Wednesday, June 08, 2005

MS Security Document

I ran across an interesting document today at the MS Download Center entitled, "The Security Monitoring and Attack Detection Planning Guide" (in PDF).

So far, all I've given it is a quick glance, but it looks like it has some fairly good information in it. For example, chapter 2 discusses tools for correlating security events. But there's a big "uh-oh" in there, too. The document mentions the Event Comb MT tool used for correlating Security Event Log entries (and ONLY Security Event Log entries) from across machines...but then goes on to state that Event ID 12294 (account lockout threshold exceeded on the default Administrator account) is reported to the System Event Log. Doh!
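
The gap described above, as an added example that is not part of the original post or the Microsoft guide: a cross-machine search scoped to the Security log returns nothing for Event ID 12294, while the same search with the System log included finds it. The records, host names and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_LOCKOUT_ID = 12294  # event ID named in the post; reported to the System log

# Constructed sample records (host, log, event ID, timestamp); not real data.
# The other event IDs are filler so the search has something to skip.
SAMPLE_EVENTS = [
    ("DC01", "Security", 529,   "2005-06-08 09:00:01"),
    ("DC01", "System",   12294, "2005-06-08 09:00:05"),
    ("DC01", "System",   12294, "2005-06-08 09:03:40"),
    ("DC02", "Security", 529,   "2005-06-08 09:01:12"),
    ("DC02", "System",   12294, "2005-06-08 09:02:30"),
    ("FS01", "System",   7036,  "2005-06-08 09:02:00"),
    ("FS01", "Security", 540,   "2005-06-08 09:04:00"),
]

def find_events(events, event_id, logs):
    """Group timestamps of event_id by host, looking only in the named logs."""
    hits = defaultdict(list)
    for host, log, eid, ts in events:
        if eid == event_id and log in logs:
            hits[host].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    return {host: sorted(times) for host, times in hits.items()}

def hosts_in_window(hits, window):
    """Hosts whose first hit falls within `window` of the earliest hit anywhere."""
    if not hits:
        return []
    start = min(times[0] for times in hits.values())
    return sorted(h for h, times in hits.items() if times[0] - start <= window)

def coverage_gap(events, event_id):
    """Hosts that logged event_id but are invisible to a Security-only search."""
    security_only = find_events(events, event_id, {"Security"})
    all_logs = find_events(events, event_id, {"Security", "System"})
    return sorted(set(all_logs) - set(security_only))

if __name__ == "__main__":
    narrow = find_events(SAMPLE_EVENTS, ADMIN_LOCKOUT_ID, {"Security"})
    wide = find_events(SAMPLE_EVENTS, ADMIN_LOCKOUT_ID, {"Security", "System"})
    print("Security log only:", narrow)
    print("Security + System:", {h: len(t) for h, t in wide.items()})
    print("Hosts hit within 5 minutes:",
          hosts_in_window(wide, timedelta(minutes=5)))
    print("Missed by Security-only search:",
          coverage_gap(SAMPLE_EVENTS, ADMIN_LOCKOUT_ID))
```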

For the most part, it looks like the document really addresses a lot of the common sense things that MS has been pushing for years...things like taking a look at who has Admin privileges in your organization (and why they have it), taking a system-wide approach to design (rather than a band-aid, patch it up approach), etc.

Overall, it does look like a good resource, if for no other reason than for providing Appendix A, "Exclude Unnecessary Events". This is one of those sections that made me go "hhhhmmmm"...if an event is "typical behaviour" and deemed "unnecessary", why was it included at all? Well, at least MS has provided some kind of an explanation of various events, so rather than knocking them, I'll thank them.

