Hack 12 deals with getting event log information. Hack 77 presents answers to common security-related FAQs, and Hack 98 talks about the Automated System Recovery (ASR), a new feature of Windows Server 2003 that makes recovering from a disaster a whole lot easier.
Windows Server Hacks 12: Get Event Log Information
Need to check on the size and configuration settings of your event logs? Use this script instead of the GUI; it’s faster!
Monitoring event logs is an essential part of an administrator’s job. Unfortunately, viewing event log settings and log file sizes from the GUI is cumbersome, and it would be useful to have an easier way to obtain this information.
That's exactly what this hack is all about. You can run the script on Windows NT/2000 and later (WMI must be installed) to obtain the current file size, maximum file size, number of records, and the overwrite (retention) settings of the Application, System, and Security logs.
The Code
Type the following script into Notepad (make sure Word Wrap is disabled) and save it with a .vbs extension as loginfo.vbs. Or, if you like, you can download the script from the O'Reilly web site.
Option Explicit
On Error Resume Next
Dim strMoniker
Dim refWMI
Dim colEventLogs
Dim refEventLog
'moniker string stub - the Security privilege (SeSecurityPrivilege) is needed
'to read NumberOfRecords for the Security log
strMoniker = "winMgmts:{(Security)}!"
'append to moniker string if a machine name has been given
If WScript.Arguments.Count = 1 Then _
strMoniker = strMoniker & "\\" & WScript.Arguments(0) & ":"
'attempt to connect to WMI
Set refWMI = GetObject(strMoniker)
If Err <> 0 Then
WScript.Echo "Could not connect to the WMI service."
WScript.Quit
End If
'get a collection of Win32_NTEventLogFile objects
Set colEventLogs = refWMI.InstancesOf("Win32_NTEventLogFile")
If Err <> 0 Then
WScript.Echo "Could not retrieve Event Log objects"
WScript.Quit
End If
'iterate through each log and output information (sizes are in bytes)
For Each refEventLog In colEventLogs
WScript.Echo "Information for the " & _
refEventLog.LogfileName & _
" log:"
WScript.Echo " Current file size: " & refEventLog.FileSize
WScript.Echo " Maximum file size: " & refEventLog.MaxFileSize
WScript.Echo " The Log currently contains " & _
refEventLog.NumberOfRecords & " records"
'output policy info in a friendly format using OverwriteOutDated,
'as OverWritePolicy is utterly pointless.
'note "-1" is the signed interpretation of 4294967295 (never overwrite)
Select Case refEventLog.OverwriteOutDated
Case 0
WScript.Echo _
" Log entries may be overwritten as required"
Case -1
WScript.Echo _
" Log entries may NEVER be overwritten"
Case Else
WScript.Echo _
" Log entries may be overwritten after " & _
refEventLog.OverwriteOutDated & " days"
End Select
'blank line between logs
WScript.Echo
Next
Set refEventLog = Nothing
Set colEventLogs = Nothing
Set refWMI = Nothing
Running the Hack
To run the script, use Cscript.exe, the command-line version of the Windows Script Host (WSH). Simply type cscript loginfo.vbs at a command prompt from the directory in which the script resides (append a computer name, for example cscript loginfo.vbs server1, to query a remote machine). Here is a sample of typical output when the script runs on a Windows 2000 machine (sizes are in bytes):
C:\> cscript loginfo.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Information for the Security log:
 Current file size: 65536
 Maximum file size: 524288
 The Log currently contains 166 records
 Log entries may be overwritten after 7 days

Information for the Application log:
 Current file size: 524288
 Maximum file size: 524288
 The Log currently contains 2648 records
 Log entries may be overwritten as required

Information for the System log:
 Current file size: 524288
 Maximum file size: 524288
 The Log currently contains 2648 records
 Log entries may be overwritten after 7 days
Note that when you run this script on a domain controller, it displays information concerning the Directory Service, File Replication Service, and DNS Server logs as well. Pay attention to logs whose current size equals the maximum size: with "overwritten as required" the oldest events are already being discarded, and with "NEVER be overwritten" new events are being dropped until the log is cleared or enlarged.
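The same Win32_NTEventLogFile query can be done today from PowerShell. The following is an added example, not code from the book: it reproduces the VBScript's output fields, decodes OverwriteOutDated the same way (0 = as required, 4294967295 = never, otherwise a number of days), and adds the check the VBScript lacks, flagging a log that is set to never overwrite and is nearly full. It assumes the CIM cmdlets (Windows PowerShell 3.0 or later) and an elevated session so the Security log's record count is readable; the function name and the 90% threshold are this example's own choices.

```powershell
# Added example: PowerShell equivalent of loginfo.vbs with a "log nearly full" check.
# Assumes Windows PowerShell 3.0+ (Get-CimInstance) and an elevated session.

function ConvertTo-RetentionText {
    param([Parameter(Mandatory)][uint32]$OverwriteOutDated)
    switch ($OverwriteOutDated) {
        0          { 'overwritten as required' }
        4294967295 { 'NEVER overwritten' }     # the VBScript sees this as -1
        default    { "overwritten after $OverwriteOutDated days" }
    }
}

function Get-EventLogReport {
    param(
        # '.' means the local machine; a remote name goes over WinRM
        [string]$ComputerName = '.',
        # Fraction of MaxFileSize at which a "never overwrite" log is flagged (assumed value)
        [double]$FullThreshold = 0.9
    )
    $cimParams = @{ ClassName = 'Win32_NTEventLogFile' }
    if ($ComputerName -ne '.') { $cimParams.ComputerName = $ComputerName }

    foreach ($log in Get-CimInstance @cimParams) {
        $warning = $null
        if ($log.OverwriteOutDated -eq 4294967295 -and
            $log.FileSize -ge ($log.MaxFileSize * $FullThreshold)) {
            $warning = 'nearly full and set to never overwrite: new events will be dropped'
        }
        [pscustomobject]@{
            Log           = $log.LogfileName
            FileSizeKB    = [math]::Round($log.FileSize / 1KB)
            MaxFileSizeKB = [math]::Round($log.MaxFileSize / 1KB)
            Records       = $log.NumberOfRecords
            Retention     = ConvertTo-RetentionText -OverwriteOutDated $log.OverwriteOutDated
            Warning       = $warning
        }
    }
}

# Usage: local machine, or Get-EventLogReport -ComputerName server1
Get-EventLogReport | Format-Table -AutoSize
```

If the Security row comes back with zero records while the GUI shows events, the session did not hold SeSecurityPrivilege; on Windows PowerShell you can fall back to Get-WmiObject -Class Win32_NTEventLogFile -EnableAllPrivileges, which is the equivalent of the "(Security)" token in the VBScript's moniker. On Vista/2008 and later, Get-WinEvent -ListLog * reports the same sizes and record counts for every log, including the newer application and services logs that Win32_NTEventLogFile does not list.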
Steps to Computer Security
Q: What can I do to make sure my computer is secure?
A: It depends on whether you are a consumer or a business.
Consumers. Consumers should start by using an Internet firewall on all PCs and laptops. An Internet firewall can help prevent outsiders from getting to your computer through the Internet. If you use Windows XP, enable the built-in firewall feature on that platform. You should also update your computer regularly, either by using the Automatic Updates feature or by regularly visiting the Windows Update web site to download the latest Microsoft security updates. Also, make sure your antivirus software is up-to-date; installing, configuring, and maintaining your antivirus software is absolutely essential.
Businesses. Businesses should follow a similar but more involved procedure. Start by verifying the configuration of your firewalls for both the Internet and the intranet. By auditing your firewall configurations, you ensure they comply with your company's security policy. Firewalls are your first line of defense, and best practice requires blocking all ports that are not actually being used by applications on your network. Businesses should also protect their networks by requiring employees to follow the precautions outlined by Microsoft (https://www.microsoft.com/protect/) on both their home PCs and laptops, especially if they use these machines to connect to your enterprise. PCs and laptops that VPN or RAS into your network must be protected by a properly configured firewall.
Businesses must also keep their systems up-to-date with the latest security patches from Microsoft. To do so, subscribe to Microsoft's free security notification service and use Microsoft update services to automatically obtain patches for your network; see "Microsoft Security Tools" [Hack #78] (in the book) for more information. Finally, businesses should invest in antivirus software, because such protection is absolutely essential for keeping sensitive business data safe from attackers.
Vulnerability Types
Q: What are the vulnerability types that I need to monitor against?
A: There are three basic types of vulnerability:
* Administrative vulnerability: The failure to observe administrative best practices, such as using a weak password or logging on with an account that has more user rights than the user requires to perform a specific task.
* Product vulnerability: A security-related bug in a product that is addressed by a security bulletin/hotfix or a service pack.
* Physical vulnerability: The failure to provide physical security for a computer. Physical vulnerability can include leaving an unlocked workstation running in an area that is accessible to unauthorized users, leaving a server room unlocked or open, or losing a laptop or leaving it at a customer site.
Strong Password Policy
Q: What is the best practice to follow when creating policies for user passwords?
A: Each company's security-level needs are different, but in general, strong passwords should be at least six characters long (treat this as a floor; longer is better), should not contain all or part of the user's account name, and should contain at least three of the following four categories of characters: uppercase letters, lowercase letters, base 10 digits, and nonalphanumeric symbols found on the keyboard, such as !, @, and #.
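The three rules above are mechanical enough to check before a password reaches the directory. The following is an added example, not from the book or from Microsoft: a PowerShell function that applies the minimum length, the account-name rule, and the three-of-four category rule to a candidate password and reports which rules failed. The account-name rule is implemented the way the Windows "complexity requirements" check is documented to work, splitting the name on delimiters and rejecting any piece of three or more characters found in the password, case-insensitively; that delimiter list, the function name, and the sample candidates are this example's assumptions.

```powershell
# Added example: check a candidate password against the FAQ's policy.
# Thresholds are parameters so a stricter company policy can be applied.

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [int]$MinimumLength = 6,        # the FAQ's floor; raise it in your own policy
        [int]$RequiredCategories = 3
    )
    $failures = @()

    if ($Password.Length -lt $MinimumLength) {
        $failures += "shorter than $MinimumLength characters"
    }

    # "all or part of the account name": split the name on the delimiters the
    # Windows complexity check uses and reject any token of 3+ characters that
    # appears in the password (assumed simplification of the Windows rule).
    $tokens = $AccountName -split '[ ,.\-_#\t]' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        # -match is case-insensitive by default; escape so the token is literal
        if ($Password -match [regex]::Escape($token)) {
            $failures += "contains part of the account name ('$token')"
            break
        }
    }

    # Count the four character categories that are present (-cmatch = case-sensitive)
    $categories = 0
    if ($Password -cmatch '[A-Z]')         { $categories++ }
    if ($Password -cmatch '[a-z]')         { $categories++ }
    if ($Password -match  '[0-9]')         { $categories++ }
    if ($Password -cmatch '[^A-Za-z0-9]')  { $categories++ }
    if ($categories -lt $RequiredCategories) {
        $failures += "uses only $categories of 4 character categories"
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Failures = ($failures -join '; ')
    }
}

# Constructed sample candidates (not real credentials) against account 'j.smith'
@(
    @{ Password = 'pw12';          AccountName = 'j.smith' },  # too short, 2 categories
    @{ Password = 'Smith#2024';    AccountName = 'j.smith' },  # contains 'smith'
    @{ Password = 'correcthorse';  AccountName = 'j.smith' },  # long but 1 category
    @{ Password = 'Tr0ub4dor&3';   AccountName = 'j.smith' }   # passes all three rules
) | ForEach-Object {
    Test-PasswordPolicy -Password $_.Password -AccountName $_.AccountName
} | Format-Table -AutoSize
```

The sample run reports the first three candidates as failing for the reasons in the comments and the last one as passing. Note that a password can satisfy all three rules and still be weak (a dictionary word with a capital and a trailing digit, for instance), so this check complements, rather than replaces, a minimum length you actually enforce and a banned-password list.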
How Microsoft Handles Security
Q: Is there any documentation on how Microsoft handles security against worms and viruses?
A: Yes. Microsoft has released a "Security at Microsoft" white paper on how they handle security issues (https://www.microsoft.com/downloads/details.aspx?FamilyID=73f1ba8e-a15c-4c05-be87-8d21b1372485). This paper describes what Microsoft's Corporate Security Group does to prevent malicious or unauthorized use of digital assets at Microsoft. This asset protection takes place through a formal risk-management framework, risk-management processes, and clear organizational roles and responsibilities. The basis of the approach is recognition that risk is an inherent part of any environment and that risk should be proactively managed. The principles and techniques described in Microsoft's white paper can be employed to manage risk at any organization.
Reporting Security Incidents to Microsoft
Q: How can I report a security incident or vulnerability to Microsoft?
A: If you have purchased Microsoft support, you should contact your Technical Account Manager (TAM). You can also use the web form at https://s.microsoft.com/technet/security/bulletin/alertus.asp to submit incidents and vulnerabilities.