Re: How to automatic send an e-mail when an event occurs?
From: Scott (nomail_at_microsoft.com)
Date: 02/18/05
- Next message: Niamh: "Re: Licensing"
- Previous message: Scott: "How to: Event Log error level ?"
- In reply to: Jaime Stuardo: "How to automatic send an e-mail when an event occurs?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 18 Feb 2005 10:54:13 -0700
Might poke around here...
CyberCop:
http://www.nai.com
CyberCop Monitor is a real-time system designed to protect servers.
CyberCop automates the process of detecting intrusions and sends
customized automatic responses. For example, if an authorized user
attempts to modify content of a file where access is denied, CyberCop
can be configured to logout the intruder and notify the administrator
that the attempt occurred, while allowing authorized users continued use
of the resource.
CyberCop is designed to detect and attack tampering including
unauthorized changes in user privileges, illegal Web site content
modification and illegal logins. When intrusions are detected, CyberCop
can be configured to respond in various ways including terminating the
offending process, terminating offending login connections, and
disabling offending accounts.
CyberCop combines packet analysis with assessment of the event logs,
providing an audit trail query and reporting features to document
security breaches, suspicious activity, policy violations, and resource
utilization, including a record of when intrusions or misuse are
detected. Developed under the Microsoft Management Console user
interface, CyberCop provides an easy-to-use graphical interface for
local or remote reporting, and remote installation. The configuration
editor allows for custom settings and thresholds to suit the
environment, including security profiles, account groups, time and subnets.
Kane Security Monitor:
http://www.cstl.com/html/info/idi/ksm.htm
The Kane Security Monitor (KSM) is a real-time intrusion detection
system designed to protect servers and workstations on the network. KSM
provides enterprise-wide centralized collection of event logs otherwise
stored separately on each machine. By automatically reviewing the event
logs, KSM searches for patterns of misuse and signatures related to
well-known security attacks.
KSM analyzes NT Security event logs on an enterprise-wide basis and is
able to continually monitor NT security event logs on thousands of NT
servers and workstations. Using artificial intelligence technology,
security event logs are scrutinized for abuse patterns including
unauthorized activities and suspicious behavior from outside hackers and
inside authorized users. This process automatically turns massive
amounts of NT security event log data into concise security information.
KSM will send customized alerts when intrusions are detected. However,
KSM is unable to terminate the intrusion or take actions such as logging
out the offender. In addition KSM requires the installation of a
software module on the client computers. Notwithstanding these two
issues, KSM is less expensive than some other products and therefore
should be evaluated.
Tripwire:
http://www.tripwire.com/products/
Whereas this product does not analyze the logs, Tripwire is a useful
intrusion detection tool. Tripwire provides protection for file
systems. Tripwire's software works by taking a picture of critical
files and sounding the alert when the files change. The changing of the
files is the clue that warns the system that possible intrusion is
taking place.
Summary:
A thorough understanding of the event log files can assist in
maintaining a secure computing environment. Auditing must be configured
and enabled in such a way that meaningful information is collected. The
event logs should be collected from all networked systems and stored in
a central location. The amalgamated logs can then be analyzed to find
and detect intrusions.
As Windows NT and Windows 2000 are more fully deployed in environments
requiring high security, more advanced tools to analyze the event logs
will be developed. As various forms of artificial intelligence are
deployed to analyze the event logs, the effectiveness of IDS systems
will be improved. Any overall security strategy must incorporate
analysis of the Windows NT security log to detect and isolate intrusion
attempts which have overcome other security measures including
authentication and access control.
Jaime Stuardo wrote:
> Hi all..
>
> Is there a way, in Windows Server 2003, to automatically send an e-mail to
> the Administrator when something occurs in the server? For example a reboot,
> some new Windows update available, some hacker attack or something?
>
> Thanks
> Jaime
>
>
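Added example, not from Scott's reply or from any of the products it names: a small Python script showing the approach the summary describes (collect Security logs from every server centrally, then search the merged records for a misuse pattern) and ending with the administrator e-mail Jaime asked about. The exported record format, host names, addresses and e-mail addresses are constructed for illustration; event ID 529 is the Windows NT/2000/2003 logon-failure (bad password) event.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage
import csv
import io

# Constructed sample: Security log records exported from two servers and merged
# centrally. Fields: time,host,event_id,user,source. On NT/2000/2003, event 529 is
# a logon failure (bad password) and 528 is a successful logon.
SAMPLE_LOG = """\
2005-02-18 10:50:01,SRV01,529,jsmith,10.0.0.7
2005-02-18 10:50:03,SRV01,529,jsmith,10.0.0.7
2005-02-18 10:50:04,SRV02,529,jsmith,10.0.0.7
2005-02-18 10:50:06,SRV01,529,jsmith,10.0.0.7
2005-02-18 10:50:08,SRV02,529,jsmith,10.0.0.7
2005-02-18 10:55:00,SRV01,528,jsmith,10.0.0.7
2005-02-18 11:10:00,SRV02,529,mjones,10.0.0.9
"""

def parse_records(text):
    rows = []  # one dict per record, with a real datetime so records can be ordered
    for t, host, eid, user, src in csv.reader(io.StringIO(text)):
        rows.append({"time": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), "host": host,
                     "event_id": int(eid), "user": user, "source": src})
    return rows

def detect_password_guessing(records, threshold=5, window=timedelta(minutes=1)):
    """Return (user, source, count) when at least `threshold` event-529 records for one
    user/source pair fall inside `window`, counted across hosts thanks to central collection."""
    failures = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        if r["event_id"] == 529:
            failures[(r["user"], r["source"])].append(r["time"])
    alerts = []
    for (user, src), times in failures.items():
        for i, start in enumerate(times):  # slide a window over the sorted failures
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts.append((user, src, n))
                break
    return alerts

def build_alert(alert, to_addr="admin@example.invalid"):
    """Compose the administrator notification; addresses are placeholders."""
    user, src, n = alert
    msg = EmailMessage()
    msg["Subject"] = f"Security alert: {n} logon failures for {user} from {src}"
    msg["From"], msg["To"] = "eventlog-monitor@example.invalid", to_addr
    msg.set_content(f"{n} event 529 records for {user} from {src} inside the detection window, across all collected hosts.")
    return msg
```

In the sample the five failures are split between SRV01 and SRV02, so neither server alone would reach the threshold; the message returned by build_alert can be handed to any SMTP relay with the standard library's smtplib.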