Hi all-

First of all, sorry for the multiple cross-posts; I tried to pick out
germane groups to post to, so sorry-in-advance if it's not appropriate.

Anyway, getting down to business:

As one of three AD administrators for a campus of more than 50000 users, I'm
a little strapped for time. However, one of the major things that needs
paying attention to is security on servers -- especially domain controllers
(the recent RPC exploit madness just reiterated that fact).

What I'm wondering is what tools other network admins [yes, you!] have
used -- via VBScript and WMI -- to automate the process of security
auditing.

Ideally, I would have a VBScript that fires off once every fifteen minutes,
looks for weirdness (i.e., >400 failed login attempts from the same
workstation or for the same username) in the logs of a list of
computers, then outputs the results to a file, and, if weirdness was found,
emails a short text message to my phone. Is this even possible?!?!

Thanks in advance,

chris.

----------------------------------------------
Christopher Gautam Hota
Information and Media Technologies
University of Wisconsin - Milwaukee
(414) 229-3186 office
(414) 840-4682 cell
----------------------------------------------

Re: VBScript for server security monitoring? by Larry

Larry
Sat Aug 09 03:35:14 CDT 2003

"Christopher Hota" <cghota@uwm.edu> wrote in message
> Hi all-
>
> First of all, sorry for the multiple cross-posts; I tried to pick out
> germane groups to post to, so sorry-in-advance if it's not appropriate.
>
> Anyway, getting down to business:
>
> As one of three AD administrators for a campus of more than 50000 users, I'm
> a little strapped for time. However, one of the major things that needs
> paying attention to is security on servers -- especially domain controllers
> (the recent RPC exploit madness just reiterated that fact).
>
> What I'm wondering is what tools other network admins [yes, you!] have
> used -- via VBScript and WMI -- to automate the process of security
> auditing.
>
> Ideally, I would have a VBScript that fires off once every fifteen minutes,
> looks for weirdness (i.e., >400 failed login attempts from the same
> workstation or for the same username) in the logs of a list of
> computers, then outputs the results to a file, and, if weirdness was found,
> emails a short text message to my phone. Is this even possible?!?!
>
> Thanks in advance,
>
> chris.


Have you looked through the Monitoring section here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp

LFS



Re: VBScript for server security monitoring? by Roger

Roger
Sat Aug 09 11:22:49 CDT 2003

What you will encounter is that cross-correlating event msgs,
even a narrowly filtered set of them, from many machines is
a significant chunk of code (you did say in script); and, the load
you will be placing on the systems and network if you simply
pull the event records actively on schedule is not small.
Alternatively, you can set up WMI events on the systems of
concern so that they hoist the desired event log messages to
a central store, and then you only need to monitor this central
store rather than actively poll from the machines.

You might want to look at how this has been designed into the
MOM product. In my experience, with systems that have large
security logs, sending over WMI queries to get events matching
a where clause is not the way to go (WMI repository has no
benefit from indexing so this is a processor intensive full scan
of the event log).

When the Windows 2000 Server Operation Guide was released, it
was accompanied by a free GUI tool to filter into event logs
of multiple machines. You might want to pick up on this tool and
also institute a practice of event log archiving so that the size of
the live logs can be reduced.

If you continue the thread, please consider trimming the
newsgroups to public.windows.server.scripting
which I believe would be the correct one for your posting.

--
Roger Abell
MS MVP (Windows, Security)
MCDBA MCSE W2k+NT4

"Christopher Hota" <cghota@uwm.edu> wrote in message
news:Ofo5lrkXDHA.736@TK2MSFTNGP09.phx.gbl...
> Hi all-
>
> First of all, sorry for the multiple cross-posts; I tried to pick out
> germane groups to post to, so sorry-in-advance if it's not appropriate.
>
> Anyway, getting down to business:
>
> As one of three AD administrators for a campus of more than 50000 users, I'm
> a little strapped for time. However, one of the major things that needs
> paying attention to is security on servers -- especially domain controllers
> (the recent RPC exploit madness just reiterated that fact).
>
> What I'm wondering is what tools other network admins [yes, you!] have
> used -- via VBScript and WMI -- to automate the process of security
> auditing.
>
> Ideally, I would have a VBScript that fires off once every fifteen minutes,
> looks for weirdness (i.e., >400 failed login attempts from the same
> workstation or for the same username) in the logs of a list of
> computers, then outputs the results to a file, and, if weirdness was found,
> emails a short text message to my phone. Is this even possible?!?!
>
> Thanks in advance,
>
> chris.
>
> ----------------------------------------------
> Christopher Gautam Hota
> Information and Media Technologies
> University of Wisconsin - Milwaukee
> (414) 229-3186 office
> (414) 840-4682 cell
> ----------------------------------------------
>
>
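
Added example, not part of any post in this thread: the threshold check from the original question, run over records that have already been forwarded to a central store as Roger suggests, instead of polling each server. The pipe-delimited record layout, the server and account names, and the choice of event ID 529 (the Windows 2000/Server 2003 "unknown user name or bad password" logon failure) are assumptions, and the sample records are constructed.

```vbscript
Option Explicit
Const THRESHOLD = 400          ' ">400 failed login attempts" from the original post
Const WINDOW_SECONDS = 900     ' fifteen-minute run interval from the original post

' Return one report line per key whose count exceeds THRESHOLD.
Function Offenders(dict, label)
    Dim key, report
    report = ""
    For Each key In dict.Keys
        If dict(key) > THRESHOLD Then
            report = report & label & " " & key & ": " & _
                     dict(key) & " failed logons" & vbCrLf
        End If
    Next
    Offenders = report
End Function

' records: array of "timestamp|server|eventcode|user|workstation" lines
' (assumed central-store format). Counts event 529 inside the window ending at asOf.
Function AuditFailures(records, asOf)
    Dim byUser, byHost, line, f, age
    Set byUser = CreateObject("Scripting.Dictionary")
    Set byHost = CreateObject("Scripting.Dictionary")
    byUser.CompareMode = vbTextCompare   ' account names are case-insensitive
    byHost.CompareMode = vbTextCompare
    For Each line In records
        f = Split(line, "|")
        If UBound(f) = 4 Then            ' skip malformed lines
            age = DateDiff("s", CDate(f(0)), asOf)
            If f(2) = "529" And age >= 0 And age < WINDOW_SECONDS Then
                byUser(f(3)) = byUser(f(3)) + 1   ' a missing key starts at Empty (0)
                byHost(f(4)) = byHost(f(4)) + 1
            End If
        End If
    Next
    AuditFailures = Offenders(byUser, "user") & Offenders(byHost, "workstation")
End Function

' Constructed sample: 401 failures from one workstation spread over three
' accounts, plus one stale record that falls outside the window.
Dim sample(401), i, asOf
asOf = Now
For i = 0 To 400
    sample(i) = CStr(DateAdd("s", -i, asOf)) & "|DC1|529|user" & (i Mod 3) & "|LAB-PC-07"
Next
sample(401) = CStr(DateAdd("n", -30, asOf)) & "|DC1|529|user0|LAB-PC-07"
WScript.Echo AuditFailures(sample, asOf)
```

Run it with `cscript //nologo`. The sample flags the workstation but none of the three accounts, which is why the count is kept per workstation and per username separately.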



Re: VBScript for server security monitoring? by Susan

Susan
Sun Aug 10 00:48:16 CDT 2003

Grab a copy of this month's Win Net mag for Mark Minasi's article on pulling a
remote query.

Microsoft Windows XP - Eventquery.vbs:
http://www.microsoft.com/TechNet/prodtechnol/winxppro/proddocs/eventquery.asp?frame=true

The /s systemname /u username /p password options are needed for a remote system:

eventquery /L security /s remotepc /u jane /p password

Christopher Hota wrote:

> Hi all-
>
> First of all, sorry for the multiple cross-posts; I tried to pick out
> germane groups to post to, so sorry-in-advance if it's not appropriate.
>
> Anyway, getting down to business:
>
> As one of three AD administrators for a campus of more than 50000 users, I'm
> a little strapped for time. However, one of the major things that needs
> paying attention to is security on servers -- especially domain controllers
> (the recent RPC exploit madness just reiterated that fact).
>
> What I'm wondering is what tools other network admins [yes, you!] have
> used -- via VBScript and WMI -- to automate the process of security
> auditing.
>
> Ideally, I would have a VBScript that fires off once every fifteen minutes,
> looks for weirdness (i.e., >400 failed login attempts from the same
> workstation or for the same username) in the logs of a list of
> computers, then outputs the results to a file, and, if weirdness was found,
> emails a short text message to my phone. Is this even possible?!?!
>
> Thanks in advance,
>
> chris.
>
> ----------------------------------------------
> Christopher Gautam Hota
> Information and Media Technologies
> University of Wisconsin - Milwaukee
> (414) 229-3186 office
> (414) 840-4682 cell
> ----------------------------------------------

--
"Don't lose sight of security. Security is a state of being, not a
state of budget. He with the most firewalls still does not win.
Put down that honeypot and keep up to date on your patches. Demand
better security from vendors and hold them responsible. Use what
you have, and make sure you know how to use it properly and effectively."
~ Rain Forest Puppy

http://www.wiretrip.net/rfp/txt/evolution.txt