Why Workstation Log Management is Crucial for Network Security

As system and security admins, we tend to monitor server logs in order to understand various system activities so we can isolate faults, security breaches and policy violations. However, it’s also necessary to explore workstation logs for advanced system and user activity monitoring.

Workstations are arguably one of the most vulnerable entities on your network. They process content from the Internet and email, they come in contact with infected files, external mass storage devices, and can connect to insecure networks over Wi-Fi.

Workstations generate a wealth of log data that provides detailed event information from the endpoint perspective. While server logs remain paramount to monitoring system and user activity, monitoring workstation logs in addition to server logs makes event analysis and user activity awareness even more comprehensive and actionable.

So, What Makes Workstation Logs Vital for Network Security?

There are various security events that can only be understood with the help of log data generated by workstations. These security events include:

  • System User Logoff – This is information that only a workstation would store. To monitor user logons, we can study the logs from the domain controller (DC) that processes the initial authentication when a user logs on to a workstation. But after the logon event, the DC doesn’t have visibility over user activity. The only component on the network that logs the user logoff data is the workstation.

  • Local Account Logon/Logoff – These are crucial events that the DC doesn’t capture. There can be local accounts within a workstation that are prime targets for hackers. As local accounts are often poorly secured, and the DC doesn’t provide data on user logon and logoff, they are prone to account breach. Because the authentication is being handled locally by the workstation, the event is only logged locally. For example, WindowsRegistered systems store this under event ID 4776.

Some Vital Error Codes Found in Windows Workstation Logs for Event ID 4776:

Windows Event Log Table.PNG

  • USB Connections to Workstations – These connections cannot be monitored by the server’s DC. Windows does not audit when devices or removable storage like flash drives are connected or disconnected. Only the workstation logs will provide information on when a USB or mass storage device was connected, by whom, whether the connection was authorized, etc. Based on this information, you can use a security information and event management (SIEM) system to respond to an illegal USB connection, and shut down the device, disable the port, or shut down the system.

 

  • End-user Desktop Programs – It’s crucial to monitor these programs running on your workstations. When a malicious executable is run by the user on the workstation, it can lead to potential advanced persistent threats (APT). The domain controller doesn’t log the programs running on end-user systems. It’s only the workstation logs that provide visibility into what programs a user ran and for how long.

Workstation logs are the easiest means of event awareness that can be used to monitor end-user activity on enterprise workstations, and provide a rich array of security event information. This information will help you create an enterprise audit trail, perform forensics and root cause analysis, and detect threats.

SolarWinds Log & Event Manager for Workstation Log Management

SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution that extends comprehensive log collection, correlation, analysis, and incident response to both servers and workstations.

LEM.PNG

SolarWinds LEM also has out-of-the-box system-based and user-based active responses to counter threats, troubleshoot issues, and react to policy violations on your workstations.

Some useful Active Responses include:

  • Delete User Account and User Group
  • Disable Domain and Local User Account
  • Log Off User
  • Disable Windows Machine Account
  • Restart/Shutdown Machine
  • Block IP Address
  • Disable USB devices
Thwack - Symbolize TM, R, and C