Chapter Overview - PowerPoint PPT Presentation

Slides: 77
Provided by: novellaqa
Transcript and Presenter's Notes

1
Chapter Overview
  • Monitoring Server Performance
  • Monitoring Shared Resources
  • Microsoft Windows 2000 Auditing

2
Monitoring Server Performance
  • Periodically check the performance of your server
    so you can spot problems before they become
    critical.
  • Microsoft Windows 2000 includes several tools to
    help you monitor your server's performance:
      • Event Viewer
      • Task Manager
      • The Performance console

3
Using Event Viewer
  • Windows 2000 automatically tracks various system
    events and stores information about them in logs.
  • Event Viewer is a Microsoft Management Console
    (MMC) snap-in.
  • You can view three default logs in Event Viewer:
      • System log
      • Security log
      • Application log

4
Using Event Viewer (Cont.)
  • When optional services are installed on a
    computer running Windows 2000, additional logs
    may be generated.
  • For example, when a Windows 2000 Server is
    promoted to a domain controller, these additional
    logs are added:
      • Directory service log
      • File replication service log
      • DNS server log

5
Viewing Event Logs
  • To access Event Viewer, click Start, point to
    Programs, point to Administrative Tools, and then
    click Event Viewer.
  • You can also access Event Viewer in Computer
    Management or add it to a customized MMC console.

6
The Windows 2000 Event Viewer Console
7
Windows 2000 Event Types
Event Type    | Description
Error         | A significant problem, such as loss of data or loss of functionality
Warning       | An event that might not be significant, but might indicate a future problem
Information   | An event that describes the successful operation of an application, driver, or service
Success audit | An audited security access attempt that succeeds
Failure audit | An audited security access attempt that fails
8
Logged Event Information
  • Every logged event is summarized in the details
    pane with the date and time that the event
    occurred.
  • To view more information about an event,
    double-click the event.

9
An Event Properties Dialog Box
10
Locating Events
  • By default, Event Viewer displays all events that
    are recorded in the selected log.
  • You can filter the events displayed in an Event
    Viewer log by using the Filter command to
    configure a filter.
  • You can also search a log for particular events
    by using the Find command and configuring search
    parameters.

11
The Event Viewer Filter Tab
12
The Event Viewer Find Dialog Box
13
Remote Access
  • You can use Event Viewer to view logs on other
    computers, too.
  • To view a log on another computer:
      1. In the scope pane, right-click the Event Viewer
         (Local) icon, and click Connect To Another
         Computer.
      2. In the Select Computer dialog box, specify
         the name of the remote computer.

14
Using Windows Task Manager
  • Windows Task Manager provides summary information
    about computer performance, as well as programs
    and processes.
  • In Task Manager, you can:
      • View the status of programs
      • End programs that have stopped responding
      • View a dynamic display of key performance
        indicators

15
Using Windows Task Manager (Cont.)
  • Two common ways to start Windows Task Manager:
      • Right-click an empty space on the Windows 2000
        taskbar, and then click Task Manager.
      • Press Ctrl+Alt+Delete, and then click Task
        Manager.

16
The Applications Tab in Task Manager
  • Shows the status of programs running on your
    computer
  • Tasks you can perform in this tab:
      • Start a new program by clicking New Task.
      • End a program by selecting a task in the list and
        clicking End Task.
      • Switch to another program by selecting a task in
        the list and clicking Switch To.

17
The Applications Tab in Task Manager (Cont.)
18
The Processes Tab in Task Manager
  • Displays information about processes running on
    the computer, such as current CPU and memory
    usage
  • Some of the tasks you can perform in this tab:
      • View counters for processes.
      • End a process.
      • Change the priority of a program.

19
The Processes Tab in Task Manager (Cont.)
20
The Performance Tab in Task Manager
  • Shows a dynamic overview of the computer's
    performance, including:
      • CPU and memory usage
      • Totals for the number of handles, threads, and
        processes running on the computer
      • Totals, in KB, for physical, kernel, and commit
        memory

21
The Performance Tab in Task Manager (Cont.)
22
Using the Performance Console
  • The Windows 2000 Performance console is a
    preconfigured MMC console that includes two
    preinstalled snap-ins:
      • System Monitor collects and displays real-time
        data about memory, disk, processor, and network
        activity
      • Performance Logs And Alerts lets you collect
        performance data from local or remote computers,
        configure logs to record data, and set system
        alerts

23
The Windows 2000 Performance Console
24
Using the System Monitor Snap-In
  • Use System Monitor to:
      • Measure the performance of your own computer or
        other computers on a network
      • Collect and view data about hardware resource use
        and the activity of system services on the
        computers you administer

25
Using the System Monitor Snap-In (Cont.)
  • You can define the data you want to collect and
    graph:
      • Type of data: one or more objects, counters, and
        instances
      • Source of data: your local computer or other
        computers on the network
      • Sampling parameters: manual, on-demand sampling
        or automatic sampling based on the time interval
        you specify

26
The System Monitor Snap-In
27
The Add Counters Dialog Box in System Monitor
28
Information in the Performance Console Legend
  • Terms used in the legend are:
      • Object
      • Counter
      • Instance
  • You can sort the entries in the legend.

29
Monitoring System and Network Performance
  • Network activity can influence the performance
    not only of individual components, but also of
    the entire system.
  • In addition to monitoring network activity, you
    should also monitor other resources, including
    disk, memory, and processor activity.

30
Monitoring System and Network Performance (Cont.)
  • By monitoring performance over time, you can
    establish a performance baseline for your
    network.
  • When performance data is incompatible with your
    baseline values, investigate the cause and take
    appropriate action.
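
An added example, not part of the original slides: one way to compare a current counter log against a baseline log, splitting each counter path into the object, instance, and counter terms used in the legend. The CSV layout, the server name SRV1, the sample values, and the function names are assumptions made for the illustration.

```python
import csv
import io
import re
import statistics

# Constructed counter logs in the CSV layout assumed here: the first column
# is the sample time, every other column header is a counter path.
BASELINE_LOG = r'''"Time","\\SRV1\Processor(_Total)\% Processor Time","\\SRV1\Memory\Pages/sec"
"03/12/2001 09:00:00","20","4"
"03/12/2001 09:15:00","22","6"
"03/12/2001 09:30:00","18","5"
"03/12/2001 09:45:00","20","5"
'''
CURRENT_LOG = r'''"Time","\\SRV1\Processor(_Total)\% Processor Time","\\SRV1\Memory\Pages/sec"
"03/19/2001 09:00:00","21","40"
"03/19/2001 09:15:00","19"," "
"03/19/2001 09:30:00","20","45"
"03/19/2001 09:45:00","","50"
'''

PATH_RE = re.compile(r"^\\\\([^\\]+)\\([^\\(]+)(?:\(([^)]*)\))?\\(.+)$")


def split_path(path):
    """Split a counter path into (computer, object, instance, counter)."""
    m = PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a counter path: {path!r}")
    return m.groups()


def load_samples(text):
    """Map each counter path to its list of numeric samples."""
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[1:]
    samples = {path: [] for path in header[1:]}
    for row in data:
        for path, value in zip(header[1:], row[1:]):
            try:
                samples[path].append(float(value))
            except ValueError:
                pass  # blank cell: the counter had no data for this sample
    return samples


def deviations(baseline_text, current_text, k=3.0):
    """Counters whose current mean is more than k baseline stdevs away."""
    base, cur = load_samples(baseline_text), load_samples(current_text)
    flagged = []
    for path, values in base.items():
        if len(values) < 2 or not cur.get(path):
            continue  # not enough data to compare
        b_mean, b_sd = statistics.mean(values), statistics.stdev(values)
        c_mean = statistics.mean(cur[path])
        if abs(c_mean - b_mean) > k * b_sd:
            _, obj, inst, counter = split_path(path)
            flagged.append({"object": obj, "instance": inst, "counter": counter,
                            "baseline": b_mean, "current": c_mean})
    return flagged


if __name__ == "__main__":
    print(deviations(BASELINE_LOG, CURRENT_LOG))
```

The multiplier k is a tuning choice: a wider band gives fewer false alarms on noisy counters, a narrower one catches smaller shifts.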

31
Removing Unneeded Services
  • If data indicates that unneeded services are
    using large amounts of memory or processor time,
    you can use the Services MMC snap-in to change
    the Startup Type value of the service to Disabled
    or Manual.
  • In some cases, you can remove the service
    completely by using Add/Remove Programs in
    Control Panel.

32
Using the Performance Logs And Alerts Snap-In
  • Use this tool to collect performance data
    automatically from local or remote computers.
  • You can:
      • View the logged data by using System Monitor or
        import the data to spreadsheet programs or
        databases for analysis and report generation
      • View counter data during and after collection
      • Configure automatic logging
      • Set an alert on a counter and stipulate the
        action to be taken when the counter's value
        exceeds or falls below a defined setting

33
Using the Performance Logs And Alerts Snap-In (Cont.)
  • You can configure additional options:
      • Starting and stopping logging
      • Creating trace logs
      • Defining a program that runs when a log is
        stopped
      • Configuring additional settings for automatic
        logging
  • You can define settings for counter logs, trace
    logs, and alerts.

34
A Log in the Performance Logs And Alerts Snap-In
35
Information in the Details Pane of the Performance Logs And Alerts Snap-In
  • The columns in the details pane provide the
    following information:
      • Name: the name of the log or alert
      • Comment: descriptive information about the log or
        alert
      • Log File Type: the log-file format you define
      • Log File Name: the path and base filename you
        defined

36
Configuring More Than One Type of Log
  • You can configure more than one type of log to
    run at a time.
  • One log can generate many log files if started
    and stopped multiple times.
  • The individual log files do not appear in the
    console window.
  • Use Windows Explorer to view a listing of these
    files.

37
Lesson Summary
  • Use Event Viewer to view and search through log
    files.
  • Use Task Manager to get summary information about
    computer performance and programs and processes.
  • Use System Monitor to measure the performance of
    your own computer or other computers on the
    network.
  • Use Performance Logs And Alerts to collect
    performance data automatically from local or
    remote computers.

38
Monitoring Shared Resources
  • You can use the Shared Folders snap-in to monitor
    access to network resources.
  • With the Shared Folders snap-in, you can:
      • Monitor shared folders, user sessions, and open
        files
      • Disconnect users
      • Send administrative messages to users

39
Why Monitor Network Resources?
  • Maintenance
      • Sometimes, to perform maintenance tasks, you need
        to take resources offline.
      • Before you do this, you need to know which users
        are using resources and notify them.
  • Security
      • You might want to monitor access to sensitive
        resources to verify that only authorized users
        are accessing them.
  • Planning
      • You need to determine current resource usage in
        order to plan for future system growth.

40
The Shared Folders Snap-In
  • The Shared Folders snap-in is included in the
    Computer Management console.
  • To access Shared Folders, click Start, point to
    Programs, point to Administrative Tools, and then
    click Computer Management.
  • You can add the Shared Folders snap-in to a
    custom MMC console.

41
The Shared Folders Snap-In (Cont.)
42
Monitoring Shared Folders
  • Use the Shares folder in the Shared Folders
    snap-in to:
      • View a list of shared folders on a computer
        running Windows 2000
      • Determine how many users are connected to each
        shared folder
      • Share a folder

43
The Shares Folder in the Shared Folders Snap-In
44
Information in the Details Pane of the Shared Folders Snap-In
  • The columns in the details pane display the
    following information about each share on the
    computer:
      • Shared Folder
      • Shared Path
      • Type
      • Client Redirections
      • Comment

45
Determining How Many Users Can Access a Shared Folder Concurrently
  • You can use the Shared Folders snap-in to view
    and modify the maximum number of users that can
    access a folder.
  • In the Shared Folders details pane, right-click
    the shared folder, and then click Properties.
  • You can modify the user limit in the General tab
    in the Properties dialog box.
  • You can manage the permissions for the share in
    the General tab.

46
Sharing a Folder
  • You can use the Shared Folders snap-in to share
    an existing folder or to create a new folder and
    share it.
  • You can also use this tool to modify shared
    folder and NT file system (NTFS) permissions when
    you share a folder.
  • Using the Shared Folders snap-in is the only way
    to create a new shared folder on a remote
    computer running Windows 2000.

47
Monitoring User Sessions
  • Use the Sessions folder in the Shared Folders
    snap-in to:
      • Monitor which users are currently accessing
        shared folders on a server from a remote computer
      • Disconnect users
      • Send administrative messages to computers and
        users

48
The Sessions Folder in the Shared Folders Snap-In
49
Information in the Details Pane of the Sessions Folder
  • The columns in the details pane provide the
    following information about each computer
    connection:
      • User
      • Computer
      • Type
      • Open Files
      • Connected Time and Idle Time
      • Guest

50
Disconnecting Users
  • You can disconnect one or all users with a
    network connection to the computer.
  • You may need to disconnect users to:
      • Have changes to shared folder and NTFS
        permissions take effect immediately
      • Free idle connections on a busy computer so that
        other users can connect
      • Shut down a server

51
Disconnecting a Specific User
  • To disconnect a specific user, in the Shared
    Folders snap-in, click the Sessions folder,
    right-click the user you want to disconnect, and
    then click Close Session.
  • Use caution when disconnecting a user; it can
    result in data loss.

52
Sending Administrative Messages to Users
  • Use the Shared Folders snap-in to send
    administrative messages to one or more users on
    the network.
  • Send an administrative message to notify users
    when you intend to do anything that could cause
    data loss, such as:
      • Backing up or restoring data
      • Disconnecting users
      • Upgrading software or hardware
      • Shutting down the computer

53
Sending Administrative Messages to Users (Cont.)
  • To send an administrative message, right-click
    the Shared Folders icon in the scope pane, point
    to All Tasks, and then click Send Console
    Message.
  • By default, all currently connected computers
    appear in the list of recipients.

54
Monitoring Open Files
  • Use the Open Files folder in the Shared Folders
    snap-in to:
      • View a list of files in the computer's shared
        folders that are currently open
      • Determine which users are connected to each open
        file
  • You can use this information:
      • When you need to contact users to notify them
        that you are shutting down the system
      • To determine which user is using a file that is
        locked open

55
The Open Files Folder in the Shared Folders Snap-In
56
Information in the Details Pane of the Open Files Folder
  • The columns in the details pane of the Open Files
    folder provide the following information about
    each file currently in use:
      • Open File
      • Accessed By
      • Type
      • Locks
      • Open Mode

57
Using the Open Files Folder to Disconnect Users
  • Use the Open Files folder to disconnect users
    from open files.
  • To disconnect all users from all open files,
    right-click the Open Files folder, and then
    select Disconnect All Open Files.
  • To disconnect all users from one open file,
    right-click the file, and then click Close Open
    File.
  • Use caution when disconnecting users; data loss
    can occur.

58
Lesson Summary
  • The Shared Folders snap-in enables you to monitor
    the shared folders on a computer running Windows
    2000.
  • Use the Shares folder to monitor the number of
    connections to each share and to create new
    shares on a remote computer.
  • Use the Sessions folder to monitor connections to
    the computer, disconnect users, and send
    administrative messages.
  • Use the Open Files folder to view a list of open
    files and to disconnect users from a specific
    file or from all shared files.

59
Microsoft Windows 2000 Auditing
  • Windows 2000 auditing is a security tool that
    enables you to track user activities and
    system-wide events.

60
Overview of Windows 2000 Auditing
  • Auditing is the process of tracking user and
    system events.
  • You can specify that Windows 2000 write a record
    of an event, called an audit entry, to the
    security log.
  • An audit entry contains the action performed, the
    user who performed the action, the success or
    failure of the event, and when the event
    occurred.

61
Using an Audit Policy
  • An audit policy defines the types of security
    events that Windows 2000 records in the security
    log.
  • Windows 2000 writes events to the security log on
    the computer where the event occurs.
  • You can set up an audit policy to:
      • Track the success and failure of events
      • Eliminate or minimize the risk of unauthorized
        use of resources
  • Use Event Viewer to view events recorded in the
    security log.

62
Planning an Audit Policy
  • Determine the computers to set up auditing on and
    what to audit on each computer.
  • Auditing is turned off by default.
  • Windows 2000 records audited events on each
    computer separately.

63
Planning an Audit Policy (Cont.)
  • Types of events you can audit include:
      • Access to files and folders
      • Users logging on and off
      • Shutting down and restarting a computer running
        Windows 2000
      • Changes to user accounts and groups
      • Attempts to make changes to Active Directory
        objects

64
Planning an Audit Policy (Cont.)
  • Determine whether to audit the success and/or
    failure of events.
      • Success can tell you how often users gain access
        to resources, which is helpful for resource
        planning.
      • Failure can alert you to possible attempted
        security breaches.

65
Planning an Audit Policy (Cont.)
  • General guidelines for determining an audit
    policy:
      • Determine if you need to track trends of system
        usage.
      • Review security logs frequently.
      • Define an audit policy that is useful and
        manageable.
      • Audit resource access by the Everyone group
        instead of the Users group.
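
An added example, not part of the original slides: because each computer keeps its own security log, a routine review has to merge the per-computer logs before counting Failure audit entries, or a user who fails a little on every server stays under each server's threshold. The column order of the exported log, the US date format, the sample entries, the threshold, and the function names are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed column order of an Event Viewer CSV export (no header row).
FIELDS = ["date", "time", "source", "type", "category",
          "event_id", "user", "computer", "description"]

# Constructed sample exports, one per computer, because each computer
# keeps its own security log.
SRV1_LOG = r'''3/14/2001,9:15:02 AM,Security,Failure Audit,Object Access,560,CORP\jsmith,SRV1,Object Open: D:\Payroll\q1.xls
3/14/2001,9:15:40 AM,Security,Success Audit,Object Access,560,CORP\alee,SRV1,Object Open: D:\Payroll\q1.xls
3/14/2001,9:17:11 AM,Security,Failure Audit,Object Access,560,CORP\jsmith,SRV1,Object Open: D:\Payroll\q2.xls
'''
SRV2_LOG = r'''3/14/2001,9:16:05 AM,Security,Failure Audit,Object Access,560,CORP\jsmith,SRV2,Object Open: E:\HR\reviews.doc
3/14/2001,9:20:30 AM,Security,Failure Audit,Object Access,560,CORP\alee,SRV2,Object Open: E:\HR\reviews.doc
3/14/2001,9:21:00 AM,Security,Failure Audit,Object Access,560,CORP\jsmith,SRV2,Object Open: E:\HR\salary.doc
'''


def parse_export(text):
    """Turn one exported log into dicts with a parsed timestamp."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue  # skip blank or truncated lines
        event = dict(zip(FIELDS, row))
        event["when"] = datetime.strptime(
            f"{event['date']} {event['time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(event)
    return events


def merge_logs(*exports):
    """Combine per-computer exports into one timeline."""
    merged = [e for text in exports for e in parse_export(text)]
    return sorted(merged, key=lambda e: e["when"])


def failure_report(events, threshold=3):
    """Users whose Failure Audit count across all computers meets threshold."""
    per_user = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["type"].lower() == "failure audit":
            per_user[e["user"]][e["computer"]] += 1
    report = {}
    for user, by_computer in per_user.items():
        total = sum(by_computer.values())
        if total >= threshold:
            report[user] = {"total": total, "by_computer": dict(by_computer)}
    return report


if __name__ == "__main__":
    timeline = merge_logs(SRV1_LOG, SRV2_LOG)
    for user, info in failure_report(timeline).items():
        print(user, info)
```

In the sample, neither server's log alone reaches the threshold for any user; only the merged timeline does.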

66
Configuring Auditing
Type of Computer | How Audit Policy Is Set
Stand-alone servers or stand-alone computers running Microsoft Windows 2000 Professional | Set for each individual computer
Member servers or computers running Windows 2000 Professional that have joined an Active Directory domain | Can be set for each individual computer or for a group of computers, such as an OU
Domain controllers | Set for all domain controllers in the domain
67
Auditing Requirements
  • You must have the Manage Auditing and Security
    Log user right for the computer where you want to
    configure audit policy or review the audit log.
  • By default, members of the Administrators group
    have this right.
  • Only files and folders on NTFS volumes can be
    audited.

68
Setting Up Auditing
  • Configuring auditing is a two-part process:
      1. Set the audit policy. This enables auditing
         of objects but does not activate the auditing
         of specific objects.
      2. Configure auditing of specific resources.
         You identify the specific events to audit for
         files, folders, printers, and Active Directory
         objects.
  • Auditing takes place only after both of these
    steps have been completed.

69
Setting an Audit Policy
  • Select the types of events to be audited.
  • Specify whether to track successful attempts,
    failed attempts, or both.
  • Use the Group Policy snap-in to set audit
    policies.

70
Setting an Audit Policy (Cont.)
  • Types of events that Windows 2000 can audit:
      • Account logon events
      • Account management
      • Directory service access
      • Logon events
      • Object access
      • Policy change
      • Privilege use
      • Process tracking
      • System

71
Setting an Audit Policy (Cont.)
  • Changes made to audit policy on a computer take
    effect when one of the following events occurs:
      • You initiate policy propagation.
      • You restart the computer.
      • Policy propagation occurs.

72
Auditing Access to Files and Folders
  • The first step is enabling the Audit Object
    Access policy.
  • To do this on a computer that is not a domain
    controller, create a custom MMC console and add
    the Group Policy snap-in.
  • In the console tree, select Audit Policy from the
    Computer Configuration node, and then
    double-click the Audit Object Access policy to
    configure success and/or failure.

73
Auditing Access to Files and Folders (Cont.)
74
Auditing Access to Files and Folders (Cont.)
  • The second step in auditing access to files and
    folders is to access the Properties dialog box
    for each individual file or folder you want to
    audit, click the Security tab, and then click
    Advanced.
  • Then click the Auditing tab and configure
    auditing for the selected file or folder.

75
Auditing Access to Active Directory Objects
  • First, enable the Audit Directory Service Access
    policy in the Group Policy snap-in.
  • Second, use the Active Directory Users And
    Computers snap-in to configure auditing in the
    Properties dialog box for each Active Directory
    object you want to audit.

76
Lesson Summary
  • Auditing is the process of tracking user and
    system events.
  • An audit policy defines the types of security
    events that Windows 2000 records in the security
    log on each computer.
  • Windows 2000 records audited events on each
    computer separately.
  • To configure auditing of files, folders, or
    printers, first enable the Audit Object Access
    policy, then configure auditing of specific
    files, folders, and printers.