RE: Monitor Services on Windows machines

From: Levinson, Karl (LevinsonK@STARS-SMI.com)
Date: 02/25/03

    From: "Levinson, Karl" <LevinsonK@STARS-SMI.com>
    To: 'MOHESOWA BYAS ' <byasmohesowa@sbm.intnet.mu>, "'focus-ms@securityfocus.com '" <focus-ms@securityfocus.com>
    Date: Tue, 25 Feb 2003 06:50:56 -0500
    
    

    Monitoring can be done remotely.

    My preferred tool to do this and much more would be www.ipsentry.com. Costs
    around $100 US plus around $20 for the plug-in to monitor Windows event
    logs. Like some other tools, it can page you, email you, send you a NET
    SEND windows popup, etc. It can also test certain services like DNS, HTTP,
    SMTP, etc. to confirm they are actually responding. And, you also get
    notified if an event happens that interferes with the service without
    writing an event to the Windows log [if for example the server stops
    responding to pings]. Monitored items are set up in a hierarchy, so that if
    a router stops responding to ping, IPSentry knows not to also send you
    hundreds of alerts for all the devices that you are monitoring behind that
    router. Note that searching log files remotely like this using any tool can
    hog resources, depending on how much you monitor, so we found it beneficial
    to run IPSentry on a dedicated computer in the corner.

    With Windows 2000 / XP, you could also consider using the restart options in
    the service properties to run a batch file or a NET SEND or BLAT when the
    service stops. You also have the option to automatically restart the
    service as well.

    You could also do this yourself for free by writing a batch file that uses
    DUMPEL from the Microsoft Windows Resource Kits or the free PSList /
    PSLogList from www.sysinternals.com. You write a batch file that runs every
    x minutes for example using WAIT.EXE found from www.google.com, dumps any
    events from the log that match a certain error code to a text file, and then
    use FC or something similar to compare that text file to the copy of the
    text file from the last time the batch file ran. Use BLAT to email you if
    necessary. This is cruder and probably wouldn't be ideal for monitoring
    lots of services, but it's free. I found DUMPEL to be somewhat unreliable
    when run remotely, so you may want to run the batch file locally on each
    computer where services are being monitored.

    You might consider changing the permissions on the services in Windows 2000
    / XP by launching MMC and adding one of the snapins [believe it's the
    Security Templates snapin]. Once you create a security template that
    changes the permissions on the services, you should be able to automate
    pushing those settings out to multiple Windows 2000 / XP machines. You can
    do this by importing that template either into the domain group policy
    [believe this is in the MMC, Active Directory Users and Computers snapin] or
    if that is not an option, push the settings out by using the SECEDIT and AT
    commands to import the template into a security database and then apply the
    database on all the necessary computers. This is perhaps better than just
    monitoring services alone.

    You may also want to turn on auditing, because without this, you don't know
    and can't prove who if anyone stopped a service, whether the service just
    crashed by itself, etc. This auditing can probably be turned on using the
    Security Templates snapin above and then by also using the URLs mentioned in
    the article below:

    http://securityadmin.info/faq.htm#auditing

    As you may know, if the users are in the Administrators group on the
    computer in question, they can undo anything you can do, and it's difficult
    or impossible to reliably restrict them.

    HTH

    -----Original Message-----
    From: MOHESOWA BYAS
    To: focus-ms@securityfocus.com
    Sent: 2/21/2003 4:29 AM
    Subject: [despammed] Monitor Services on Windows machines

    Hi,
    Is there a way to monitor if services on Win 2K Professional machines
    have been stopped or started? Can monitoring be done remotely?

    Aim is to monitor that users do not shutdown or start services that they
    are not supposed to.
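
The dump-and-compare step from the reply above, as an added example that is not part of the original message: instead of FC's whole-file comparison it reports which watched services changed state since the last run, and flags a log that lost entries between runs. Assumptions: the tab-separated dump layout, the sample lines and all function names are constructed for illustration; 7036 is the Service Control Manager state-change event in the System log.

```python
import re

# Assumed dump layout (constructed for this example, not a tool's documented
# output): date, time, source, event id, computer, message, tab-separated.
SCM_SOURCE = "Service Control Manager"
STATE_CHANGE_ID = "7036"  # "The <name> service entered the <state> state."
MESSAGE_RE = re.compile(
    r"^The (?P<service>.+) service entered the (?P<state>\w+) state\.$")

def parse_dump(text):
    """Return the set of (date, time, computer, service, state) events."""
    events = set()
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue  # skip truncated or malformed lines
        date, time, source, event_id, computer, message = fields
        if source != SCM_SOURCE or event_id != STATE_CHANGE_ID:
            continue
        match = MESSAGE_RE.match(message.strip())
        if match:
            events.add((date, time, computer,
                        match.group("service"), match.group("state")))
    return events

def new_state_changes(previous_dump, current_dump, watched):
    """State changes for watched services that were not in the last dump."""
    fresh = parse_dump(current_dump) - parse_dump(previous_dump)
    return sorted(e for e in fresh if e[3] in watched)

def log_was_reset(previous_dump, current_dump):
    """True if events seen last run are gone (log cleared or overwritten)."""
    return bool(parse_dump(previous_dump) - parse_dump(current_dump))

# Constructed sample dumps from two consecutive runs.
PREVIOUS = "\n".join([
    "2/25/2003\t6:40:01 AM\tService Control Manager\t7036\tWKSTN01\t"
    "The Print Spooler service entered the running state.",
    "2/25/2003\t6:41:10 AM\tExampleSource\t1000\tWKSTN01\tUnrelated event.",
])
CURRENT = PREVIOUS + "\n" + "\n".join([
    "2/25/2003\t6:47:12 AM\tService Control Manager\t7036\tWKSTN01\t"
    "The Print Spooler service entered the stopped state.",
    "2/25/2003\t6:48:30 AM\tService Control Manager\t7036\tWKSTN01\t"
    "The Messenger service entered the stopped state.",
])

if __name__ == "__main__":
    for event in new_state_changes(PREVIOUS, CURRENT, {"Print Spooler"}):
        print("ALERT:", *event)
    print("log reset:", log_was_reset(PREVIOUS, CURRENT))
```

The state-change event records what happened, not who did it; attributing a stop to a user still depends on the auditing mentioned in the reply.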


