Microsoft KB Archive/300504

= HOW TO: Configure Performance Counters and Logs to Monitor Unauthorized Attempts to Access Your Computer in Windows 2000 Server =

Article ID: 300504

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q300504



IN THIS TASK

 * SUMMARY
 * MORE INFORMATION
 * Configure a Counter Log to Monitor Unauthorized File Access and Logon Attempts
 * Configure Alerts to Monitor Unauthorized File Access and Logon Attempts
 * REFERENCES



SUMMARY
This step-by-step article describes how to use the Performance Logs and Alerts service to create counter logs and alerts to monitor unauthorized attempts to access your computer in Microsoft Windows 2000 Server.




MORE INFORMATION
You can configure counter logs in the Performance Logs and Alerts service to monitor the number of failed logon attempts and the number of failed attempts to access files on your computer. When you regularly examine counter logs, you may be able to detect some types of security violations before they succeed. You can also configure alerts to send a message and notify you if a potential security violation occurs. Alerts are critical security controls that help you perform real-time monitoring.

Note: To perform the procedures that are described in this article, you must log on as Administrator or as a member of the Administrators group.


Configure a Counter Log to Monitor Unauthorized File Access and Logon Attempts
 1. Click Start, point to Programs, point to Administrative Tools, and then click Performance Logs and Alerts.
 2. Expand Performance Logs and Alerts, and then click Counter Logs.
 3. Right-click an empty area of the right pane, and then click New Log Settings.
 4. In the Name box, type a name for the log, and then click OK.
 5. Click the General tab, click Add, and then click Use local computer counters.
 6. In the Performance object box, click Server, click Select counters from list, click Errors Access Permissions, and then click Add.
 7. Click Errors Granted Access, click Add, click Errors Logon, click Add, and then click Close.
 8. Click the Log Files tab, and then do the following:
     a. In the Location box, specify the location where you want to store the log files, for example, C:\PerfLogs.
     b. In the File name box, type the name that you want for the log file.
     c. Click to select the End file names with check box, and then click yyyymmdd.
     d. In the Log file type box, click Text File - CSV.
     e. Under Log file size, click Maximum limit.
 9. Click the Schedule tab, specify the start and stop times for the counter log, and then click OK.
 10. Right-click the log file that you just created, and then click Save Settings As.
 11. In the File name box, specify a name and location where you want to save the .htm file, and then click Save.
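The counter log that this procedure produces is a CSV text file, so it can be reviewed with a short script. The following is an added example, not part of the original article: it goes one step beyond the procedure by reporting the increase between consecutive samples instead of the raw counter value. It assumes that the first column of the log is the sample timestamp, that each remaining column header is a counter path ending in the counter name, and that the three Server counters are running totals; the server name SRV01 and all sample values are constructed.

```python
import csv
import io

# Counters that the procedure adds from the Server performance object.
COUNTERS = ("Errors Access Permissions", "Errors Granted Access", "Errors Logon")

# Constructed sample log (assumed layout: timestamp, then one column per counter path).
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\SRV01\Server\Errors Access Permissions","\\SRV01\Server\Errors Granted Access","\\SRV01\Server\Errors Logon"
"02/28/2007 10:00:00.000","4","1","10"
"02/28/2007 10:00:15.000","4","1","12"
"02/28/2007 10:00:30.000","5"," ","95"
"02/28/2007 10:00:45.000","31","1","96"
"02/28/2007 10:01:00.000","0","0","2"
'''


def find_spikes(log_text, limit):
    """Return (timestamp, counter, increase) for each sample interval in which
    a monitored counter grew by more than `limit`."""
    rows = csv.reader(io.StringIO(log_text))
    header = next(rows)
    # Map column index -> counter name, matching the last component of the path.
    columns = {}
    for idx, path in enumerate(header[1:], start=1):
        name = path.rsplit("\\", 1)[-1]
        if name in COUNTERS:
            columns[idx] = name
    previous = {}
    spikes = []
    for row in rows:
        if not row:
            continue
        for idx, name in columns.items():
            try:
                value = float(row[idx])
            except (IndexError, ValueError):
                continue  # blank or missing sample: keep the old baseline
            last = previous.get(name)
            previous[name] = value
            if last is None or value < last:
                continue  # first sample, or the total restarted from zero
            if value - last > limit:
                spikes.append((row[0], name, int(value - last)))
    return spikes


if __name__ == "__main__":
    for stamp, counter, increase in find_spikes(SAMPLE_LOG, limit=20):
        print(f"{stamp}  {counter} rose by {increase}")
```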


Configure Alerts to Monitor Unauthorized File Access and Logon Attempts
 1. Click Start, point to Programs, point to Administrative Tools, and then click Performance Logs and Alerts.
 2. In the console tree, expand Performance Logs and Alerts, and then click Alerts.
 3. Right-click an empty area of the right pane, and then click New Alert Settings From.
 4. In the Open box, click the .htm file that you created and saved earlier, and then click Open.
 5. Click OK if you receive the message that you are creating an alert from a counter log.
 6. In the Name box, type a name for the alert, and then click OK.
 7. Click the General tab, and then configure the following settings for each counter that is listed in the Counters box:
     a. In the Alert when the value is box, click Over.
     b. In the Limit box, type the number of errors that can occur before an alert is generated.
 8. Click the Action tab, and then specify the action that you want to occur when an alert is triggered:
     * If you want the Performance Logs and Alerts service to create an entry in the Application log of Event Viewer when an alert occurs, click to select the Log an entry in the application event log check box.
     * If you want the Performance Logs and Alerts service to trigger the Messenger service to send a message, click to select the Send a network message to check box, and then type the Internet Protocol (IP) address or name of the computer on which the alert message should appear.
     * To start a counter log when an alert occurs, click to select the Start performance data log check box, and then specify the counter log that you want to run.
     * To run a command or program when an alert occurs, click to select the Run this program check box, and then type the file path and name of the program or command that you want to run, or click Browse to locate the file.

       When an alert occurs, the service creates a process and runs the specified command file. The service also copies any command-line arguments you define to the command line that is used to run the file. Click Command Line Arguments, and then click to select the appropriate check boxes to include the arguments that you want when the program is run.
 9. Click the Schedule tab, specify the start and stop times for the scan, and then click OK.

Important: The counter does not monitor failed interactive logons at the console or through Remote Desktop Protocol (RDP). Instead, the counter only monitors server message block (SMB) communications logons (for example, when a user tries to open a file on the server but they lack permissions to the share). The Server object in Performance Monitor refers only to shares.


<div class="references_section">