Monday, December 14, 2009

ACS Noise Filter: Translating Windows 2003 Server Security EventIDs to those of Windows Server 2008 and the magic number 4096

When implementing an ACS solution, a good working Noise Filter is a must in order to keep the ACS database under tight control. A correctly working Noise Filter not only keeps unneeded events (example: User X Logged On Successfully) out of the database, but keeps the database clean as well.

There is a lot of good documentation on setting Noise Filters, like the ACS Noise Filter Guide from Secure Vantage. This guide is part of their ACS Resource Kit.

However….

All the documentation listing the Security Events which can be filtered out is based on Windows 2003 Server. But what if you are designing an ACS solution for Windows Server 2008 servers? Yes, you can apply the filter as stated in those very same documents. But it won’t work, since the Security EventIDs in Windows Server 2008 DO NOT MATCH the Security EventIDs in Windows 2003 Server!

So a translation of these Windows 2003 Server Security Events to those in Windows Server 2008 is in order. It took me some time, but finally I had all the needed resources in place: a webpage with all the Security Events of Windows 2003 Server, the ACS Noise Filter Guide from Secure Vantage AND the Excel sheet with all Windows Server 2008 Security Events.

But cross-referencing all these sources of information takes a whole lot of time. Way too much, actually. It took me 30 minutes to match 5 Security Events! So it was time for another approach.

When I took a closer look at the matching EventIDs I had found, it seemed like they all differed by the same amount! Could it be? So I ran the calculator and this is what I did: EventID W2K08 – Matching EventID W2K03. And the number 4096 came out. I ran the same ‘formula’ against the other matching EventIDs and the same number came out!

Time for a test. I took a non-matched W2K03 Security EventID and added 4096 to it. Then I searched for that EventID in the Excel sheet with the Windows Server 2008 Security EventIDs:
[Image] The W2K03 EventID.

[Image] Adding 4096 to it.

[Image] The outcome.

[Image] Looking up that EventID in the sheet for Windows Server 2008 Security EventIDs: BINGO!

Rule of Thumb:
When having issues with properly translating Windows 2003 Server Security EventIDs to Windows Server 2008, try to add 4096 to the EventID number as listed in Windows 2003 Server. Then look in the Excel sheet for Windows Server 2008 Security EventIDs whether there is a match. Many times there will be.


Disclaimer:
Windows Server 2008 IS NOT Windows 2003 Server. So many Windows 2003 Events are not found in Windows Server 2008 at all. Keep that in mind when using the above-mentioned Rule of Thumb.
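To apply the Rule of Thumb to a whole noise-filter list at once, and to catch the cases the Disclaimer warns about, here is a small Python script I am adding as an example (it is not part of the original post or of the Secure Vantage kit). It assumes the Windows Server 2008 sheet has been exported to CSV with an EventID column; the two ID lists embedded below are constructed excerpts, and any W2K03 ID whose +4096 counterpart is not in the sheet is reported for manual lookup instead of being put into the filter blindly.

```python
"""Translate a Windows 2003 Server based ACS noise-filter ID list to
Windows Server 2008 EventIDs using the post's rule of thumb (W2K08 ID =
W2K03 ID + 4096), and flag IDs for which the rule gives no real W2K08 ID.
Added example, not code from the original post."""
import csv

OFFSET = 4096  # the "magic number" from the post

# Constructed excerpt of the Windows Server 2008 Security EventID sheet;
# in practice replace it with load_w2k08_ids("w2k08_security_events.csv").
W2K08_EVENT_IDS = {4624, 4625, 4634, 4647, 4672, 4720, 4768, 4769, 4776}

# Constructed excerpt of a Windows 2003 Server based noise-filter list.
W2K03_NOISE_FILTER = [528, 529, 538, 540, 551, 576, 624, 672, 673, 680]


def load_w2k08_ids(csv_path, column="EventID"):
    """Load the W2K08 sheet from a CSV export (assumed to have an
    EventID column) and return the IDs as a set of ints."""
    with open(csv_path, newline="") as fh:
        return {int(row[column]) for row in csv.DictReader(fh)
                if row[column].strip()}


def translate(w2k03_id, w2k08_ids=W2K08_EVENT_IDS):
    """Return the W2K08 EventID for a W2K03 EventID, or None when
    W2K03 ID + 4096 does not exist in the W2K08 sheet."""
    candidate = w2k03_id + OFFSET
    return candidate if candidate in w2k08_ids else None


def translate_filter(w2k03_ids, w2k08_ids=W2K08_EVENT_IDS):
    """Translate a whole filter list. Returns (matched, unmatched):
    matched maps each W2K03 ID to its W2K08 ID; unmatched lists the IDs
    that need manual cross-referencing (the Disclaimer in action)."""
    matched, unmatched = {}, []
    for old in w2k03_ids:
        new = translate(old, w2k08_ids)
        if new is None:
            unmatched.append(old)
        else:
            matched[old] = new
    return matched, unmatched


if __name__ == "__main__":
    matched, unmatched = translate_filter(W2K03_NOISE_FILTER)
    for old, new in sorted(matched.items()):
        print(f"W2K03 {old} -> W2K08 {new}")
    # 540 (+4096 = 4636) is not in the sheet, so it is reported here
    print("Need manual lookup:", unmatched)
```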