Centralized SRP Event Auditing

Application Whitelisting technologies such as Software Restriction Policies or AppLocker provide a high level of protection against malware and unwanted software. When the policy blocks the launch of an unwanted program, it writes a record to the Application log on the local computer. This allows an administrator to maintain the security of a given system and update the policy if needed. However, examining event logs on multiple computers requires too much administrative effort, which makes auditing reactive rather than proactive. You can greatly improve control over Application Whitelisting policies by configuring an automatic e-mail notification when a particular event is written to the log.

Automated notifications enable you to achieve the following objectives:

  • quickly respond and update policies when line-of-business applications are found blocked during the initial Application Whitelisting roll-out in a domain;
  • track policy violation attempts;
  • detect and react to attempts to execute malware received from the Internet, flash drives and other sources.

On Windows Vista/7/8, the notification system is simply a Task Scheduler job with the following parameters:

  • User Account: SYSTEM, Do not store password;
  • Run whether user is logged on or not; Run with highest privileges;
  • Trigger: On an Event, Log: Application, Event ID: 865;
  • Action 1: Start a program, CMD /c wevtutil.exe qe Application "/q:*[System [(EventID=865)]]" /f:text /rd:true /c:1 > C:\Windows\EventDetails.txt
  • Action 2: Start a program, BLAT C:\Windows\EventDetails.txt -f eventlog@MyCompany.com -to support@MyCompany.com -subject "EventLog Monitor - SRP Events" -server Mail.MyCompany.com

BLAT is not a built-in Windows command; it is separate command-line freeware downloadable from http://www.blat.net. You could use the built-in "Send an e-mail" Task Scheduler action type instead, but the only way it can forward event details is as an attached text file. In contrast, BLAT lets you place the event details directly in the message body.

You don't need to create this task on each computer manually. To make things much easier, you can use Group Policy Preferences, which let you create the task in Task Scheduler and copy BLAT.EXE to all target workstations and servers in just a few clicks. When Event 865 appears in the Application log, the task is triggered, the event details are extracted from the log and forwarded to a pre-configured mailbox.
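As an added example that is not part of the original post, the Vista/7/8 setup above folded into a single batch file: run it once with the argument install (for example from a startup script or Group Policy) to register the event-triggered task with schtasks, and the task then runs the same file to dump and mail the event. The file name, task name, addresses and mail host are placeholders, BLAT.EXE is assumed to be on the PATH, and the script is assumed to live in a path without spaces such as %SystemRoot%.

```batch
@echo off
REM SrpEventMonitor.cmd (placeholder name; added example, not from the original post)
REM   SrpEventMonitor.cmd install   registers the event-triggered task pointing back at this file
REM   SrpEventMonitor.cmd           run by the task: mails the newest SRP event 865 in the message body
setlocal
set "DETAILS=%SystemRoot%\EventDetails.txt"
set "TASKNAME=EventLog Monitor - SRP Events"
set "MAILFROM=eventlog@MyCompany.com"
set "MAILTO=support@MyCompany.com"
set "MAILHOST=Mail.MyCompany.com"

if /i "%~1"=="install" goto :install

REM Newest (/rd:true) single (/c:1) Application-log event with ID 865, rendered as text
wevtutil.exe qe Application /q:"*[System[(EventID=865)]]" /f:text /rd:true /c:1 > "%DETAILS%"

REM Send nothing if the query came back empty (e.g. the log was cleared between trigger and query)
for %%A in ("%DETAILS%") do if %%~zA EQU 0 exit /b 0

REM BLAT (http://www.blat.net) puts the file contents into the body; the host name in the subject
REM lets the support mailbox be filtered per computer
blat "%DETAILS%" -f %MAILFROM% -to %MAILTO% -subject "%TASKNAME% on %COMPUTERNAME%" -server %MAILHOST%
exit /b

:install
REM Same settings as the Task Scheduler GUI job described in the post: trigger on an event in the
REM Application log with ID 865, run as SYSTEM (no stored password, runs whether or not a user is
REM logged on) with highest privileges; /F replaces an existing copy of the task.
schtasks /Create /F /TN "%TASKNAME%" /SC ONEVENT /EC Application /MO "*[System[(EventID=865)]]" ^
  /TR "%~f0" /RU SYSTEM /RL HIGHEST
exit /b
```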

On Windows XP/2003, the task is triggered differently. Instead of Task Scheduler, you create the notification job with the EVENTTRIGGERS command:

EVENTTRIGGERS /Create /TR "EventLog Monitor - SRP Events" /RU "SYSTEM" /L Application /EID 865 /TK "C:\Windows\EventLogMonitor-SRP.bat"

Then the reaction to the event is programmed in the EventLogMonitor-SRP.bat file as follows:

CSCRIPT C:\Windows\System32\eventquery.vbs -l Application -fi "ID eq 865" -R 1 -v > C:\Windows\EventDetails.txt
BLAT C:\Windows\EventDetails.txt -f eventlog@MyCompany.com -to support@MyCompany.com -subject "EventLog Monitor - SRP Events" -server Mail.MyCompany.com

Both the CSCRIPT command and the VBS file are built into the operating system. To schedule the triggers, I would recommend running the EVENTTRIGGERS command as part of a Startup Script in a domain policy. To target the policy at particular OS versions, you may want to use a WMI filter:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.%"

Of course, you can easily extend this inexpensive monitoring solution by including additional event types, for example Account Lockout (XP/2003: EventID=644, Log: Security; Vista/7/8: EventID=4740, Log: Security). Just give it a try!
