
Module 8: Monitoring and Reporting

Contents

Overview
Planning a Monitoring and Reporting Strategy
Monitoring Intrusion Detection
Monitoring ISA Server Activity
Analyzing ISA Server Activity by Using Reports
Monitoring Real-Time Activity
Testing the ISA Server Configuration
Lab A: Monitoring and Reporting
Review

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart

Instructor Notes

Presentation: 45 Minutes
Lab: 30 Minutes

This module provides students with the knowledge and skills to monitor Microsoft® Internet Security and Acceleration (ISA) Server 2000 activities by using alerts, logging, reporting, and real-time monitoring.

After completing this module, students will be able to:

• Plan a strategy for monitoring and reporting ISA Server activities.
• Configure alerts to monitor intrusion detection.
• Configure logging to monitor ISA Server activity.
• Use reports to analyze ISA Server activity.
• Monitor ISA Server computer activity.
• Test the ISA Server configuration.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 2159A_08.ppt
• The file C:\MOC\2159a\Labfiles\Lab09\portscan.cmd

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Configure Monitoring and Reporting,” “Monitoring and Reporting,” “Event Messages,” and “Performance Counters” in ISA Server Help.
• Read Module 8, "Monitoring and Optimizing Performance in Windows 2000," in Course 2152B, Implementing Microsoft Windows® 2000 Professional and Server.
• Review the \sdk\bin\isasdk.chm file on the ISA Server compact disc.

Instructor Setup for Lab

Lab A: Monitoring and Reporting

To prepare for the lab:

• Open a command prompt window.
• At the command prompt, type cd C:\MOC\2159a\Labfiles\Lab8
• When a student asks you during the lab to perform a simulated port scan attack, type portscan ip_address (where ip_address is the IP address of the student’s ISA Server computer on the classroom network), and then press ENTER.

Module Strategy

Use the following strategy to present this module:

• Planning a Monitoring and Reporting Strategy
  Begin the module by describing the guidelines to consider when planning a monitoring and reporting strategy.

• Monitoring Intrusion Detection
  When describing the different types of network intrusion, do not explain each attack in detail, but use one or two of them as examples. Emphasize that although ISA Server generates events when an intrusion attack occurs, ISA Server generates alerts only if you specifically configure ISA Server to do so. Do not cover all of the ISA Server events in detail. Instead, refer students to ISA Server Help for more information about specific events.

• Monitoring ISA Server Activity
  Explain that logging to a database can centralize ISA Server logs and secure the log data. Emphasize that logging both allowed packets and blocked packets can cause a considerable load on the server and that you should enable logging for allowed packets for diagnostic purposes only.

• Analyzing ISA Server Activity by Using Reports
  Explain that ISA Server reports require summaries of saved logs and that you can create an ISA Server report only after ISA Server has created at least one daily summary. Emphasize that if a server belongs to a multiserver array, the administrator generating the reports must have the appropriate permissions on each ISA Server computer in the array. Briefly display an example of each report format to illustrate the contents of the reports.

• Monitoring Real-Time Activity
  Explain that the ISA Server real-time monitoring feature enables you to centrally monitor ISA Server computer activity, including the current sessions. Point out the ISA Server Performance Monitor on the Microsoft ISA Server menu.

• Testing the ISA Server Configuration
  Explain that after configuring ISA Server, it is recommended that you test your configuration to ensure that ISA Server correctly enforces the security settings. Explain that you can use a third-party intrusion detection system or the applications that are included with Windows 2000 to test the ISA Server configuration.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Important: The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Lab Setup

The following list describes the setup requirements for the lab in this module.

Setup Requirement

The lab in this module requires that ISA Server be installed on all ISA Server computers.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Perform a full installation of ISA Server manually.

Setup Requirement

The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the ISA Server administration tools manually.

Setup Requirement

The lab in this module requires that the Firewall Client be installed on all ISA Server client computers.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.

Setup Requirement

The lab in this module requires that all ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.

Setup Requirement

The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure Internet Explorer manually.

Setup Requirement

The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure IIS manually.

Setup Requirement

The lab in this module requires a protocol rule on the ISA Server computer that allows all members of the Domain Admins group to gain access to the Internet by using any protocol.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.

Setup Requirement

The lab in this module requires that packet filtering be enabled on the ISA Server computer.

To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Enable packet filtering manually.

Lab Results

Performing the lab in this module introduces the following configuration changes:

• Intrusion detection is enabled.
• Alerts are configured for port scanning.
• Reports are created.
• The ISA Server computer is published as a Network News Transfer Protocol (NNTP) server.
• The ISA Server client computer is published as a Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) server.

Overview

Topic Objective: To provide an overview of the module topics and objectives.

Lead-in: In this module, you will learn about monitoring ISA Server activities by using alerts, logging, reporting, and real-time monitoring.

• Planning a Monitoring and Reporting Strategy
• Monitoring Intrusion Detection
• Monitoring ISA Server Activity
• Analyzing ISA Server Activity by Using Reports
• Monitoring Real-Time Activity
• Testing the ISA Server Configuration

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Without a monitoring and reporting strategy in place for a Microsoft® Internet Security and Acceleration (ISA) Server 2000 computer, network administrators may be unaware of important events or trends, be confronted with a profusion of false alerts, or configure logs and reports that do not monitor the appropriate activities. By using alerts, logs, reports, and real-time monitoring effectively, network administrators can better manage the activities that can compromise the security or the performance of an ISA Server computer. In addition, network administrators can use specialized assessment tools to monitor network security.

After completing this module, you will be able to:

• Plan a strategy for monitoring and reporting ISA Server activities.
• Configure alerts to monitor intrusion detection.
• Configure logging to monitor ISA Server activity.
• Use reports to analyze ISA Server activity.
• Monitor ISA Server computer activity.
• Test the ISA Server configuration.

Planning a Monitoring and Reporting Strategy

Topic Objective: To describe guidelines to consider when planning a monitoring and reporting strategy.

Lead-in: Consider the following guidelines when you plan a monitoring and reporting strategy.

• Categorize the information that you need to collect
• Determine what information is most critical
• Document your strategy
• Create a strategy for how to respond to critical events
• Create a schedule for regular review of logs
• Design a plan for archiving logs

Consider the following guidelines when you plan a monitoring and reporting strategy:

• Categorize the information that you need to collect, including the following items:
  - Real-time alerts
  - Trends of performance
  - Trends of security-related events
• Determine the information that is the most critical, and then:
  - Configure real-time alerting for only the most critical issues.
  - Review the logs frequently for events that may signal serious issues and that may require prompt, but not immediate, attention.
  - Review all of the logs for important trends. Ensure that your summary reports capture the information that is the most important to you.
• Document your strategy.
• Create a strategy for how to respond to critical events, such as:
  - Network security breaches
  - Denial of service attacks
  - Unusual usage patterns
• Create a schedule for regular review of the logs.
• Design a plan for archiving the logs.
  - You can use archived logs to discover trends, to investigate the source of future alerts, or for legal purposes.

Date posted: 10/12/2013, 16:16
