Microsoft System Center can ease network security fright

Analysis
Aug 1, 2007

With the right tools and some planning, admins needn't jump at every mysterious network noise

The night is so dark, it sticks to your skin. The young geek wanders lost through thick foliage, branches grabbing his sleeves, the glow from his pitiful penlight only serving to accentuate the crushing blackness all around. Suddenly branches snap under mysterious feet somewhere ahead, his heart jumps into his mouth, and he nearly swallows his penlight in a vain attempt to stay hidden.

“Would you like a cookie, dear?” It’s his mom with a tray of fresh-baked Toll Houses. He was in his backyard the whole time.

Sure, that might have been me on a Cub Scout campout, but too often, that’s exactly what network security means to a harried administrator. With all kinds of real-life problems on your mind, monitoring security just isn’t a day-to-day concern. Then suddenly something happens — a crash, a slowdown, a server that sounds like R2-D2 with gas. The physical checks turn up nothing, so suddenly the dreaded “What if…?” comes to mind. And then you’re wandering the midnight forest with a penlight, trying to scratch up enough security expertise and data to make any kind of guess at what the problem might have been. Meanwhile, your useless supervisor turns into Jiminy Cricket, perched on your shoulder chirping his little mantra in your ear, “If only you’d paid more attention to security. If only…”

Well, swat the little insect. With a little forethought, a little planning, and a little automation, you can turn that midnight terror trudge into a calm garden stroll — or at least give yourself a bigger flashlight. On the Microsoft side, do yourself a favor and actually read the documentation on reporting. Microsoft has done loads of work on its reporting engine, yet most administrators dump this stuff right away because it’s too much work, the learning curve is in the way, and it usually involves asking your boss for a SQL Server box and license. Well, bite the bullet, dent the budget, and RTFM (read the effing manual) because combined with platforms such as System Center, a regular schedule of reports can save your life when you’re hunting the network for a bad-guy bug.

Even something as basic as System Center Essentials (SCE) 2007 (the SMB version of the full System Center package) has upward of 30 prepackaged reports ready to run. And if you take the time to become a true aficionado of the platform, you can create custom reports, no trouble. All you need is SCE on the front and a SQL Server 2005 box on the back — and some quality time with your schedule. Out of the box, pick summary reports — stuff that lets you see what’s connected to the network and as many view slices of what’s on the network as you can comprehend. Then schedule them. SCE will run these automatically and store them. You just pick a day each week (or month if you like living on the edge) to run a manual set of these checks, then compare them across stored history. While you’re at it, purge history that’s too old to be useful and spare your server from choking.

Don’t want to spring for SCE? There are plenty of open source tools that will do a decent job of auto-monitoring a Windows network, too. One I saw in action recently was the Osiris host integrity monitoring tool. Its capabilities aren’t as broad as SCE’s, but it does a great job of watching your file system. Osiris takes periodic snapshots of your file system and stores them in its own database. It also sends alerts when it thinks something isn’t kosher. It needs its own box and that, in turn, needs to be restricted to security personnel only, but it’s a great tool for what it does. Combine this with other packages, such as Snort, and you’ll get a holistic view of your network’s security situation — you just won’t get it from a single console such as SCE.
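As an added illustration of the snapshot-and-compare approach described above (not Osiris's own code), the following Python script fingerprints a directory tree, stores the baseline as a JSON file in place of Osiris's database, and reports what changed on the next run; the file names and the "tampering" in the demo are constructed for the example.

```python
"""Snapshot-and-diff host integrity check in the spirit of the Osiris
approach described above. Added illustration, not Osiris's code; assumes
only the Python standard library and a JSON file instead of a database."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Record size, permission bits and SHA-256 of every regular file under
    `root`, keyed by relative POSIX path so snapshots compare across hosts."""
    root, entries = Path(root), {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # symlinks and special files are out of scope here
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            entries[path.relative_to(root).as_posix()] = {
                "size": st.st_size, "mode": st.st_mode & 0o7777, "sha256": digest}
    return entries

def diff_snapshots(baseline, current):
    """Changes a monitor would alert on: files that appeared, vanished, or
    whose content or permissions no longer match the stored baseline."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}

def demo():
    """Constructed sample: baseline a tree, tamper with it, and re-check."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "svc.exe").write_bytes(b"original service binary")
    (root / "config.ini").write_text("debug=0\n")
    db = Path(tempfile.mkdtemp()) / "baseline.json"  # stored outside the tree
    db.write_text(json.dumps(snapshot(root)))         # the stored snapshot
    # Later "tampering": binary replaced (same length, so a size-only check
    # would miss it), config untouched, unexpected new file dropped in.
    (root / "bin" / "svc.exe").write_bytes(b"replaced service binary")
    (root / "bin" / "extra.dll").write_bytes(b"unexpected")
    return diff_snapshots(json.loads(db.read_text()), snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Run on a real host, the same two functions would be scheduled: one baseline, then periodic snapshots diffed against it, with any non-empty result raised as an alert.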

For the do-it-all administrator, security monitoring is like backup. It’s a pain in the posterior, so you want to devote as little time to it as possible. But you’d better devote some time because if it’s not there when you need it, you’ll be typing a resume. So do a little extra homework. Read up on the logging capabilities of your current servers and figure out how to best automate that information. Then look at those logs and make sure you can understand them. Then check into an overlying monitoring solution such as the ones mentioned above.

When you’re chasing that errant bot, bug, or bastard running roughshod across your wires, knowing what’s supposed to be running, where it’s supposed to be running, and how much of the pipe it’s supposed to be using is knowledge worth its weight in Ring Dings and iPhones.