Workstation monitoring is a crucial aspect of comprehensive network security that is sometimes overlooked. Threats to your workstations come in a variety of forms and can open the door to a breach or intrusion into your corporate network. Some common threats to workstation security include your setup being exploited, credentials being stolen, unauthorized access being gained, and confidential data being stolen via USB sticks and other mass storage devices. These are just a few of the many threats security teams face that can undermine important IT security policies and regulations.


With its many built-in Active Responses, SolarWinds Log & Event Manager (LEM) can help combat critical workstation security threats lurking in your network. LEM's Active Responses are automated and programmed to react in real time and counter anomalies, threats, and policy violations—all without requiring human intervention to confirm or activate any action.


Let’s discuss some useful Active Responses that LEM offers out of the box for workstation security and management.


#1 Kill Suspicious and Unapproved Processes


There are instances when unknown applications and processes run in the background on your enterprise workstations. While some of these are harmless, other rogue processes are potentially dangerous and can infect your endpoints. You need to be alerted in real time when such suspicious and unauthorized processes are running on the endpoints, and be able to kill them automatically.


LEM Active Response: The Kill Process Active Response enables LEM to automatically kill a suspicious or unapproved process by name or by ID. Based on the value in the ProcessID field of the corresponding LEM alert, LEM kills the process:

  • By ID when the ProcessID value is a number
  • By Name when the ProcessID value is a name
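The by-ID versus by-name rule above is simple, but the way an alert field is interpreted decides what gets killed, so it is worth seeing spelled out. The following is an added example written for this page; it is not SolarWinds or LEM code. It reads a constructed alert record, applies the page's rule (numeric ProcessID means kill by PID, anything else means kill by image name), adds an approved-process allow list (an assumption, not something the page describes) so a known-good name is never killed, and returns the `taskkill` command it would run instead of executing it.

```python
"""Plan a kill-process response from a LEM-style alert's ProcessID field.

Added example for this page; it is not SolarWinds code. The alert dicts and
the approved-process list are constructed, and plan_kill() only *plans* the
response (it returns the taskkill argv it would run), so it is safe to run
anywhere. `taskkill /PID`, `/IM`, `/T` and `/F` are the standard Windows flags.
"""
from dataclasses import dataclass
import re

# Constructed baseline of processes that are allowed to run on these endpoints.
APPROVED_PROCESSES = {"explorer.exe", "svchost.exe", "outlook.exe", "teams.exe"}

# An image name as Windows reports it: letters, digits, '_', '.', '-' or space.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.\- ]+$")


@dataclass(frozen=True)
class KillPlan:
    mode: str       # "id" when killing by PID, "name" when killing by image name
    target: str     # the PID or the normalized image name
    command: list   # taskkill argv that would be executed; empty if nothing to do
    approved: bool  # True when the name is on the allow list (no kill planned)


def normalize_name(name: str) -> str:
    """Lower-case, strip any directory prefix, and append .exe if missing."""
    base = name.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
    if not base.endswith(".exe"):
        base += ".exe"
    return base


def plan_kill(alert: dict) -> KillPlan:
    """Decide how to kill the process referenced by alert['ProcessID'].

    Mirrors the rule on this page: a numeric value is treated as a PID and the
    process is killed by ID; any other value is treated as a process name.
    """
    raw = str(alert.get("ProcessID", "")).strip()
    if not raw:
        raise ValueError("alert has no ProcessID field")

    if raw.isdigit():
        pid = int(raw)
        if pid <= 0:
            raise ValueError(f"invalid PID {pid}")
        # Killing by ID: there is no name to check against the allow list, so
        # the plan is always to kill. /T also terminates child processes.
        return KillPlan("id", str(pid),
                        ["taskkill", "/PID", str(pid), "/T", "/F"], approved=False)

    name = normalize_name(raw)
    if not _NAME_RE.match(name):
        raise ValueError(f"ProcessID {raw!r} is neither a PID nor a valid image name")
    approved = name in APPROVED_PROCESSES
    command = [] if approved else ["taskkill", "/IM", name, "/F"]
    return KillPlan("name", name, command, approved)


if __name__ == "__main__":
    # Constructed alerts: one numeric PID, one full path, one approved name.
    for alert in ({"ProcessID": "4312"},
                  {"ProcessID": r"C:\Users\bob\AppData\Local\Temp\dropper"},
                  {"ProcessID": "Outlook.EXE"}):
        print(plan_kill(alert))
```

Note the asymmetry the page's rule creates: a kill by PID cannot be checked against an allow list, so a rule that fires on a numeric ProcessID should be scoped tightly, while a kill by name can be gated on policy before anything is terminated.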



#2 Disable Networking on Infected Workstation


Once a workstation is infected, it is highly likely that the infection will spread to other systems on the network. The wise security action is to disable networking on the infected workstation at the NIC level. This quarantines the offending workstation and isolates it from the network.


LEM Active Response: Use the Disable Networking Active Response to disable networking on a workstation at the Windows® Device Manager level. This action is useful for isolating network infections and attacks, and can be automated in an LEM rule, or executed manually from the Respond menu in the LEM Console.



#3 Remove Unapproved Users from Administrative Group


As the IT administrator, you need to ensure that only approved users are members of the local Administrators group. If ill-intentioned employees or unapproved users gain membership, you should be able to remove them from the administrative group or from AD. Depending on where the unapproved user is identified, at the domain level or at the local level, you should be able to remove the user automatically.


LEM Active Response: LEM uses a Windows Active Response tool based on where you want to remove the user(s) from—the domain level or the local level. This tool configures an actor that enables Windows Active Response capabilities on LEM Agents deployed on Windows operating systems.
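The check behind this response is a comparison of who is actually in the group against who is approved to be there, with the removal command depending on whether the account is local or domain. The following is an added example written for this page, not LEM's own code: it parses a constructed sample of what `net localgroup Administrators` prints on Windows, diffs the members against a constructed approved list, and returns the `net localgroup ... /delete` (local) or `net group ... /delete /domain` (domain) commands it would run rather than executing them.

```python
"""Find members of the local Administrators group that are not on the approved
list and plan their removal at local or domain scope.

Added example for this page; it is not SolarWinds code. NET_OUTPUT is a
constructed sample in the layout `net localgroup Administrators` really prints;
the approved set is constructed too. plan_removals() returns the `net` argv it
would run instead of running it, so this is safe to execute anywhere.
"""

# Constructed sample output, following the real `net localgroup` layout.
NET_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
CORP\\svc_backup
The command completed successfully.
"""

# Constructed policy: accounts allowed in the local Administrators group
# (compared case-insensitively, as Windows treats account names).
APPROVED_ADMINS = {"administrator", "corp\\domain admins"}

END_MARKER = "The command completed successfully."


def parse_members(net_output: str) -> list:
    """Return the member lines between the dashed separator and the end marker."""
    members, in_members = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if not in_members:
            # Everything before the dashed rule is header text.
            in_members = line.startswith("----")
            continue
        if line == END_MARKER or not line:
            break
        members.append(line)
    return members


def unapproved_members(members, approved=APPROVED_ADMINS) -> list:
    """Members whose (lower-cased) name is not in the approved set."""
    return [m for m in members if m.lower() not in approved]


def plan_removals(members, approved=APPROVED_ADMINS, scope="local",
                  group="Administrators") -> list:
    """Build the net commands that would remove each unapproved member.

    scope="local"  -> net localgroup <group> <member> /delete         (on the workstation)
    scope="domain" -> net group <group> <account> /delete /domain     (on the domain)
    """
    commands = []
    for member in unapproved_members(members, approved):
        if scope == "local":
            commands.append(["net", "localgroup", group, member, "/delete"])
        elif scope == "domain":
            # Domain groups take the bare account name, not DOMAIN\name.
            account = member.split("\\", 1)[-1]
            commands.append(["net", "group", group, account, "/delete", "/domain"])
        else:
            raise ValueError(f"unknown scope {scope!r}")
    return commands


if __name__ == "__main__":
    found = parse_members(NET_OUTPUT)
    print("members:", found)
    print("unapproved:", unapproved_members(found))
    for cmd in plan_removals(found):
        print(" ".join(cmd))
```

Keeping the "who is unapproved" decision separate from the "how to remove" step is deliberate: the same diff can feed an alert-only rule first, and the removal command is added to the rule only once the approved list has been confirmed complete.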



#4 Detach Unauthorized USB Device


Intentional or unintentional loss of sensitive information from enterprise workstation endpoints is a grave threat that security practitioners must address. USB devices can be used to steal corporate data and introduce malware or spyware into the workstation. Whenever unauthorized USB access is detected on the network, the USB device should be automatically disabled from the workstation. Some common use cases of dangerous USB activity on the network are:


  • When a computer endpoint gains unauthorized USB access
  • When an authorized USB port logs suspicious user activity
  • When unwarranted data transfer happens between an enterprise computer and USB drive
  • When USB access on a USB port becomes non-compliant with organizational policies
  • When a USB endpoint is compromised and needs to be quarantined


LEM Active Response: The Detach USB Device Active Response allows you to automatically detach a USB or mass storage device from a workstation. This action is useful for allowing only specific devices to be attached to your Windows computers or detaching any device exhibiting suspicious behavior.



SolarWinds Log & Event Manager can additionally detect unexpected or inappropriate network activity, identify isolated spikes in network, proxy, or file activity, and send a popup to the workstation notifying the user that the activity has been spotted. In addition, there are multiple other built-in computer-based and user-based Active Responses available in LEM that will help you protect your workstations from user misbehavior or policy violations.


Leverage the new LEM Workstation Edition for more scalable workstation log management.