If you’re using Microsoft’s hybrid management toolset, called Operations Management Suite (OMS), and in particular the Security and Audit solution, then read on to discover potential ways to enhance the data this solution uses.
Note: The material and points for this article are adapted from the Exam Ref 70-744 Securing Windows Server 2016 book.
OMS Security and Audit Solution
Firstly, here is an overview of the Security and Audit solution from the Exam-Ref book mentioned above:
The Security and Audit solution uses information gathered from the Security Event log, the Application Event log, and the Windows Firewall log to assess several different security conditions. The agents on the computers always send this log information directly to the OMS service, even when the computers are part of a System Center Operations Manager (SCOM) group.
Notice the wording: “The agents on the computers always send this log information directly to the OMS service, even when the computers are part of a System Center Operations Manager (SCOM) group.”
This means that each monitored endpoint needs a route to the OMS service: either outbound Internet access (directly or through a proxy), or an OMS Gateway that forwards the agent traffic on its behalf. Here are some reference articles on both approaches:
- Configure proxy and firewall settings in Log Analytics
- Connect computers and devices to OMS using the OMS Gateway
Continuing our focus on the Security and Audit solution, we need to configure our servers to capture pertinent information to the Application, Security, and Windows Firewall logs.
Windows Security Event Log
Concerning the Windows Security Event log, the system’s audit policy determines which events are written to the log, and therefore also what OMS is able to read and react to.
If you’re not sure what to enable in your audit policy, Microsoft has a great starting point, found here: Microsoft’s Recommendations for Advanced Auditing Policy Settings.
These recommendations leverage the Security Compliance Manager tool and are applicable to both Client Operating Systems (like Windows 7 and Windows 8), and Server Operating Systems (Windows Server 2008 and above).
The document also lists the Windows default settings alongside a Baseline recommendation and a more aggressive (Stronger) recommendation for each subcategory.
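To see where a server stands before pushing a new audit policy, it helps to compare the effective advanced audit policy against the level you have chosen for each subcategory. The following PowerShell script is an added example (not from the article or the Exam Ref book): it reads the local policy with auditpol, compares it with a small list of subcategories and target levels, and reports the gaps. The subcategory list and required levels are a constructed, illustrative subset; replace them with the values you adopt from Microsoft’s recommendations document.

```powershell
# Added example: audit-policy gap check against a constructed target list.
# Run in an elevated PowerShell session (auditpol needs it).
# These subcategory names are real auditpol names; the required levels are
# illustrative, not Microsoft's published baseline.
$RequiredAuditing = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Process Creation'          = 'Success'
    'Credential Validation'     = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
}

# auditpol can emit its report as CSV (/r); ConvertFrom-Csv turns each row into an
# object with 'Subcategory' and 'Inclusion Setting' properties, among others.
$current = auditpol /get /category:* /r | ConvertFrom-Csv

function Test-AuditSetting {
    param([string]$Actual, [string]$Required)
    # 'Success and Failure' satisfies a requirement for either Success or Failure alone.
    if ($Actual -eq 'Success and Failure') { return $true }
    return $Actual -eq $Required
}

$report = foreach ($sub in $RequiredAuditing.Keys) {
    $row    = $current | Where-Object { $_.Subcategory -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $sub
        Required    = $RequiredAuditing[$sub]
        Actual      = $actual
        Compliant   = Test-AuditSetting -Actual $actual -Required $RequiredAuditing[$sub]
    }
}

$report | Sort-Object Compliant, Subcategory | Format-Table -AutoSize

# Summarise the gaps so the script can be used as a quick pre-deployment check.
$gaps = @($report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    Write-Warning ("{0} subcategory(ies) are below the required audit level." -f $gaps.Count)
}
```

Because the Security and Audit solution only sees what the Security log records, a subcategory that reports "No Auditing" here is a blind spot for OMS regardless of how the solution itself is configured. The script only reads the policy; applying changes is still best done through Group Policy so that the settings are consistent across the estate.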
Application Event Log
To get the most from the Application Event Log, we need to configure our servers to log information about executable files, install scripts, and packages that are used.
You can do this by configuring the AppLocker policy settings, found under Computer Configuration > Policies > Windows Settings > Security Settings > Application Control Settings > AppLocker.
Right-click on AppLocker and open the Properties; on the Enforcement tab, select the Configured checkbox and the Audit Only setting for each of the policies.
You should also create a Rule for each of the types listed (Executable Rules, Windows Installer Rules, Script Rules, and Packaged App Rules).
When you create each Rule, keep the default settings, but choose the ‘Path’ option for the primary condition, and use an asterisk (*) as the Path value so that the rule matches everything and every execution is audited.
Finally, you should set the Application Identity service to start automatically. You can find this setting by browsing to Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
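The three AppLocker prerequisites above (Application Identity service set to automatic, every rule collection in Audit Only mode, and a wildcard path rule in each collection) are easy to verify once Group Policy has applied. The script below is an added example, not from the article: it checks each prerequisite on the local machine and then counts the most recent AppLocker audit events to confirm that auditing is actually producing data. The AppLocker event IDs used (8002 for allowed, 8003 for would-have-been-blocked in audit mode) are the documented values for the EXE and DLL log.

```powershell
# Added example: verify AppLocker audit-mode prerequisites on the local machine.
Import-Module AppLocker

# 1. Application Identity service: AppLocker neither enforces nor audits without it.
$svc = Get-CimInstance Win32_Service -Filter "Name='AppIDSvc'"
[pscustomobject]@{
    Check = 'AppIDSvc'
    StartMode = $svc.StartMode
    State = $svc.State
    Ok = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
} | Format-Table -AutoSize

# 2. Effective policy: each collection should be AuditOnly and contain a path rule
#    whose condition is the wildcard '*'. Collection types map to the GPO names:
#    Exe = Executable, Msi = Windows Installer, Script = Script, Appx = Packaged app.
[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$expected = 'Exe', 'Msi', 'Script', 'Appx'
$collections = @($policy.AppLockerPolicy.RuleCollection)

$policyReport = foreach ($type in $expected) {
    $coll = $collections | Where-Object { $_.Type -eq $type }
    $mode = if ($coll) { $coll.EnforcementMode } else { 'Missing' }
    # FilePathRule may be absent, a single element or an array; wrap in @() for safety.
    $wild = @($coll.FilePathRule) | Where-Object {
        $_ -and $_.Conditions.FilePathCondition.Path -eq '*'
    }
    [pscustomobject]@{
        Collection       = $type
        EnforcementMode  = $mode
        AuditOnly        = ($mode -eq 'AuditOnly')
        WildcardPathRule = [bool]$wild
    }
}
$policyReport | Format-Table -AutoSize

# 3. Evidence that auditing is live: count recent events in the EXE and DLL log.
#    Get-WinEvent throws when the log is empty, hence SilentlyContinue.
$events = Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' `
    -MaxEvents 200 -ErrorAction SilentlyContinue
[pscustomobject]@{
    Allowed_8002         = @($events | Where-Object Id -eq 8002).Count
    AuditWouldBlock_8003 = @($events | Where-Object Id -eq 8003).Count
} | Format-Table -AutoSize
```

With a single allow-all path rule per collection, almost every event will be 8002 (allowed); the value of the configuration is that each execution is now recorded with the file path and publisher details, which is what the OMS solution consumes. If the third table shows no events at all after users have logged on and run programs, check the first two tables before assuming an agent problem.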
Windows Firewall Log
Now onto the Windows Firewall settings. By default, the Windows Firewall does not log any of its activities, so you must enable its logging.
To do this, browse to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.
Right-click on the Windows Firewall with Advanced Security policy and open the Properties.
For each of the profiles (Domain, Private, Public), click on the Customize button under Logging, and in the Customize Logging Settings dialog, use these settings:
- Size limit (KB): 100
- Log dropped packets: Yes
- Log successful connections: Yes
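The same three settings can be applied and read back with the NetSecurity cmdlets, and the resulting log file is plain W3C text that is easy to parse locally when you want to sanity-check what will be shipped to OMS. The following PowerShell is an added example, not from the article: it sets the logging options on all three profiles, displays the effective values, and then parses a constructed sample in the layout of pfirewall.log to summarise dropped packets by source address and destination port. The sample log lines are made up for illustration; the `ConvertFrom-FirewallLog` helper is hypothetical and defined here.

```powershell
# Added example: enable Windows Firewall logging on all profiles and parse the log.
# Run elevated. Settings delivered by Group Policy take precedence over local changes,
# so on a domain-joined server use this mainly to read the effective configuration.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 100

Get-NetFirewallProfile |
    Select-Object Name, LogFileName, LogMaxSizeKilobytes, LogAllowed, LogBlocked |
    Format-Table -AutoSize

# Constructed sample (not a real capture) in the W3C format pfirewall.log uses.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:00:01 DROP TCP 10.0.0.25 10.0.0.5 51234 445 52 S 1234 0 8192 - - - RECEIVE
2024-01-15 09:00:02 DROP TCP 10.0.0.25 10.0.0.5 51235 3389 52 S 1235 0 8192 - - - RECEIVE
2024-01-15 09:00:03 ALLOW TCP 10.0.0.5 10.0.0.10 49152 443 0 - 0 0 0 - - - SEND
2024-01-15 09:00:04 DROP TCP 10.0.0.25 10.0.0.5 51236 445 52 S 1236 0 8192 - - - RECEIVE
2024-01-15 09:00:05 DROP UDP 10.0.0.40 10.0.0.5 137 137 78 - - - - - - - RECEIVE
'@

# Hypothetical helper: turns firewall log lines into objects using the #Fields header.
function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other header lines and blanks, and any data before the header.
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$entries = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")

# Dropped packets grouped by source and destination port: a quick view of who is
# probing which services on this host.
$entries | Where-Object action -eq 'DROP' |
    Group-Object 'src-ip', 'dst-port' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# To run the same summary over the real file, expand the %systemroot% reference
# that LogFileName usually contains:
# $path = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Profile Domain).LogFileName)
# $real = ConvertFrom-FirewallLog -Lines (Get-Content $path)
```

Note that a 100 KB size limit fills quickly on a busy server once successful connections are logged; the OMS agent reads the file as it is written, but if you also want local retention for forensics, size the limit (or an alternative collection path) accordingly.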
Most organizations will have their own security policies and settings; however, some of the suggestions and recommendations listed here may be new to you.
It is recommended that you implement them in a non-production environment first, in order to evaluate their applicability to your specific environment and to avoid any unexpected effects.