Document: Module 8: Monitoring and Reporting ppt


Contents

  Overview
  Planning a Monitoring and Reporting Strategy
  Monitoring Intrusion Detection
  Monitoring ISA Server Activity
  Analyzing ISA Server Activity by Using Reports
  Monitoring Real-Time Activity
  Testing the ISA Server Configuration
  Lab A: Monitoring and Reporting
  Review

Module 8: Monitoring and Reporting

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart

Instructor Notes

This module provides students with the knowledge and skills to monitor Microsoft® Internet Security and Acceleration (ISA) Server 2000 activities by using alerts, logging, reporting, and real-time monitoring.

After completing this module, students will be able to:

• Plan a strategy for monitoring and reporting ISA Server activities.
• Configure alerts to monitor intrusion detection.
• Configure logging to monitor ISA Server activity.
• Use reports to analyze ISA Server activity.
• Monitor ISA Server computer activity.
• Test the ISA Server configuration.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 2159A_08.ppt.
• The file C:\MOC\2159a\Labfiles\Lab09\portscan.cmd.

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Configure Monitoring and Reporting,” “Monitoring and Reporting,” “Event Messages,” and “Performance Counters” in ISA Server Help.
• Read Module 8, "Monitoring and Optimizing Performance in Windows 2000," in Course 2152B, Implementing Microsoft Windows® 2000 Professional and Server.
• Review the \sdk\bin\isasdk.chm file on the ISA Server compact disc.

Presentation: 45 Minutes
Lab: 30 Minutes

Instructor Setup for Lab

Lab A: Monitoring and Reporting

To prepare for the lab:

1. Open a command prompt window.
2. At the command prompt, type cd C:\MOC\2159a\Labfiles\Lab8
3. When a student asks you during the lab to perform a simulated port scan attack, type portscan ip_address (where ip_address is the IP address of the student’s ISA Server computer on the classroom network), and then press ENTER.

Module Strategy

Use the following strategy to present this module:

• Planning a Monitoring and Reporting Strategy
  Begin the module by describing the guidelines to consider when planning a monitoring and reporting strategy.

• Monitoring Intrusion Detection
  When describing the different types of network intrusion, do not explain each attack in detail, but use one or two of them as examples. Emphasize that although ISA Server generates events when an intrusion attack occurs, ISA Server generates alerts only if you specifically configure ISA Server to do so. Do not cover all of the ISA Server events in detail. Instead, refer students to ISA Server Help for more information about specific events.

• Monitoring ISA Server Activity
  Explain that logging to a database can centralize ISA Server logs and secure the log data. Emphasize that logging both allowed packets and blocked packets can cause a considerable load on the server and that you should enable logging for allowed packets for diagnostic purposes only.

• Analyzing ISA Server Activity by Using Reports
  Explain that ISA Server reports require summaries of saved logs and that you can create an ISA Server report only after ISA Server has created at least one daily summary. Emphasize that if a server belongs to a multi-server array, the administrator generating the reports must have the appropriate permissions on each ISA Server computer in the array. Briefly display an example of each report format to illustrate the contents of the reports.

• Monitoring Real-Time Activity
  Explain that the ISA Server real-time monitoring feature enables you to centrally monitor ISA Server computer activity, including the current sessions. Point out the ISA Server Performance Monitor on the Microsoft ISA Server menu.

• Testing the ISA Server Configuration
  Explain that after configuring ISA Server, it is recommended that you test your configuration to ensure that ISA Server correctly enforces the security settings. Explain that you can use a third-party intrusion detection system or the applications that are included with Windows 2000 to test the ISA Server configuration.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
Important: The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

Lab Setup

The following list describes the setup requirements for the lab in this module.

Setup Requirement 1

The lab in this module requires that ISA Server be installed on all ISA Server computers. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Perform a full installation of ISA Server manually.

Setup Requirement 2

The lab in this module requires that the ISA Server administration tools be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the ISA Server administration tools manually.

Setup Requirement 3

The lab in this module requires that the Firewall Client be installed on all ISA Server client computers. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.

Setup Requirement 4

The lab in this module requires that all ISA Server client computers be configured to use the ISA Server computer’s IP address on the private network as their default gateway.
To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure the default gateway manually. Setup Requirement 5 The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure Internet Explorer manually. Setup Requirement 6 The lab in this module requires that Internet Information Services (IIS) be configured on all ISA Server computers to use Transmission Control Protocol (TCP) port 8008 for the default Web site. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Configure IIS manually. Setup Requirement 7 The lab in this module requires a protocol rule on the ISA Server computer that allows all members of the Domain Admins group to gain access to the Internet by using any protocol. To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Create the rule manually. Setup Requirement 8 The lab in this module requires that packet filtering be enabled on the ISA Server computer. 
To prepare student computers to meet this requirement, perform one of the following actions:  Complete Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.  Enable packet filtering manually. viii Module 8: Monitoring and Reporting Lab Results Performing the lab in this module introduces the following configuration changes:  Intrusion detection is enabled.  Alerts are configured for port scanning.  Reports are created.  The ISA Server computer is published as a Network News Transfer Protocol (NNTP) server.  The ISA Server client computer is published as a Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) server. Module 8: Monitoring and Reporting 1 Overview  Planning a Monitoring and Reporting Strategy  Monitoring Intrusion Detection  Monitoring ISA Server Activity  Analyzing ISA Server Activity by Using Reports  Monitoring Real-Time Activity  Testing the ISA Server Configuration ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Without a monitoring and reporting strategy in place for a Microsoft ® Internet Security and Acceleration (ISA) Server 2000 computer, network administrators may be unaware of important events or trends, be confronted with a profusion of false alerts, or configure logs and reports that do not monitor the appropriate activities. By using alerts, logs, reports, and real-time monitoring effectively, network administrators can better manage the activities that can compromise the security or the performance of an ISA Server computer. In addition, network administrators can use specialized assessment tools to monitor network security. After completing this module, you will be able to:  Plan a strategy for monitoring and reporting ISA Server activities.  Configure alerts to monitor intrusion detection.  Configure logging to monitor ISA Server activity. 
 Use reports to analyze ISA Server activity.  Monitor ISA Server computer activity.  Test the ISA Server configuration. Topic Objective To provide an overview of the module topics and objectives. Lead-in In this module, you will learn about monitoring ISA Server activities by using alerts, logging, reporting, and real- time monitoring. 2 Module 8: Monitoring and Reporting Planning a Monitoring and Reporting Strategy Categorize the information that you need to collect Categorize the information that you need to collect Determine what information is most critical Determine what information is most critical Document your strategy Document your strategy Create a schedule for regular review of logs Create a schedule for regular review of logs Design a plan for archiving logs Design a plan for archiving logs Create a strategy for how to respond to critical events Create a strategy for how to respond to critical events ***************************** ILLEGAL FOR NON - TRAINER USE ****************************** Consider the following guidelines when you plan a monitoring and reporting strategy:  Categorize the information that you need to collect, including the following items: • Real-time alerts • Trends of performance • Trends of security-related events  Determine the information that is the most critical, and then: • Configure real-time alerting for only the most critical issues. • Review the logs frequently for events that may signal serious issues and that may require prompt, but not immediate, attention. • Review all of the logs for important trends. Ensure that your summary reports capture the information that is the most important to you.  Document your strategy.  Create a strategy for how to respond to critical events, such as: • Network security breaches. • Denial of services attacks. • Unusual usage patterns.  Create a schedule for regular review of the logs.  Design a plan for archiving the logs. 
  • You can use archived logs to discover trends, to investigate the source of future alerts, or for legal purposes.

Topic Objective: To describe guidelines to consider when planning a monitoring and reporting strategy.
Lead-in: Consider the following guidelines when you plan a monitoring and reporting strategy.

[...]

... client applications, and destinations. Application usage reports can help you to plan network capacity and determine bandwidth policies. Application usage reports are based on the Firewall service logs.

Traffic and Utilization Reports

Traffic and utilization reports display total Internet usage by application, protocol, and direction; average traffic and peak simultaneous...

... expand Monitoring, and then click Reports.
2. In the details pane, right-click the applicable report job, and then click Save As.
3. In the Save As dialog box, in the File Name box, type a name for the report, and then in the Save as type list, select Microsoft Excel Workbook (*.xls).

Monitoring Real-Time Activity

Topic Objective: To identify the topics related to monitoring...

... incoming and outgoing requests and how ISA Server responded to these requests. When you configure logging, ISA Server generates logs for each server in the array. ISA Server includes logs for access and for security activity. You can configure ISA Server to generate logs in several data formats and then analyze the logs for usage, performance, and security monitoring...

... Management, in the console tree, expand Monitoring, expand Reports, and then click the report type that you want to save.
2. In the details pane, right-click the applicable report job, and then click Save As.
3. In the Save As dialog box, in the File Name box, type a name for the report, and then in the Save as type list, select Web Page (*.htm; *html).

Saving Reports as Excel...
... during off-peak hours.
5. Under Recurrence pattern, select the rate of recurrence for the report job.
6. On the Credentials tab, in the Username box, type the name of a user with permissions to generate the report; in the Domain box, type the user's domain; in the Password box, type the user's password, and then click OK.

Using Predefined...

... expand Monitoring Configuration, right-click Report Jobs, and then click Properties.
2. In the Report Jobs Properties dialog box, on the Log Summaries tab, select the Enable daily and monthly summaries check box.
3. Select the ISASummaries folder or another folder as the location of the logs.
4. Choose the number of daily and monthly summaries that ISA Server saves, and then click OK...

... on the Web Proxy service logs, the Firewall service logs, and the Packet filter logs.

Viewing and Saving Reports

• Viewing Reports
• Saving Reports

Topic Objective: To describe the procedures that you use to view and save reports.
Lead-in: Reports enable administrators to better understand their security settings and network usage.

Saving reports as Web pages
Saving reports...

... array, expand Monitoring, and then click Sessions. The sessions are listed in the details pane.

Disconnecting Sessions

To disconnect a client session:

1. In ISA Management, in the console tree, expand Servers and Arrays, expand the applicable server or array, expand Monitoring, and then click Sessions.
2. On the View menu, click Advanced.
3. In the details pane, right-click the applicable session, and then...
... Click Database, and then confirm or modify the following parameters:
  • ODBC data source (DSN)
  • Table name
  • Use this account
4. On the Fields tab, select the fields that you want ISA Server to include in the logs, and then click OK.

Note: For more information about the fields, see “Firewall and Web Proxy log fields” and “Packet Filter log fields” in ISA Server Help...

... box, and then click OK.

Logging Allowed Packets

To log allowed packets for all packet filters:

1. In ISA Management, in the console tree, right-click IP Packet Filters.
2. In the details pane, click Configure Packet Filtering and Intrusion Detection, and then click Properties.
3. On the Packet Filters tab, select the Log packets from 'Allow' filters check box, and then...

Date posted: 10/12/2013, 22:15
