows Event Collector service runs under what account by default?
- A. Network Service Account
- B. Local system account
- C. Administrator account
- D. Local service account
Answer: B. Local system account.
Explanation: The Windows Event Collector service, by default, runs under the Local System account.
True or False: You cannot monitor incoming events in real time by using Subscriptions.
- True
- False
Answer: False.
Explanation: Event Viewer allows you to create subscriptions, and thus real-time monitoring of incoming events is possible.
For event collection, Microsoft recommends using which delivery optimization option?
- A. Normal
- B. Minimize Bandwidth
- C. Minimize Latency
- D. Custom
Answer: C. Minimize Latency.
Explanation: Microsoft’s best practice for security event collection is to use the “Minimize Latency” delivery optimization.
True or False: Even if the Windows Event Log service is paused or stopped, the Windows Event Collector can still collect events.
- True
- False
Answer: False.
Explanation: The Windows Event Collector relies on the Windows Event Log service. If this service is paused or stopped, the Windows Event Collector will be unable to function properly.
Which subscription type can support computers running Windows XP and Windows Server 2003 as Source Computers?
- A. Collector Initiated Subscriptions
- B. Source Initiated Subscriptions
- C. None of the above
- D. Both A and B
Answer: A. Collector Initiated Subscriptions
Explanation: Collector Initiated Subscriptions support backward compatibility and thus, are suitable for computers running Windows XP and Windows Server 2003 as Source Computers.
Event collection configuration for Windows event forwarding can be implemented via which command-line tool?
- A. CMD
- B. PowerShell
- C. Each of the above
- D. None of the above
Answer: B. PowerShell
Explanation: PowerShell is the recommended command-line tool for event collection configuration in Windows Event Forwarding.
True or False: To set up event settings, you can either open Event Viewer or select “Computer Management” from System Tools.
- True
- False
Answer: True.
Explanation: Both Event Viewer and Computer Management can be used to set up event settings.
What does the “-Credential” parameter represent in PowerShell while configuring Windows Security event collection?
- A. The user credential which the PowerShell script should run under
- B. The credential used to authenticate the source computer
- C. The credential of the person performing the event
- D. The credentials of the system administrator
Answer: A. The user credential which the PowerShell script should run under.
Explanation: “-Credential” parameter in PowerShell is used to specify the user credential under which the script should run.
True or False: The “MaxTime” query in an event subscription specifies the maximum amount of time an event can remain in the forwarder’s queue.
- True
- False
Answer: True.
Explanation: The “MaxTime” query specifies the maximum amount of time an event will be kept in the forwarder’s queue before being deleted if it can’t be delivered to the collector.
Interview Questions
What is Windows Security Event collection?
Windows Security Event collection is a service that enables administrators to collect events from remote computers and transfer them to a central console on a computer running Windows Server, thus aiding in the managing and monitoring of security-related events.
Which tool in Windows can be used to view Security Events?
The tool used to view Security Events in Windows is the Event Viewer.
How can Administrators filter Security Events in Windows?
Administrators can filter Security Events in Windows by using the Filter Current Log dialog box within the Event Viewer.
Which subscription type is typically used for a high event delivery rate in Windows Event Collection?
The subscription type typically used for a high event delivery rate in Windows Event Collection is “Source Initiated” subscription.
How can an administrator initiate a connection for event collection in Windows?
An administrator can initiate a connection for event collection in Windows by specifying the event sources with the fully qualified domain name (FQDN), NetBIOS name, or IP address of the source computers.
What is the purpose of Windows Event Collector Service?
The purpose of the Windows Event Collector Service is to retrieve events from remote computers and store them in the local Event log.
What is the main protocol used by Windows Event Collection?
The main protocol used by Windows Event Collection is WS-Management protocol.
What is the purpose of the Windows Remote Management service in Windows Security Event Collection?
The Windows Remote Management service enables administrators to remotely execute management scripts on Windows-based computers, allowing for remote event collection.
What is the purpose of the Wevtutil command-line tool in the context of Windows Security Event Collection?
The Wevtutil command-line tool allows administrators to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and remove logs.
How can one verify if the Windows Event Collector service is running?
One can verify if the Windows Event Collector service is running by typing “services.msc” in the Run dialog, which opens a list of services. The Windows Event Collector service should be listed as running in this list.
What are the security implications if the Windows Event Collector service is disabled?
If the Windows Event Collector service is disabled, the system may not be able to detect, log or inform administrators about critical security events or issues. This could potentially leave the system vulnerable to security threats.
How can you set up the collector computer within the Windows Event Collection system?
You can set up the collector computer within the Windows Event Collection system by enabling the Windows Remote Management service, configuring the Windows Event Collector service to start automatically, and creating a Windows Event Collection subscription.
In Windows Event Collection, what is the difference between “Collector initiated” and “Source initiated” subscriptions?
“Collector initiated” subscriptions are where the collector system configures the source systems to forward events, whereas in “Source initiated” subscriptions, the source systems are preconfigured to forward events to specific collectors.
How do you define which events the source computers forward in a subscription?
The events the source computers forward in a subscription are defined by an XPath query (the Select filter) in the subscription’s properties.
Why is it important to configure both the Windows Event Collector service and the Windows Remote Management service for Windows Event Collection?
It’s important to configure both the Windows Event Collector service and the Windows Remote Management service for Windows Event Collection to establish a secure and effective communication and management link between the source and the collector. They work together to ensure appropriate event forwarding and collection.