Extending/editing the security rule table

LANguard categorization rules

There are six categorization rule tables which are listed under the Event categorization rules node, i.e.

  • NT4 Workstations
  • NT4 Servers
  • NT4 Domain Controllers
  • Win2K Professional
  • Win2K Server
  • Win2K Domain Controller

Marking each computer as a high, medium or low security computer is important in itself. However, different types of computers in a network play different roles, and the operating system a computer runs generally reflects both its importance and the way in which its events are to be interpreted.

Hence GFI LANguard S.E.L.M. applies different categorization rules to events happening on a domain controller and the same events happening on a workstation.

If a computer which is being monitored is running Windows NT 4.0 Server, then the categorization table named "NT4 Server" will be used to classify the events read from this computer. If the computer is not only a server but also a backup/primary domain controller, then the "NT4 Domain Controller" categorization table will be used instead.

The inbuilt GFI LANguard S.E.L.M. rule tables can be used as is. However, in some cases you might want to add additional events to monitor, or you might like to change the category of certain events, i.e. decrease or increase the importance attached to a certain security event.

This can be done from the Event Categorization Rules node in the GFI LANguard S.E.L.M. configuration.

Adding new events to monitor

To add new events to monitor:

1. In the GFI LANguard S.E.L.M. configuration, right click on the Event Categorization Rules node, select the OS rule base you wish to add the event to and select New. The new event rule dialog will appear.

Adding a new event rule

2. In this dialog you can specify the event ID number to monitor. Next you must specify the operational time, for example 'During Normal Operational Time', the PC security level, and the resulting classification. In the Advanced tab, you can specify a custom description for the rule. Click OK to add the rule.

3. Now repeat this process to cover all situations that you wish to monitor. For example, if you want to create alerts for this event during operational hours as well as outside of operational time, you must add the same event ID, but now select the 'outside operational time' setting instead.

In addition, keep in mind that a rule belongs to one rule table only: if you need the new event rule to apply to both an NT workstation and an NT server, you must add it to both rule tables.

4. If you wish to monitor the event on machines with, for example, a medium or low security level as well, then you must repeat the above process for this event, this time specifying the medium and/or low security level. For example, if you want to monitor an event on any machine in your network at any time, you have to add 6 new rules: one for each of the three security levels in each of the two 'time zones'.
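The following is an added illustration, not code from GFI LANguard S.E.L.M.: a small model of how the rule table is chosen from the OS and role, and why one event ID needs six rules (three security levels times two 'time zones') before it is classified on every machine at any time. The operational hours, the event ID 4321, the timestamp and the classifications are assumed sample values.

```python
"""Hypothetical model of rule-table selection and event classification, added as
an illustration (not GFI LANguard S.E.L.M. code). Table names, 'time zones' and
security levels follow the text above; everything else is assumed."""
from datetime import datetime, time

# Table selected from the OS and the role the computer plays (see list above).
TABLES = {
    ("NT4", "workstation"): "NT4 Workstations",
    ("NT4", "server"): "NT4 Servers",
    ("NT4", "dc"): "NT4 Domain Controllers",
    ("Win2K", "workstation"): "Win2K Professional",
    ("Win2K", "server"): "Win2K Server",
    ("Win2K", "dc"): "Win2K Domain Controller",
}
# Assumed normal operational hours for this example.
OPERATIONAL_START, OPERATIONAL_END = time(8, 0), time(18, 0)
SECURITY_LEVELS = ("high", "medium", "low")
TIME_ZONES = ("during", "outside")  # during / outside normal operational time

def operational_window(event_time):
    """Map an event timestamp to one of the two 'time zones'."""
    inside = OPERATIONAL_START <= event_time.time() < OPERATIONAL_END
    return "during" if inside else "outside"

def rules_for_all_cases(event_id, classification):
    """Expand one event ID into the 6 rules needed to cover every security
    level in both time zones; a rule is (event_id, time_zone, level, class)."""
    return [(event_id, tz, lvl, classification)
            for lvl in SECURITY_LEVELS for tz in TIME_ZONES]

def categorize(rule_tables, os_name, role, security_level, event_id, event_time):
    """Classify one event, or return None when no rule in the table matches it."""
    table = rule_tables.get(TABLES[(os_name, role)], [])
    key = (event_id, operational_window(event_time), security_level)
    for rid, tz, lvl, classification in table:
        if (rid, tz, lvl) == key:
            return classification
    return None

# Constructed sample tables; 4321 is a made-up event ID for this example only.
SAMPLE_TABLES = {
    # Servers: rule added only for high-security machines outside op. time.
    "NT4 Servers": [(4321, "outside", "high", "critical")],
    # Domain controllers: all six combinations covered.
    "NT4 Domain Controllers": rules_for_all_cases(4321, "critical"),
}
AT_NIGHT = datetime(2003, 5, 1, 23, 30)  # constructed sample timestamp
# categorize(SAMPLE_TABLES, "NT4", "server", "medium", 4321, AT_NIGHT) -> None
# categorize(SAMPLE_TABLES, "NT4", "dc", "medium", 4321, AT_NIGHT) -> "critical"
```

The same event at the same time is classified on the domain controller but ignored on the medium-security server, because only the domain controller table carries the rule for that security level.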

Adding a description to an event

The new / modified rules settings will be applied instantly without the need to stop and restart any GFI LANguard S.E.L.M. service.
