Net Report Configuration Guide
for WMI
Copyright © 2003 Net Report. All rights reserved.
http://www.net-report.net
Table of Contents
About This Document
Purpose
Technical Specifications
Task 1: Configuring Audit Policy in the Microsoft Local Security Policy Console
Task 2: Configuring Audit Object Access for Files & Directories in Microsoft Explorer
Task 3: Configuring Microsoft Event Viewer Application, Security and System Logs
About This Document
Purpose
This Net Report Configuration Guide for WMI, for Net Report versions 3.12 and later, explains how to configure Microsoft Windows Management Instrumentation (WMI) for Net Report on computers running Windows 2000 and XP.
Note: Net Report processes the Microsoft Windows Event Viewer Application, Security and System logs. This document therefore includes instructions on how to configure the Microsoft Event Viewer logs and the Microsoft Local Security Policy Console for Net Report, along with guidelines on how to configure Net Report for Microsoft WMI.
Scope
This document explains how to install and configure the Net Report for WMI (Microsoft Windows Management Instrumentation, Event Viewer Application, Security and System logs). The document is divided as follows:
Task 1: Configuring the Audit Policy in the Microsoft Local Security Policy Console.
Task 2: Configuring the Audit Object Access for Sensitive Files/Directories via Microsoft Explorer.
Task 3: Configuring Application, Security and System Logs via Microsoft Event Viewer.
Related Information
Please read the following documents which are related to Net Report’s technical documentation:
Copyright Notice: http://www.net-report.net/downloads/WebDoc/Copyright/Net_Report_Copyright_Notice.pdf
Code and Icon Conventions: http://www.net-report.net/downloads/WebDoc/Conventions/Net_Report_Code_and_Icon_Conventions.pdf
Online Help: http://www.net-report.net/us/support/sup_userhelp.html
Troubleshooting: http://www.net-report.net/us/OurDocuments/NRFAQs.htm
Glossary: http://www.net-report.net/knowledgebase/UserHelp/16_Net_Report_Glossary/Net_Report_Glossary_2.0.1.htm
Technical Specifications
The guidelines given in this document are applicable to the Microsoft Event Viewer, Microsoft Local Security Policy Console and Net Report 3.12 and greater. The Microsoft Event Viewer and Local Security Policy Consoles are browser-based configuration tools designed to help you set up, configure and monitor your Enterprise’s Applications, Security and Systems easily.
Audience
This document addresses both basic and advanced Net Report users. This Guide is also written for System Administrators who are responsible for maintaining network security. It assumes you have a basic understanding and a working knowledge of:
Microsoft Windows Management Instrumentation.
System Administration.
Unix or Windows Operating Systems.
Windows GUI.
Task 1: Configuring Audit Policy in the Microsoft Local Security Policy Console
Please note that this section is optional: configure the auditing policy which you require and which is appropriate for your Enterprise Configuration. Please note that the dashboard you generate will contain “No Data Available” for each Policy that you have not configured.
Please configure your Enterprise computers so that they log the information that WMI for Net Report needs to process the log data correctly. This section explains how to define the Audit Policy for Net Report WMI Dashboards on each computer that you wish to monitor, that is, each computer you specified in the Net Report Management Console Microsoft WMI Agent Domain List of Computers. To do so, please follow the steps below.
Steps
1. Select Start> Control Panel> Administrative Tools> Local Security Policy. The Microsoft Local Security Policy console appears.
2. Select Security Settings> Local Policies> Audit Policy in the left Security Settings pane.
3. Double-click on each of the following Policies in the central Policy pane to enable Success and Failure auditing for each policy:
a. Audit account logon events
b. Audit account management
c. Audit directory service access
d. Audit logon events
e. Audit object access
f. Audit policy change
g. Audit privilege use
h. Audit process tracking
i. Audit system events
4. Select the Success and Failure check boxes in the Local Security Setting tab.
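To confirm steps 3 and 4 on a monitored computer without opening the console, the policy can be exported with secedit /export /cfg <file> and checked offline. The script below is an added example, not part of Net Report: the function names are its own, and the sample export is constructed.

```python
"""Check a `secedit /export /cfg <file>` export against the Task 1 audit policy."""

# Key in the export's [Event Audit] section -> policy name shown in the console
POLICIES = {
    "AuditAccountLogon": "Audit account logon events",
    "AuditAccountManage": "Audit account management",
    "AuditDSAccess": "Audit directory service access",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPolicyChange": "Audit policy change",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditProcessTracking": "Audit process tracking",
    "AuditSystemEvents": "Audit system events",
}
# Export values other than 3; 3 means both Success and Failure are audited
SETTINGS = {"0": "No auditing", "1": "Success", "2": "Failure"}

def decode_export(raw):
    """secedit writes UTF-16 with a byte-order mark; accept ANSI/UTF-8 copies too."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def event_audit_section(text):
    """Return the key/value pairs of the [Event Audit] section, keys lower-cased."""
    values, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "event audit" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def audit_gaps(raw):
    """Map each policy that is not 'Success, Failure' to its current setting."""
    current = event_audit_section(decode_export(raw))
    return {name: SETTINGS.get(current.get(key.lower()), "not defined")
            for key, name in POLICIES.items() if current.get(key.lower()) != "3"}

# Constructed sample export: three policies set too low, AuditDSAccess missing
SAMPLE = (
    "[Unicode]\r\nUnicode=yes\r\n[Event Audit]\r\n"
    "AuditSystemEvents = 3\r\nAuditLogonEvents = 3\r\nAuditObjectAccess = 1\r\n"
    "AuditPrivilegeUse = 0\r\nAuditPolicyChange = 3\r\nAuditAccountManage = 3\r\n"
    "AuditProcessTracking = 2\r\nAuditAccountLogon = 3\r\n"
    "[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
).encode("utf-16")
```

An empty result from audit_gaps means all nine policies audit both Success and Failure; each entry it returns is a policy whose dashboard would be missing data.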
Task 2: Configuring Audit Object Access for Files & Directories in Microsoft Explorer
Warning: please limit the number of files and directories you audit with Audit Object Access, since auditing too many can lead to performance problems.
Please note that this section is optional: configure the Audit Object Access which you require and which is appropriate for your Enterprise Configuration. Please note that the dashboard you generate will contain “No Data Available” for each Policy that you have not configured.
To audit access to specific files and directories that may be sensitive for your organization, you must perform the following two steps:
Enable the Audit Policy:
o Select the Audit Object Access Policy in the Local Security Settings.
o Select the Success and Failure check boxes (please see task 4 for details).
Enable auditing on the individual files and directories you wish to audit:
o This section explains how to enable auditing on those files and directories that you want to monitor.
Steps
1. Open Microsoft Explorer, browse to locate the file you want to audit.
2. Right-click on the file you want to audit. The context menu appears.
3. Select Properties. The [FileName] Properties dialog box appears.
4. Select the Security tab.
6. Select the Auditing tab.
8. Type Everyone in the Enter the object name to select field.
9. Click Check Names. Everyone will be underlined.
10. Click OK. The Auditing Entry for [FileName] dialog box appears.
11. Select the Access you wish to Audit and then click OK.
12. Verify that auditing is working on your specified file (in this case explorer.exe): select Start> Run and then type the file name specified. You should see an Object Access event in the Event Viewer.
Note: if you have Microsoft Active Directory setup, you can also use Group Policy to automatically set
Task 3: Configuring Microsoft Event Viewer Application, Security and System Logs
Steps
1. Select Start> Control Panel> Administrative Tools> Event Viewer. The Microsoft Event Viewer console appears.
2. Note the three Event Viewer logs which Net Report monitors:
3. Follow the same procedure for each Event Viewer Log, that is for the:
a. Application log,
b. Security log
c. System Log
This section uses the Application log as an example; you must repeat the same procedure for the Security and System logs as well.
4. Right-click on the Event Viewer Log you want to configure; in this example, right-click on the Application log. The context menu appears.
5. Select Properties in the Event Viewer> [LogName] context menu. The [LogName] Properties dialog box appears.
6. Increase the value in the Maximum log size field (if necessary) by using the combo box.
7. Select the Overwrite events as needed options button.
Note: if an Event Viewer log is full, the WMI agent will not receive any more log data. Therefore, please ensure that either the Overwrite events as needed options button is selected, or that you have specified an appropriate number of days of events to keep before they are overwritten.
8. Consider creating a scheduled task to either export or save your Event Viewer logs on a regular basis, e.g. every two days (for International Regulatory purposes for example).
9. Select the Filter tab. Ensure that the following five check boxes are selected in the Event types zone:
a. Information
b. Warning
c. Error
d. Success audit
e. Failure audit
10. Click OK.
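The maximum size and overwrite option chosen in steps 6 and 7 are stored per log in the registry as MaxSize (bytes) and Retention (seconds; 0 means overwrite as needed, 0xFFFFFFFF means never overwrite). The script below is an added example, not part of Net Report, that reads them from reg query output and flags any log that can fill up; the function names are its own and the sample output is constructed.

```python
"""Read MaxSize/Retention for one event log from `reg query` output (Task 3, steps 6-7)."""

NEVER_OVERWRITE = 0xFFFFFFFF  # Retention value for "Do not overwrite events"

# Constructed sample: output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application
SAMPLE = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application
    File\tREG_EXPAND_SZ\t%SystemRoot%\\system32\\config\\AppEvent.Evt
    MaxSize\tREG_DWORD\t0x80000
    Retention\tREG_DWORD\t0x93a80
"""

def read_dwords(reg_output):
    """Collect every REG_DWORD value in the output as {name: int}."""
    found = {}
    for line in reg_output.splitlines():
        parts = line.split()  # reg.exe separates columns with tabs or spaces
        if len(parts) == 3 and parts[1] == "REG_DWORD":
            found[parts[0]] = int(parts[2], 16)
    return found

def retention_report(reg_output):
    """Return (max_size_kb, overwrite_policy, can_fill) for one log."""
    values = read_dwords(reg_output)
    max_kb = values["MaxSize"] // 1024   # MaxSize is stored in bytes
    retention = values["Retention"]      # Retention is stored in seconds
    if retention == 0:
        return max_kb, "Overwrite events as needed", False
    if retention == NEVER_OVERWRITE:
        return max_kb, "Do not overwrite events", True
    days = retention // 86400
    # Events younger than `days` are protected, so the log can still fill up
    # if that many days of events do not fit in MaxSize.
    return max_kb, f"Overwrite events older than {days} days", True
```

A can_fill result of True marks a log that needs either a larger maximum size or the Overwrite events as needed option, per the note in step 7.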
Note: please download the Net Report WMI Dashboard Presentation for information on how to get
Contacting Net Report
For Technical Support, please contact us:
By e-mail at: [email protected]
By Telephone on: +33 (0)46 784 4800
By Fax on: +33 (0)46 784 4811
By post at: Net Report Headquarters,
130 rue Baptistou, ZAE Nord,
34980 Saint Gély du Fesc, FRANCE
For Sales Enquiries, please contact us:
By e-mail at: [email protected]
By Telephone on: +33 (0)1 46 84 15 66
By post at: Net Report Sales Offices,
Allasso France,
Immeuble Europe Avenue,
3ème et 4 ème étage (Reception), 62 Bis av André Morizet,
92 643 Boulogne-Billancourt Cedex, FRANCE