
Make Active Directory Easy – Avoid Event Logs!

May 2, 2014

Featured Article By John McCann, Co-Founder of Visual Click Software

For IT professionals tasked with managing their company networks with Windows and Active Directory, event logs can be overwhelming. It’s an incredible amount of data to go through without having a true native management and reporting tool on hand.

If, for example, an IT manager discovers a secure file has been compromised, finding out who accessed it, where they accessed it from and how they received the necessary permissions would require someone to manually sort through thousands of lines in one or more event logs. This requires time that companies often don’t have when facing the risk of a data breach.

Because working through them is so exhausting, native event logs can contribute to security failures at enterprises of all sizes. Without dedicated management, log files can be rendered useless for producing forensics of critical events. This is why more organizations wish to avoid event logs altogether by using a third-party Windows Active Directory management system, such as Visual Click’s CPTRAX. The best solutions operate independently of event logs. Tools that work on top of event logs don’t solve the problem; they depend on specific audit configurations that are not uniformly implemented, owing to the nature of native logs, and can therefore produce incomplete event tracking.

Here are three reasons more companies are looking to avoid event logs altogether:

1. Implementation and Analysis Are Not Easy

Windows event logs must be configured in several different ways before they can help prevent unwanted events. First, System Access Control Lists (SACLs) must be created for the objects to be monitored. IT managers can then define the specific events they want to be alerted about, but doing so requires knowing the relevant event IDs and event sources. Defining the events to be logged improperly can result in important security-related actions or events never being logged or reported. In many cases, in fact, nothing is defined and every piece of activity is audited, leaving far too many events to review efficiently.

Once collected, the logged events must be analyzed. The native Windows Event Viewer can be used to analyze recorded events whenever needed, but it requires the user to be well versed in what data they want to extract and analyze.
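The workflow the article describes (create a SACL on the object, know the right event IDs, then dig the answer out of the Security log) can be done with native PowerShell, which also shows why it is tedious: answering “who accessed this file and from where” takes a SACL, two event IDs and a join between them. The script below is an added example, not code from the article or from Visual Click. It assumes it is run elevated, that the audit policy subcategory “Object Access\File System” is enabled for success and failure, and that the file path is a placeholder you replace.

```powershell
# Added example (not from the article): audit who touched a sensitive file using only
# native Windows tooling. Assumes an elevated session and that
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
# has already been applied, otherwise no 4663 events are ever written.
param(
    [string]$SensitiveFile = 'C:\Finance\payroll.xlsx',   # placeholder path, replace with your own
    [int]$LookbackHours = 24
)

# 1. Add a SACL entry so reads, writes and deletes by any account generate audit events.
$acl  = Get-Acl -Path $SensitiveFile -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SensitiveFile -AclObject $acl

# 2. Pull only the relevant event IDs from the Security log instead of scrolling all of it.
#    4663 = an attempt was made to access an object; 4670 = permissions on an object were changed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4670
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

# 3. Parse the XML payload and keep only events for the file of interest.
$hits = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ObjectName'] -ne $SensitiveFile) { continue }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId    = $data['SubjectLogonId']   # key for joining to the logon event (4624)
        Process    = $data['ProcessName']
        AccessMask = $data['AccessMask']
    }
}

# 4. Summarize who touched the file, how often, and through which process.
$hits | Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n = 'Processes'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 5. Follow each logon ID back to its 4624 event to learn the source workstation and address.
$logonIds = $hits.LogonId | Sort-Object -Unique
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml(); $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    if ($logonIds -contains $d['TargetLogonId']) {
        [pscustomobject]@{
            LogonId     = $d['TargetLogonId']
            User        = $d['TargetUserName']
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
            LogonType   = $d['LogonType']
        }
    }
} | Sort-Object LogonId -Unique | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind: the SACL only takes effect on accesses made after it is set, so the file must have been audited before the incident for step 3 to return anything, and the 4624 join only works while the logon event is still in the Security log, which is exactly the retention and sizing problem the article says most teams never get around to planning.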

2. Limited IT Budgets Make Continuous Monitoring Next to Impossible

Many companies do not employ experts on Active Directory or even Windows. Many of those who end up responsible for monitoring event logs are not Active Directory experts and are forced to simply do their best, despite lacking the skills or time to handle the complexity of planning and implementing Windows event logging. As a result, log analysis typically becomes a reactive process, performed only after an issue has been discovered through other means. Without processes designed and put in place to ensure event logs are routinely and actively monitored, their effectiveness drops and they become a method of documenting historical evidence for later use rather than a security defense mechanism.

3. Other Options to Event Logs Do Exist!

While Microsoft does not include a native out-of-the-box solution for integrating the event log analysis process, a variety of third-party solutions, such as Visual Click’s CPTRAX, are available. These solutions allow companies to take a more proactive approach to monitoring events. They provide single-point event configuration and let companies react to a breach almost instantaneously, since they can be easily customized with real-time alerting on selected events.

Security is more important than ever. However, the inefficiencies in event monitoring and log analysis continue to be an issue and a consistent weakness in many companies’ security defense plans. Commercial solutions that simplify the monitoring and auditing of important Active Directory events benefit customers by being the “expert” and providing relevant real-time information to aid in breach discovery and compliance with regulatory requirements.


About The Author

John McCann, co-founder of Visual Click Software, has more than 33 years of experience in the software industry. Since 1986, he has developed an array of network management and reporting tools for Novell’s NetWare and Windows NT networks. In 1987, he helped create the software metering industry, and has been called the father of software metering by the New York Times (August 21, 1994) and others. In the summer of 1989 he helped Novell create the NLM Developer’s Toolkit. In the fall of 1989 he wrote the NetWare Supervisor’s Guide, which enjoyed 7 reprints through 1995. In late 1989 he worked closely with Novell to develop the NetWare Name Service (NNS), which became Novell’s NDS/eDirectory. Throughout the period 1988-1990 he served as the lead SysOp (System Operator) for Novell’s forums (i.e. newsgroups) on The Source and on CompuServe. In October of 1993 Mr. McCann released SofTrack, which has provided software metering solutions for more than 14,000 customers worldwide. In late 1996, Mr. McCann first envisioned Visual Click Software’s first product, DSRAZOR.
