2.8 Keeping Your Eyes Open

The key to successful security is constant vigilance. While you can configure your servers with strong passwords, restrictive security policies, and powerful network protection, attackers can almost always find a way to get through if they're determined enough. The only way to catch them is to constantly be on your guard. This includes watching for security intrusion signs, patching security vulnerabilities immediately, and remaining alert for new conditions that could expose your enterprise to attack.

Windows Server 2003 provides a number of tools for monitoring security. The Windows Event Log has an entire Security Log in it, and Windows supports complete security auditing for file and object access, user logons, and so forth. You'll learn more about auditing in Chapter 15, where I'll also discuss the Security Log in more detail and show several types of security events that you can look for in your environment. Web sites, DNS services, and many other network services maintain their own logs, which you can review for possible security problems. You'll learn about those services and their security implications throughout this book.

Of course, you'll want to establish a regular pattern of security checks in your environment. That way, you'll be sure to check each and every facet of your organization that is open to security breaches. The exact contents of a security checklist will depend on your organization's security needs, but might include:

Checking the Security Event Log for any unusual messages

If you've enabled auditing, watch for events that indicate a user is being repeatedly denied access to a file. That behavior may indicate an in-progress attack.

Watching the Security Event Log for logon failures

Repeated logon failures are often the first pointer to an attacker running a dictionary attack, whether or not that attack eventually succeeds.

Inventorying servers' software regularly

Conduct regular inventories of the software installed on all servers to be sure unauthorized software hasn't been installed. Use Task Manager to view running processes and make sure each one is approved within your organization.

Reviewing firewall and intrusion detection system logs to look for attacks

Some firewall products can even scan their own logs for common attacks and alert you automatically; check your firewall product to see if it has this or other intrusion detection features.
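As an added example (not from the book), here is a small Python script that automates the first two checklist items over an exported Security log: it flags accounts with a burst of logon failures and users repeatedly denied access to an object. It assumes a simplified CSV layout (type,date,time,event_id,user) with constructed sample rows rather than an exact Event Viewer export, and uses the Windows Server 2003 event IDs for logon failures (529 through 535, 539, 680) and object access (560).

```python
import csv
import io
from datetime import datetime, timedelta

# Windows Server 2003 (pre-Vista) Security log event IDs for the two checks.
LOGON_FAILURE_IDS = {529, 530, 531, 532, 533, 534, 535, 539, 680}  # logon/account logon failures
OBJECT_ACCESS_ID = 560  # object open; a Failure Audit row means access was denied

# Constructed sample rows (type,date,time,event_id,user); assumed layout, not an exact Event Viewer export.
SAMPLE_LOG = """\
Failure Audit,2004-03-01,09:00:01,529,CORP\\jsmith
Failure Audit,2004-03-01,09:00:02,529,CORP\\jsmith
Failure Audit,2004-03-01,09:00:03,529,CORP\\jsmith
Failure Audit,2004-03-01,09:00:04,529,CORP\\jsmith
Failure Audit,2004-03-01,09:00:05,539,CORP\\jsmith
Failure Audit,2004-03-01,09:15:00,529,CORP\\bjones
Failure Audit,2004-03-01,14:15:00,529,CORP\\bjones
Failure Audit,2004-03-01,10:30:00,560,CORP\\tmiller
Failure Audit,2004-03-01,10:30:05,560,CORP\\tmiller
Failure Audit,2004-03-01,10:30:09,560,CORP\\tmiller
Success Audit,2004-03-01,10:31:00,560,CORP\\tmiller
"""

def parse_events(text):
    """Parse the CSV rows into (audit_type, timestamp, event_id, user), oldest first."""
    rows = [(kind, datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"), int(eid), user)
            for kind, d, t, eid, user in csv.reader(io.StringIO(text))]
    return sorted(rows, key=lambda r: r[1])

def burst_users(events, wanted_ids, threshold, window):
    """Users with >= threshold Failure Audit events from wanted_ids inside one sliding window."""
    per_user = {}
    for kind, stamp, eid, user in events:
        if kind == "Failure Audit" and eid in wanted_ids:
            per_user.setdefault(user, []).append(stamp)
    flagged = {}
    for user, stamps in per_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # drop stamps older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def scan(text, window=timedelta(minutes=10)):
    """Run both checklist items; returns {check: {user: peak failure count within window}}."""
    events = parse_events(text)
    return {"logon_failures": burst_users(events, LOGON_FAILURE_IDS, 5, window),
            "access_denied": burst_users(events, {OBJECT_ACCESS_ID}, 3, window)}
```

Calling `scan(SAMPLE_LOG)` flags jsmith (five logon failures in four seconds) and tmiller (three denied object opens), while bjones's two failures five hours apart stay below the window threshold.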

Chapter 15 contains a more complete guide to ongoing auditing and security maintenance.