Establish Baselines

You cannot decide which events deserve investigation as possible security incidents unless you know what is normal, so the first step in detecting abnormality is establishing a baseline. If you know what is ordinary for your organization, the unusual stands out. For example, do you know how many logon failure events in a domain controller's event log represent ordinary forgetfulness or error on the part of your users? Users forget passwords and mistype them, so there will always be failed logon events in the logs. If you know how many logon failures are typical, and when (a Monday morning and a weekend night have very different counts), you will not be alarmed by the normal background but will correctly identify a sudden rise in logon failures as something to investigate immediately. ...
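As an added example (not code from the book), the following Python script learns such a baseline from a Security-log export and flags the day that departs from it. The record layout, the sample data and the event IDs (529 and 675 for failed logons on Windows Server 2003, 4625 on later versions, 528 for a successful logon) are assumptions made for the illustration; it also counts distinct failing accounts per day, which separates a few forgetful users from many accounts failing at once.

```python
"""Baseline the volume of failed-logon events on a domain controller and
flag days that depart from it.

Added illustration; not code from the book. Assumptions (not from the
page): events arrive as (timestamp, event_id, account) tuples parsed from
the Security log, and the Windows Server 2003 failure IDs are 529 (NTLM
logon failure, bad user name or password) and 675 (Kerberos pre-auth
failure); 4625 is the equivalent on later Windows versions.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

FAILED_LOGON_IDS = {529, 675, 4625}   # assumed IDs, see module docstring


def daily_failure_counts(events):
    """Count failed-logon events per calendar day; other IDs are ignored."""
    counts = Counter()
    for ts, event_id, _account in events:
        if event_id in FAILED_LOGON_IDS:
            counts[ts.date()] += 1
    return dict(counts)


def distinct_accounts_per_day(events):
    """Number of distinct accounts that failed to log on, per day.
    A few users mistyping is normal; many accounts failing at once is not."""
    accounts = defaultdict(set)
    for ts, event_id, account in events:
        if event_id in FAILED_LOGON_IDS:
            accounts[ts.date()].add(account)
    return {d: len(a) for d, a in accounts.items()}


def learn_baseline(counts_by_day, baseline_days):
    """Mean and population std-dev of the daily count over a learning
    window. Only the days in baseline_days are used, so a later incident
    does not inflate the baseline it is measured against."""
    values = [counts_by_day.get(d, 0) for d in baseline_days]
    if len(values) < 2:
        raise ValueError("need at least two baseline days")
    return mean(values), pstdev(values)


def flag_anomalies(counts_by_day, mu, sigma, k=3.0):
    """Return (day, count, threshold) for days above mu + k*sigma.
    A floor of 2*mu stops a very flat baseline (sigma near 0) from
    flagging a single extra mistyped password."""
    threshold = max(mu + k * sigma, 2 * mu)
    return sorted((d, c, threshold) for d, c in counts_by_day.items()
                  if c > threshold)


def build_sample_events():
    """Constructed sample data, not real logs: 14 ordinary days with a
    handful of users mistyping passwords, then one day with 180 failures
    across 60 accounts in two hours (what a password-spraying attempt or a
    misconfigured service account looks like)."""
    start = datetime(2003, 6, 1, 8, 0)
    ordinary = [12, 9, 15, 11, 8, 14, 10, 13, 12, 9, 11, 10, 14, 12]
    events = []
    for day, n in enumerate(ordinary):
        for i in range(n):
            ts = start + timedelta(days=day, minutes=30 * i)
            events.append((ts, 675 if i % 2 else 529, f"user{i % 5}"))
    burst = start + timedelta(days=14)
    for i in range(180):
        events.append((burst + timedelta(seconds=40 * i), 529, f"user{i % 60}"))
    events.append((start, 528, "user0"))   # assumed successful-logon ID, must be ignored
    return events


if __name__ == "__main__":
    evts = build_sample_events()
    counts = daily_failure_counts(evts)
    accounts = distinct_accounts_per_day(evts)
    baseline_days = sorted(counts)[:14]
    mu, sigma = learn_baseline(counts, baseline_days)
    print(f"baseline: {mu:.1f} +/- {sigma:.1f} failures/day")
    for day, count, threshold in flag_anomalies(counts, mu, sigma):
        print(f"{day}: {count} failures from {accounts[day]} accounts "
              f"(threshold {threshold:.1f}) -> investigate")
```

The learning window is deliberately separate from the days being judged: if the burst day were included in the baseline, it would raise the mean and standard deviation and partly hide itself. In production the same calculation would be kept per weekday and per hour rather than per calendar day, and re-learned periodically as the user population changes.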

Excerpt from Windows Server 2003 Security: A Technical Reference (O'Reilly).