How to Look for Suspicious Activities in Windows Servers

You are running a large production environment with many Windows servers.
There are multiple forests in the network and some forests have multiple domain controllers.

Your Windows server security is paramount – you want to track and audit suspicious activities and view detailed Windows reports extracted from the Windows servers event logs.

Read the article, with images and design here > https://www.xplg.com/windows-servers-security-suspicious-activities/

Looking for suspicious activities in Windows is important for many reasons:

• There are more virus and malware for Windows than Linux.
• People often leave their remote desktop sessions running when they disconnect, making those sessions prime targets for unauthorized takeover.
• Service accounts are often made domain administrators circumvent access issues.
• Known passwords of service accounts become open backdoors for hackers.
• Antivirus and local firewalls are sometimes disabled to get acceptable application performance.
• Patching cycles are missed or sometimes altogether ignored, making Windows systems vulnerable to potential attacks.

Bottom line: Prevention is better than cure, that’s why all possible security measures should be taken.

Download XpoLog 7 free and discover suspicious events automatically!Boom > http://bit.ly/2XGJOJV,

Windows Server Reports
There should be a robust security monitoring process in place.

This type of monitoring keeps an eye on who or what’s logging into a Windows server and when, and if those log in events look suspicious or out of normal.

This not only helps catch potential threats early, but it also provides a trail to follow when a breach happens.

Windows Reports – What to look for?
As a security conscious administrator, you want to keep an eye on a number of events such as:

• Successful or failed login attempts to the Windows network, domain controller or member servers.
• Successful or failed attempts of remote desktop sessions.
• Password lockouts after repeated login attempts.
• Successful or failed login attempts outside business hours.
• Adding, deleting or modifying local or domain user accounts or groups.
• Adding users to privileged local or active directory groups.
• Clearing event logs in domain controllers or member servers.
• Changing local audit policies and group policies.
• Changing or disabling Windows firewall or firewall rules.
• Adding new services, stopping or deleting existing services.
• Changing registry settings.
• Changing critical files or directories.

In this tutorial, we will talk about enabling some important security audits in Windows servers to help catch possible threats.

After reading this tutorial: you will have enough information to boost your Windows servers security level and workstation fleet and protecting them against malicious activities!

Read the full article here > https://www.xplg.com/windows-servers-security-suspicious-activities/

42 Critical Security Events To Follow
There are some critical security-related events you should include in your audit views and regular searches.

We have compiled a list of these event IDs and their descriptions in this helpful “cheat sheet". You can access the list from the article on our blog as well.