
RE: Monitor Services on Windows machines

From: Levinson, Karl <LevinsonK(at)STARS-SMI.com>
Date: Tue Feb 25 2003 - 06:50:56 EST


Monitoring can be done remotely.

My preferred tool to do this and much more would be www.ipsentry.com. Costs around $100 US plus around $20 for the plug-in to monitor Windows event logs. Like some other tools, it can page you, email you, send you a NET SEND Windows popup, etc. It can also test certain services like DNS, HTTP, SMTP, etc. to confirm they are actually responding. And you also get notified if an event happens that interferes with the service without writing an event to the Windows log [if for example the server stops responding to pings]. Monitored items are set up in a hierarchy, so that if a router stops responding to ping, IPSentry knows not to also send you hundreds of alerts for all the devices that you are monitoring behind that router. Note that searching log files remotely like this using any tool can hog resources, depending on how much you monitor, so we found it beneficial to run IPsentry on a dedicated computer in the corner.

With Windows 2000 / XP, you could also consider using the restart options in the service properties to run a batch file or a NET SEND or BLAT when the service stops. You also have the option to automatically restart the service as well.

You could also do this yourself for free by writing a batch file that uses DUMPEL from the Microsoft Windows Resource Kits or the free PSList / PSLogList from www.sysinternals.com. You write a batch file that runs every x minutes, for example using WAIT.EXE found from www.google.com, dumps any events from the log that match a certain error code to a text file, and then uses FC or something similar to compare that text file to the copy of the text file from the last time the batch file ran. Use BLAT to email you if necessary. This is cruder and probably wouldn't be ideal for monitoring lots of services, but it's free. I found DUMPEL to be somewhat unreliable when run remotely, so you may want to run the batch file locally on each computer where services are being monitored.

You might consider changing the permissions on the services in Windows 2000 / XP by launching MMC and adding one of the snapins [believe it's the Security Templates snapin]. Once you create a security template that changes the permissions on the services, you should be able to automate pushing those settings out to multiple Windows 2000 / XP machines. You can do this by importing that template either into the domain group policy [believe this is in the MMC, Active Directory Users and Computers snapin] or, if that is not an option, push the settings out by using the SECEDIT and AT commands to import the template into a security database and then apply the database on all the necessary computers. This is perhaps better than just monitoring services alone.

You may also want to turn on auditing, because without this, you don't know and can't prove who if anyone stopped a service, whether the service just crashed by itself, etc. This auditing can probably be turned on using the Security Templates snapin above and then by also using the URLs mentioned in the article below:

http://securityadmin.info/faq.htm#auditing

As you may know, if the users are in the Administrators group on the computer in question, they can undo anything you can do, and it's difficult or impossible to reliably restrict them.


HTH

-----Original Message-----
From: MOHESOWA BYAS
To: focus-ms@securityfocus.com
Sent: 2/21/2003 4:29 AM
Subject: [despammed] Monitor Services on Windows machines

Hi,
Is there a way to monitor if services on Win 2K Professional machines have been stopped or started? Can monitoring be done remotely?

Aim is to monitor that users do not shut down or start services that they are not supposed to.

Received on Tue Feb 25 13:10:17 2003
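
The dump-and-compare approach described in the reply above, as an added example that is not part of the original e-mail: a PowerShell script meant to run on a schedule, using Get-WinEvent in place of DUMPEL/PsLogList and a saved RecordId in place of the FC comparison. The state-file path and the watched service names are assumptions.

```powershell
# Added example, not from the original post. Get-WinEvent stands in for
# DUMPEL/PsLogList; the state-file path and watched names are assumptions.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$StateFile    = "$env:ProgramData\svcwatch\$ComputerName.txt",  # hypothetical path
    [string[]]$Watch      = @('Print Spooler', 'Windows Time')              # display names, examples only
)

# High-water mark: RecordId of the newest event already reported.
# RecordId restarts when the log is cleared, so delete the state file after a clear.
$last = 0L
if (Test-Path $StateFile) { $last = [long](Get-Content $StateFile -TotalCount 1) }

# Event 7036, Service Control Manager: "The <name> service entered the <state> state."
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036 }
try {
    # -MaxEvents bounds the remote read; newest events are returned first.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                    -MaxEvents 500 -ErrorAction Stop)
} catch {
    # An empty result is reported as an error; anything else (host down,
    # access denied) must surface, or the monitor fails silently.
    if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
    $events = @()
}

$new  = @($events | Where-Object { $_.RecordId -gt $last } | Sort-Object RecordId)
$hits = @(foreach ($e in $new) {
    $service = [string]$e.Properties[0].Value   # service display name
    $state   = [string]$e.Properties[1].Value   # "running" / "stopped" (localized text)
    if ($Watch -contains $service) {
        [pscustomobject]@{
            Time = $e.TimeCreated; Computer = $e.MachineName
            Service = $service; State = $state; RecordId = $e.RecordId
        }
    }
})

# Advance the mark only after a successful read, then emit the changes.
if ($new.Count -gt 0) {
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    Set-Content -Path $StateFile -Value $new[-1].RecordId
}
$hits
if ($hits.Count -gt 0) { exit 1 }   # non-zero exit lets a scheduler trigger the alert
```

Event 7036 records that a service changed state but not which account changed it; attributing the change still depends on the auditing mentioned in the reply.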

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:27 EDT

