How to streamline Windows monitoring for better security

If you’re responsible for a significant number of Windows servers, you already understand the importance of being aware of the health and security of your environment. Unfortunately, you’re probably also aware of the tremendous amount of effort and resources required to monitor your Windows environment.

Let’s take a look into why and how you should be closely monitoring your Windows server environments from a security perspective. We’ll investigate the types of logs, events and other actions that you should consider. Finally, we’ll look at how you centralize monitoring into a primary dashboard, and automate many of the tedious aspects of Windows security monitoring.

Why monitor Windows Security?

We’re all painfully aware of the consequences of a security failure within our infrastructure. Data breaches, disruptive attacks and other security threats are frequent occurrences, and while the results can be catastrophic, they often begin with minor, tell-tale signs. Monitoring your Windows environment and knowing what to look for are critical components of a comprehensive and successful security plan.

In addition to understanding the importance of monitoring, it’s also critical to know what types of metrics, events and logs you should monitor and why. Windows systems manage access through user accounts and group membership. Comprehensive monitoring includes viewing changes to user accounts and group membership.

Windows systems also monitor events within the systems, including successful and unsuccessful login attempts. The system also creates and maintains logs that contain information related to authentication and updates to the system configuration, applications and system errors.

Identifying the right metrics to monitor

Now that we know why monitoring is essential and have an idea of the types of things we should watch, let’s take a deeper dive into specific items that require your attention.

Accounts and access events

You need to be aware of updates to the user accounts on your systems. Monitoring includes new accounts created, accounts disabled, and changes to passwords, including account lockouts. You also want to monitor the user groups on the system, looking for creation and modification events and changes to the group membership. Privilege escalation and modification are vital to watch, as this is a favorite way for those with evil intent to expand their level of access. Role-based access controls can help.

Windows logging

The Windows operating system generates a plethora of information in the form of logs. You want to keep a close eye on Windows event logs that include clearing audit logs, as hackers erase their tracks. You also want to pay attention to error logging and account access logs. Finally, you must ensure your security logs never exceed the storage capacity, preventing the system from recording all events and leaving you in the dark about what has happened in the system.

Application and registry changes

The Windows Registry is a database that contains all the low-level configurations for your system. The registry may also be used as an essential source of information about which applications are installed, including malware. Tracking changes to the registry and ensuring that it matches what you expect to observe is vital for security monitoring.

Windows performance metrics

We didn’t mention this above, but monitoring the system’s health is vitally important— specifically disk activity, network throughput, memory usage, and CPU usage. CPU time, network activity, and memory usage are also helpful when considering the processes and applications that use each system resource. Understanding the usage requirements and resources allocations for each of your applications and processes is also essential.

Automating to solve the problem of scale

Knowing which metrics, logs and events you need to track is half the battle; the other half involves managing this level of monitoring at scale. Especially if you’re supporting an organization with Windows servers deployed on one of the large public clouds. You might be responsible for monitoring hundreds, if not thousands, of systems concurrently. If this is the case, then manual monitoring is prohibitive due to resource constraints, and there is a high likelihood of your missing critical events.

Automation is one essential part of the solution to this problem. Ideally, you’d install a collector on each server that collects logs, events, and other vital metrics from the host system. This collector then forwards all this information to a central location, which aggregates all the logs and events, executes anomaly and error detection routines, and displays summary information for your support teams to review.

It may be possible to construct such a system yourself. Still, you can save your organization from making a significant investment (and yourself from some severe headaches) by partnering with Sumo Logic. We’ve spent years researching, developing, and perfecting a Windows monitoring solution. Let’s walk through the steps to follow to bring your Windows servers onboard.

Sumo Logic provides dashboards to better manage and maintain your Windows environments

Installing the Windows Collector

The Sumo Logic Windows Collector has support for Windows 7 through 10, and Windows Server 2012 through Server 2019. Check out the official documentation for a detailed description of system requirements and more comprehensive installation instructions. The collector comes with a UI installation tool or a command-line installer. The command-line installer provides more access to the most advanced features.

Manually installing the collector will be the best approach if you’re testing this out on a few machines, but it isn’t sustainable for large and dynamic systems with many servers. In the case of expansive ecosystems, you may consider adding the collector to the base or foundational machine image you use for all new builds and deployments.

Each collector in the ecosystem needs an authentication token or an access key to ensure that only collectors associated with your account are reporting their metrics. After the installation is complete, you’ll need to configure the collector to gather metrics and information from local sources on the machine. The configuration can be set using an encoded JSON file to simplify the process. Local sources can include system metrics, log files, and other local Windows event sources on the host system or remote event log sources.

Preconfigured dashboards with the Windows App

Once you’ve installed, authenticated and configured the collectors on your Windows services, you can log in to your SumoLogic account to view the collected logs, events, and other metrics in a preconfigured dashboard. The data from each collector should be viewable if you navigate to Manage Data > Collection > Collection. Once you’ve validated that the collectors are connected to your account and gathering data, installing the preconfigured dashboard is next.

Within your account, navigate to the App Catalog. SumoLogic offers a couple of different Windows applications. The Windows JSON App contains dashboards and analytics for Windows Security, System and Applications. Select the App to install it, specifying the data source for the App, and any custom data filters. The data filters allow you to limit the scope of the application to the Windows installations you’re most interested in viewing and analyzing.

You can learn more about this Windows App here, including screenshots and best practices for understanding and interpreting the results displayed. A helpful dashboard from a security perspective is in the Login Status. This dashboard lets you keep track of failed and successful login attempts, as well as remote desktop sessions and geographical disbursement of login attempts.

Windows - Login Status Dashboard

Additional dashboards allow you to observe error reporting, application and performance metrics, and changes to groups and policies. Each of these provides unique insights to help you better manage the security of your Windows servers.

Learning More
If you learn better by playing with new technologies and seeing what you can get them to do, you can sign up for a free trial of SumoLogic, and experiment with collecting, analyzing, and reporting on metrics from your Windows Services. In addition to the free trial, you also have access to a comprehensive support portal that includes documentation, an active user community, and a knowledge base.

Read our ultimate guide to Windows event logging.