Configure LEM to monitor Windows domain controllers for brute force hacking attempts

Monitor your Windows domain controllers using the SolarWinds LEM Agent. After you install and configure the Agent, the software tracks brute force and other types of hacking attempts against your domain controllers and reports all events to the LEM Manager.

These events include:

  • Unauthorized access to your administrative accounts
  • Failed logon attempts
  • Account lockouts
  • User and group modification
  • Change management events

Install the SolarWinds LEM Agent on all domain controllers to ensure the LEM Manager captures all your domain events (even if they are not replicated across all domain controllers).

You can view the events in the LEM console using the change management filter and create custom filters to report all activity on your domain controllers.

Install and configure the LEM Agent

When you install the LEM Agent, you have the option to install USB Defender. This application works together with the LEM Agent to provide real-time notification when a USB drive is installed in your domain controller server. By default, USB Defender generates events related to USB mass storage devices attached to your LEM Agents.

For additional security, Microsoft changed how newer versions of Windows log security events. As a result, SolarWinds LEM Agents on systems running Windows Server 2008, Windows Vista, or Windows 7 require different connectors than Agents running on legacy Windows operating systems.

If you are running both newer and legacy Windows operating systems in your environment, create a connector profile for each operating system.

For LEM Agent software and hardware requirements, see the LEM 6.6 system requirements in the LEM Installation Guide.

Install a LEM Agent on a single Windows domain controller

  1. Download the SolarWinds LEM Agent installer for Windows from the SolarWinds Customer Portal.

  2. Extract the ZIP file contents to a local or network directory.

  3. Run Setup.exe.

  4. To start the installation wizard, click Next.

  5. Accept the End User License Agreement if you agree, and then click Next.

  6. In the Manager Name field, enter the host name of your LEM Manager, and then click Next.

    Do not change the default port values.

  7. Confirm the Manager Communication settings, and then click Next.

  8. (Optional) To install USB Defender with the LEM Agent, select the check box.

  9. Confirm the settings on the pre-Installation summary, and then click Install.

  10. When the installation is complete, click Next to start the LEM Agent service.

  11. Inspect the Agent log for any errors, and then click Next.

  12. To exit the installer, click Done.

  13. The LEM Agent is installed on your system and begins sending events to your LEM Manager and LEM console.

    The LEM Agent continues running on your system until you uninstall the software or manually stop the LEM Agent service.

Configure additional connectors on your LEM Agent

  1. Open the LEM console. See Log in to the LEM web console or Log in to the LEM desktop console for steps.

  2. On the LEM toolbar, navigate to Manage > Nodes.

  3. In the list, locate the LEM Agent.

    Use the Refine Results pane, if needed.

  4. Next to the LEM Agent, click , and then select Connectors.

  5. Locate and select the connector you want to configure.

    Use the Refine Results pane if needed.

  6. Next to the connector, click , and then select New.

  7. Modify the connector (if required), and then click Save.

  8. Next to the new connector instance, click (indicated by an icon in the Status column), and then select Start.

  9. To close the Connector Configuration window, click Close.

  10. Configure the following connectors that apply to your installation on your Windows domain controllers:
    • Windows Directory Service Log
    • Windows DNS Server Log
    • Windows DHCP Server version

Maintain and monitor multiple domain controller Agents

Connector Profiles help you maintain and monitor multiple domain controllers in your LEM console. You can use these profiles to configure and modify connector settings at the profile level, as well as provide a group you can use to filter incoming event traffic from your LEM Agents to your LEM console.

Create a connector profile based on a single SolarWinds LEM Agent

Follow this procedure to create a connector profile based on a single LEM Agent and a corresponding filter to monitor activity on all systems in the profile.

  1. Install the LEM Agent software on all systems you want to include in your new connector profile.

  2. Configure a single LEM Agent to serve as the template for your connector profile.

  3. On the LEM toolbar, navigate to Build > Groups.

  4. Click , and then select Connector Profile.

  5. Enter a profile name and description.

  6. From the Template list, select the new LEM Agent, and then click Save.

  7. In the Groups list, locate your new connector profile.

    Use the Refine Results pane if needed.

  8. Next to your connector profile, click , and then select Edit.

  9. In the Available Agents pane, locate the SolarWinds LEM Agents you want to add to your connector profile.

  10. Click the arrow next to each LEM Agent you want to add to the Contained Agents pane.

  11. When complete, click Save.

Create a filter for all activity in a Connector Profile

  1. Open the LEM console and log on to the LEM Manager as an administrator or auditor.

  2. On the LEM toolbar, click Monitor.

  3. In the filters pane, click , and then select New Filter.

  4. Enter a Name and Description for the filter.

  5. In the Filter Creation list, click Event Groups.

  6. Click Any Alert.

  7. In the Fields: Any Alert list, drag DetectionIP into the Conditions box.

  8. In the Filter Creation list, click Connector Profiles.

  9. Drag your connector profile into the Conditions box, replacing the Text Constant field denoted by a pencil icon.

  10. Click Save.

Clone and enable the Critical Account Logon Failures rule

Clone and enable the Critical Account Logon Failures rule to track failed logon attempts to the default Windows Administrator account. The default action for this rule is to generate a HostIncident event, which you can use in conjunction with the Incidents report to notify auditors that you are auditing the critical events on your network.

  1. Open the LEM console and log on to the LEM Manager as an administrator.

  2. On the LEM toolbar, navigate to Build > Rules.

  3. In the Refine Results pane search box, enter Critical Account Logon Failures.

  4. Next to the rule, click , and then select Clone.

  5. Select the folder where you want to save the cloned rule, and then click OK.

  6. In the Rule Creation window, select Enable, and then click Save.

  7. On the main Rules screen, click Activate Rules.

    The rule is enabled.
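The detection logic behind the event types listed at the top of this page (failed logons, account lockouts) and the Critical Account Logon Failures rule, as an added example that is not part of the original page or of SolarWinds LEM: a sliding-window count of failed logons per source that raises a HostIncident-style alert, run over a constructed sample of forwarded Windows Security events. The Event IDs (4625 failed logon, 4740 account lockout), the field names, the threshold and the window are assumptions for the example; LEM's own rule parameters are configured in the Rule Creation window as described above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real LEM output), simplified to the fields
# the detection needs. 4625 = failed logon, 4740 = account locked out.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "event_id": 4625, "account": "Administrator", "source_ip": "10.0.0.7"},
    {"time": "2024-01-10T09:00:10", "event_id": 4625, "account": "Administrator", "source_ip": "10.0.0.7"},
    {"time": "2024-01-10T09:00:20", "event_id": 4625, "account": "Administrator", "source_ip": "10.0.0.7"},
    {"time": "2024-01-10T09:00:30", "event_id": 4625, "account": "Administrator", "source_ip": "10.0.0.7"},
    {"time": "2024-01-10T09:00:40", "event_id": 4625, "account": "Administrator", "source_ip": "10.0.0.7"},
    {"time": "2024-01-10T09:01:00", "event_id": 4625, "account": "jsmith", "source_ip": "10.0.0.9"},
    {"time": "2024-01-10T09:30:00", "event_id": 4625, "account": "Administrator", "source_ip": "10.0.0.9"},
    {"time": "2024-01-10T09:45:00", "event_id": 4740, "account": "svc_backup", "source_ip": "10.0.0.12"},
]

def detect_incidents(events, account="Administrator", threshold=5, window=timedelta(minutes=2)):
    """Walk events in time order and return HostIncident-style alerts.

    - `threshold` failed logons (4625) for `account` from one source IP
      within `window` raise one incident for that source.
    - Any account lockout (4740) raises an incident immediately.
    """
    recent = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = set()               # sources already reported, to avoid alert storms
    incidents = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4740:
            incidents.append({"type": "HostIncident", "reason": "AccountLockout",
                              "account": ev["account"], "source_ip": ev["source_ip"]})
            continue
        if ev["event_id"] != 4625 or ev["account"] != account:
            continue
        q = recent[ev["source_ip"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ev["source_ip"] not in flagged:
            flagged.add(ev["source_ip"])
            incidents.append({"type": "HostIncident", "reason": "CriticalAccountLogonFailures",
                              "account": account, "source_ip": ev["source_ip"], "count": len(q)})
    return incidents

if __name__ == "__main__":
    for inc in detect_incidents(SAMPLE_EVENTS):
        print(inc)
```

The single failure from 10.0.0.9 against Administrator and the unrelated jsmith failure stay below the threshold, so only the 10.0.0.7 burst and the svc_backup lockout produce incidents.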

Tune Windows Logging for LEM implementation

After you install and configure your LEM Agents, optimize your LEM deployment by tuning your Windows operating system to log the specific events you want to see in your LEM console and store in your LEM database. Set your group and local policies according to your environment requirements. See Configure Windows audit policy for use with LEM for more information.