Access Denied: Monitoring Security with Custom MMC Consoles

Every day, I check all servers I manage for security events. When I make my rounds, I have to connect to each computer individually and redefine the Event Viewer filters. Do you have a better approach?

The solution is to build a custom Microsoft Management Console (MMC) console and use the MMC Event Viewer snap-in's New log view feature. First, create a new console by clicking Start, Run, then typing

mmc

and clicking OK. Select Add/Remove Snap-in from the File menu and click Add in the Add/Remove Snap-in window. In the Add Standalone Snap-in window, select Event Viewer from the list of available snap-ins and click Add. In the Select Computer window, select the Another computer check box and enter the name of one of your servers, then click Finish. Click Close, then click OK. Repeat this procedure to load a copy of the Event Viewer snap-in for each server you manage, as Figure 1 shows.

Next, expand Event Viewer for a server in the treeview pane, right-click the Security log, and select New Log View. MMC creates a new view of the Security log called Security (2). Right-click Security (2) and rename it to reflect the first type of event you regularly check for. For example, you might name the view Account Lockouts. Right-click the view again and select View, Filter. On the Filter tab, define the filter according to your needs. For example, to filter for account lockouts, enter 644 in the Event ID field, then click OK. Add another view to the instance of Event Viewer for each type of security event you want to monitor for on that server.

Select the other Event Viewers one by one and create Security log views for the types of security events you want to monitor on that server. After you create all your views, select Save As from the File menu and save the console in a place that you can find it later. Finally, create a shortcut to the new console on the Start menu. When you open the console, you'll be able to access the logs and customized views you created.

One of my favorite views on all types of computers shows failed logon attempts. To configure this view, select the Failure audit check box on the Filter tab, then choose Security from the Event source drop-down list and Logon/Logoff from the Category drop-down list, as Web Figure 1 (http://www.winnetmag.com/windowssecurity, InstantDoc ID 41574) shows. This view shows all failed attempts to log on to the computer either interactively or over the network. For domain controllers (DCs), I also like to create a view that shows failed authentication attempts, which filters for Failure audits for the Account Logon category. This view shows all failed attempts to log on through a domain account in the entire domain, whether the attempted logon used Kerberos or Windows NT LAN Manager (NTLM). You need to create and monitor this view on each DC. You can keep up with new users being added to groups in your domain by creating three views—New Members in Global Groups, New Members in Local Groups, and New Members in Universal Groups—and filtering for event IDs 632 (global group member added), 636 (local group member added), and 660 (security enabled universal group member added), respectively.