Analecta Cyber Company Blog: Managing Remote Access Logs: Tracking Authorized Users to Limit Unauthorized Access

2018-04-17

Managing Remote Access Logs: Tracking Authorized Users to Limit Unauthorized Access

Remote access to systems eases many administrative and employee burdens, but it comes with real risk: the same connection paths that serve your staff can just as easily hand access to an attacker. We discuss how to detect adversary activity against your business systems early, when it arrives over remote access, and review several best practices: out-of-band logging, remote log forwarding and log auditing.

Why do we need to log events? 

 

Companies that allow their employees unmonitored access to remote resources are at risk of data loss, whether through accidental misuse of the remote connection or through attacks on vulnerabilities in a system with remote access enabled. Event logging enables you to detect anomalies and determine their root cause. Even with logging in place, anomalies cannot be detected unless the logs are actually audited. As you add remote access log auditing, automation and visualization, activity outside the "norm" becomes easier to spot. In turn, you can detect anomalies at an early stage and stop malicious activity before it becomes costly to your organization!

Managing remote access with out-of-band logs


As we have discussed, using the Principle of Least Privilege (PoLP) when granting permissions and access helps to keep your systems secure by reducing risk. The privilege of remote access should likewise be limited to those who specifically require it to do their job. Remote access may be restricted to IT staff who need to troubleshoot devices or repair issues. These staff members should already have a process for documenting how and when they access devices remotely, such as a spreadsheet or a trouble ticket system like Jira or Remedy. Because this record is kept separately from the system's own logs, it is called out-of-band logging.

If you decide to give other employees the option of remote access, require that they also record each use in an out-of-band log, whether a shared spreadsheet, a Google form, or a pen and notebook. IT staff can then verify the server logs against the employees' remote access records to identify whether unauthorized access is occurring.

Remote log forwarding


We have already mentioned one type of logging in this article, manually recording remote access connections out of band, but for that record to be meaningful, the logs on the device itself, such as the Windows Event Logs, need to be enabled and managed. Here are several helpful, actionable recommendations to maximize your ability to detect anomalies or unauthorized access:
  1. Use Event Log subscription/forwarding to centralize host logging. Windows servers can be configured to forward events to a "subscribing" collector server, which becomes a central repository for the Windows logs of the other servers on the network. This makes it easier to monitor events without connecting to each server individually.
  2. Set up the Windows Event Collector service and a subscription. If you know every device on your network that you plan to log, you can use a collector-initiated subscription. Alternatively, a source-initiated subscription lets support staff set up the collector without listing the source computers in advance; as computers come on board, a Group Policy setting points them at the collector, which is easier to manage.
  3. Filter logs for remote logons. A vast number of Event IDs can be collected as part of your company's logging efforts. Two in particular identify logon activity:

    Windows Security Log Event ID 4624 - An account was successfully logged on
    Windows Security Log Event ID 4625 - An account failed to log on

    Both events are recorded for every kind of logon (console, service, scheduled task), so filter on the Logon Type field as well: type 10 (RemoteInteractive) is a Remote Desktop session, and type 3 (Network) covers connections such as file shares and WinRM. The Source Network Address field tells you where the session came from. These events are only written if the "Audit Logon" subcategory of your audit policy is enabled for both success and failure.

  4. Use real-time dashboards or recurring management scripts to report on remote logins. ELK (Elasticsearch, Logstash and Kibana) is an open-source log collection, analytics and visualization stack that can produce daily, weekly and monthly reports on your remote logins. Automation helps you detect patterns over time and tell a more complete story, and visualizing the data makes trends easier to spot.
When these four things are in place, any disparity between the employee-recorded remote access and the machine-recorded remote logons stands out. Every deviation between the two should be investigated to determine whether it is authorized access, employee error or a potential cyber attack.
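Putting the four steps together on a collector, as an added example (this is not code from the original post or from Analecta): the audit policy that makes 4624/4625 appear at all, the Windows Event Collector setup with a source-initiated subscription, the Group Policy value that points source hosts at it, and a report that filters the forwarded events down to remote logon types. The collector name WEC01.example.com, the subscription name RemoteLogons and the 24-hour reporting window are assumptions; everything else is the standard wecutil, auditpol and Get-WinEvent tooling.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
# Collector name WEC01.example.com and subscription name RemoteLogons are assumptions.

# Step 0 (on every source host, or via GPO): turn on logon auditing, otherwise
# 4624/4625 are never written and there is nothing to forward.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Steps 1-2 (on the collector): WinRM is the transport Windows Event Forwarding
# uses; wecutil qc enables and starts the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# Source-initiated subscription: the collector does not list its sources.
# The SDDL admits any Domain Computers account; events land in ForwardedEvents.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>RemoteLogons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Enabled>true</Enabled>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxLatencyTime>30000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="3600000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security">
      <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
    </Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path "$env:TEMP\RemoteLogons.xml" -Value $subscription -Encoding UTF8
wecutil cs "$env:TEMP\RemoteLogons.xml"

# Sources are pointed at the collector through Group Policy:
#   Computer Configuration > Policies > Administrative Templates >
#   Windows Components > Event Forwarding > Configure target Subscription Manager
#   = Server=http://WEC01.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# On each source, NETWORK SERVICE also needs to read the Security log
# (add it to the local Event Log Readers group).

# Step 3: keep only remote logons. 4624/4625 fire for every logon type, so the
# XPath also requires LogonType 10 (RDP) or 3 (network: SMB, WinRM, etc.).
function Get-RemoteLogonReport {
    param([string]$LogName = 'ForwardedEvents', [int]$Hours = 24)
    $ms = $Hours * 3600000
    $xpath = @"
<QueryList><Query Id="0" Path="$LogName">
  <Select Path="$LogName">
    *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    and *[EventData[Data[@Name='LogonType']='10' or Data[@Name='LogonType']='3']]
  </Select>
</Query></QueryList>
"@
    Get-WinEvent -FilterXml $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        # EventData is a list of <Data Name="...">value</Data>; flatten it by name.
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Host      = $evt.MachineName                    # server that was logged on to
            Result    = $(if ($evt.Id -eq 4624) { 'Success' } else { 'Failure' })
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType
            SourceIP  = $data.IpAddress                     # where the session came from
        }
    }
}

# Step 4 in its simplest form: a recurring report over the last day.
Get-RemoteLogonReport | Sort-Object Time | Format-Table -AutoSize
```

The report is what gets compared against the out-of-band log: each row names the server, the account, whether the attempt succeeded and the address it came from, which is exactly what a spreadsheet entry should let you explain. Schedule the function as a daily task, or point the ForwardedEvents log at ELK for the dashboards the article recommends.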

Screenshot of a Microsoft Windows Security Auditing Event for a successful logon. Comparing against a secondary log can help identify the origin of the logon and whether it is an authorized user or a potentially malicious visitor.

 

Regular auditing of logs


When possible, use software that allows for real-time auditing and alerts. A dashboard on the screen showing who has logged on within the past hour, day or week is great when you use a shared resource for the out-of-band log, because the two can be compared at a glance. If that is not feasible for your company, set a schedule for recurring audits and stick to it! Any regularly recurring audit is better than no audit at all.
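The comparison called for above, both where the out-of-band log is introduced and in the summary of the four steps, as an added example that is not part of the original post: it takes the out-of-band sheet (as a CSV export) and the machine-recorded remote logons and reports logons that nobody wrote down, as well as sheet entries that no logon backs up. Both data sets here are constructed sample data; the account names, hosts, ticket numbers and IP addresses are invented for the illustration, and the 60-minute matching window is an assumption to tune to how promptly your staff fill in the log.

```powershell
# Added example, not from the original post. Both inputs are constructed sample
# data so the script runs offline; in practice $oob comes from Import-Csv on the
# shared sheet and $logons from the collector's ForwardedEvents log, filtered to
# 4624/4625 with remote logon types.

# The out-of-band log that staff fill in (constructed).
$oob = @'
Timestamp,User,Host,Ticket,Reason
2018-04-16 09:05,CORP\jsmith,FS01,JIRA-2231,Patch file server
2018-04-16 14:40,CORP\akhan,SQL01,JIRA-2240,Restart backup job
2018-04-16 22:10,CORP\jsmith,DC01,JIRA-2247,Replication check
'@ | ConvertFrom-Csv

# Remote logons as the Security log recorded them (constructed; LogonType 10 = RDP).
$logons = @(
    [pscustomobject]@{ Time = Get-Date '2018-04-16 09:12'; Host = 'FS01';  Account = 'CORP\jsmith';     LogonType = '10'; SourceIP = '10.1.5.20' }
    [pscustomobject]@{ Time = Get-Date '2018-04-16 14:45'; Host = 'SQL01'; Account = 'CORP\akhan';      LogonType = '10'; SourceIP = '10.1.5.31' }
    [pscustomobject]@{ Time = Get-Date '2018-04-17 02:33'; Host = 'FS01';  Account = 'CORP\jsmith';     LogonType = '10'; SourceIP = '203.0.113.7' }
    [pscustomobject]@{ Time = Get-Date '2018-04-17 03:01'; Host = 'SQL01'; Account = 'CORP\svc_backup'; LogonType = '10'; SourceIP = '203.0.113.7' }
)

function Compare-RemoteAccess {
    param($Logons, $OutOfBand, [int]$WindowMinutes = 60)   # window size is an assumption

    # Normalise the sheet rows; Matched records which claims a real logon backs up.
    $claims = @(foreach ($row in $OutOfBand) {
        [pscustomobject]@{ Time = Get-Date $row.Timestamp; User = $row.User
                           Host = $row.Host; Ticket = $row.Ticket; Matched = $false }
    })

    # A claim explains a logon when user and host agree and the sheet entry falls
    # within the window either side of the logon time. Each claim is used once.
    $unexplained = @(foreach ($l in $Logons) {
        $claim = $claims | Where-Object {
            -not $_.Matched -and $_.User -eq $l.Account -and $_.Host -eq $l.Host -and
            [math]::Abs(($l.Time - $_.Time).TotalMinutes) -le $WindowMinutes
        } | Select-Object -First 1
        if ($claim) { $claim.Matched = $true; continue }
        [pscustomobject]@{ Finding = 'Logon with no out-of-band record'; Time = $l.Time
                           Account = $l.Account; Host = $l.Host
                           Detail  = "from $($l.SourceIP), logon type $($l.LogonType)" }
    })

    # Claims nothing backs up: a typo on the sheet, the wrong host, or a gap in auditing.
    $unbacked = @(foreach ($c in $claims | Where-Object { -not $_.Matched }) {
        [pscustomobject]@{ Finding = 'Out-of-band record with no matching logon'; Time = $c.Time
                           Account = $c.User; Host = $c.Host; Detail = "ticket $($c.Ticket)" }
    })

    $unexplained + $unbacked
}

Compare-RemoteAccess -Logons $logons -OutOfBand $oob | Sort-Object Time | Format-Table -AutoSize
```

With the sample data, the two morning and afternoon sessions match their tickets and drop out. Three findings remain: the 22:10 entry for DC01 that no logon supports (check whether the engineer used a different host or whether auditing on DC01 is off), and two early-morning RDP logons to FS01 and SQL01 from the same outside address that nobody recorded, one of them with a service account that should never log on interactively. Those last two are the kind of deviation the article says to treat as a potential attack until proven otherwise.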

How can Analecta equip you for success? 


Remote access is convenient and can save your organization money by allowing a flexible use of resources. Therefore, the goal isn’t to eliminate remote access as much as it is to have proper accounting for its use. If you need expert advice on how to implement remote access monitoring on your company’s system or wish to consider a more complete cybersecurity program for your company, contact us.

Analecta Cyber brings decades of expertise implementing secure information systems based on the NIST Cybersecurity Framework guidelines. Using industry standards and a holistic approach, our 96-point Analecta Cyber Risk Assessment can show you how to minimize or even eliminate the risk of data breaches that can cause customer loss, reputational damage and severe bottom-line impact. Our assessment identifies the most important next steps in your firm's cyber security program to maximize protection. Email us at info@analecta-llc.com. We are here to help!

Further Resources