Newsletters
|
| For media and analyst queries, please contact:
Harmala Singh-Francois Phone: (443) 539-3773 hfrancois@prismmicrosys.com |
EventSource May 2007 – The New Face of Security Attacks: The Danger Within!
Featured Article
Automate Vista Events
Microsoft has made some considerable changes to event management in Windows Vista. One major change is the way you can link events to automated tasks. This article is the fourth in a series that demystifies the Vista Event Log.
by Danielle Ruest and Nelson Ruest
When you manage events, you often wish you could generate automatic actions when specific events occur. For example, it would be nice if you could automatically delete temporary files and send a notification to desktop technicians when PC disk drives get too full. In another scenario, it would be nice if you could receive automatic notification when unauthorized users try to log on to workstations that contain access to highly sensitive or confidential information. Or even better, display a message telling users they are trying to access unauthorized systems and then, send an email to appropriate authorities.
All of these things are now possible in Windows Vista. This is because Microsoft has revamped both the Event Log and the Task Scheduler and linked both together. Vista’s Task Scheduler is a much more powerful engine for task management and automation. And, when it is linked to the Event Log, the Task Scheduler becomes a strong engine for proactive systems management.
Linking events to automated tasks is a very straightforward process. It can be done in one of three ways:
- Through the Task Scheduler
- Through the Event Viewer
- Through the command line
When creating either a basic or an advanced task in the Task Scheduler, you can select an event as the trigger for the task. Use the following procedure:
- Create a new task (either basic or advanced).
- Name the task and assign its credentials.
- Select On an event as the task trigger.
- Choose either Basic or Custom as the event setting.
- Basic settings let you select which event log will be the source of the event, then which event source and finally, which event ID to look for (see Figure 1).
- Custom settings let you create an Event Filter, letting you determine exactly how the task should be launched based on a series of filtered conditions.
- Then continue adding the task properties such as conditions, actions and settings.
That’s it, simple isn’t it? It gets even better when you generate the task from the Event Viewer. Here you repeat much the same process, except that the task is generated from the event itself instead of the other way around.
Figure 1. Using the Basic Setting to Attach a Task to an Event
When you create an automated task from the Event Viewer, use the following procedure:
- First locate the event you want to attach the task to. You can either drill down to the event or create a filter to locate the event.
- Next, either right-click on the event to select Attach Task To This Event or use the action pane to click on the same command.
- This automatically launches the Basic Task wizard.
- Run through the wizard’s panes to generate the task.
Figure 2. Generate a Task from an Event
The last method is to use the command line to link a task to an event. To do so, you will need several values:
- The Event Log from which the event is generated
- The source of the event
- The event ID
These values can be obtained either through the Event Viewer or through the wevtutil.exe command using the proper switches. For example, you might use:
wevtutil qe Security /c:n /rd:true /f:text
which would query the Security Event Log to obtain the latest events by reversing the list of events (/rd:true) and displaying then in text format (/f:text) as opposed to the default XML format. In this command line, the value for n should be a number indicating how many events you want returned by the command.
Then, once you have the values you need, you can use the Task Scheduler command to generate the task. For example, you might use:
schtasks /create /TN taskname /TR action /SC ONEVENT /EC System /MO *[System/EventID=IDnumber]
where taskname is the name you want to assign to the task, action is the action to perform, and IDnumber is the ID number of the event which will act as a trigger for the task. In this example, the source Event Log is the System log. The task schedule is based on the occurrence of the event and is modified to identify the event ID.
As you can see, the combination of the Event Log with the Task Scheduler opens the door for several system management activities. And, since Vista offers a much more detailed and rich event management structure, the possibilities are endless. Tasks can be generated on one machine and exported in XML format to be imported to any other system.
In addition, tasks can run either locally or remotely. This is because Vista includes an updated implementation of Microsoft’s remote management infrastructure: Windows Remote Management (WinRM). In the next article, we will examine the remoting capabilities of the Vista Event Log as we take an in-depth look at WinRM and its use as the engine for collecting events from remote machines and sending them to a central event collector system.
About the Authors
Danielle Ruest and Nelson Ruest, MCSE+Security, MCT, Microsoft MVP, are IT professionals specializing in systems administration, migration planning, software management and architecture design. They are authors of multiple books, and are currently working on the Definitive Guide to Vista Migration (www.realtime-nexus.com/dgvm.htm) for Realtime Publishers as well as the Complete Reference to Windows Server Codenamed “Longhorn” for McGraw-Hill Osborne. They have extensive experience in systems management and operating system migration projects.
Hot Topics
The Top 5 Internal Security Threats
For years, the specter of viruses, trojans and worms caused many a chief security officer to lose sleep. But it’s the enemy within that is now prompting IT staffers to ramp up security efforts. According to Forrester Research, the majority of security breaches involve internal employees, with some estimates as high as 85 percent.
Cool Tools and Tips
How to Audit Server Room Security
The server room is a service provider. Anything that disrupts -- or has the potential to disrupt -- the services fulfilled by the server room is a vulnerability that must be addressed promptly. It is critical to periodically conduct an audit to identify risks that affect the physical security, practices and continuity of the server room.
Fifty Critical Alerts for Windows Servers
Identify the most important events generated by your windows servers for quick and efficient resolution. The strategic benefit of monitoring these critical events combined with a robust resolution strategy is significant for the reduction of IT costs while ensuring increased service availability and enhanced security for your enterprise.
Industry News
USDA Admits to Massive Data Breach
USDA officials said the agency became aware of the potential exposure of Social Security numbers on April 13, when a funding recipient notified the agency that she was able to ascertain identifying information on the government web site.
Lawmakers Decry Continued Vulnerability of Federal Computers
Recent hacks into government networks that maintain sensitive information have generated a growing recognition that current federal mandates are inadequate to prompt improved security.
Prism Microsystems Announces New EventTracker Training Program
Prism Microsystems now offers a public training course for all EventTracker users - Essential EventTracker for Technical Professionals. This 2-day hands-on training class is designed for technical professionals who are responsible for implementation, configuration and day-to-day usage of EventTracker to monitor, analyze and report on event log data. The first class will be held June 19-20, 2007.
Featured Webinar
Improve Data Security and Meet the PCI-DSS Compliance Requirement
With the recent reports of stolen credit card information, achieving and maintaining compliance with PCI regulations has become critical. The cost of recovering from such incidents is extremely high in terms of both IT costs and loss of consumer trust. Are you sure your data is as secure as it should be? This webinar will discuss the PCI-DSS compliance requirements, how to improve your data security, and how EventTracker can help you maintain confident compliance.
Legal
This document is provided for informational purposes only. The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Prism and Prism cannot guarantee the accuracy of any information presented after the date of publication.
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT.
The user assumes the entire risk as to the accuracy and the use of this document. This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Prism's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit. All trademarks acknowledged. Copyright Prism Microsystems, Inc. 2005.
Prism Microsystems, Inc.
6990 Columbia Gateway Drive Suite 250
Columbia MD 21046