1 Chapter Overview Monitoring Server Performance Monitoring Shared Resources Microsoft Windows 2000 Auditing


Chapter Overview

- Monitoring Server Performance
- Monitoring Shared Resources
- Microsoft Windows 2000 Auditing


Monitoring Server Performance

Periodically check the performance of your server so you can spot problems before they become critical.

Microsoft Windows 2000 includes several tools to help you monitor your server’s performance:
- Event Viewer
- Task Manager
- The Performance console


Using Event Viewer

Windows 2000 automatically tracks various system events and stores information about them in logs.

Event Viewer is a Microsoft Management Console (MMC) snap-in.

You can view three default logs in Event Viewer:
- System log
- Security log
- Application log


Using Event Viewer (Cont.)

When optional services are installed on a computer running Windows 2000, additional logs may be generated.

For example, when a Windows 2000 Server is promoted to a domain controller, these additional logs are added:
- Directory service log
- File replication service log
- DNS server log


Viewing Event Logs

To access Event Viewer, click Start, point to Programs, point to Administrative Tools, and then click Event Viewer.

You can also access Event Viewer in Computer Management or add it to a customized MMC console.


The Windows 2000 Event Viewer Console


Windows 2000 Event Types

| Event Type | Description |
| --- | --- |
| Error | A significant problem, such as loss of data or loss of functionality |
| Warning | An event that might not be significant, but might indicate a future problem |
| Information | An event that describes the successful operation of an application, driver, or service |
| Success audit | An audited security access attempt that succeeds |
| Failure audit | An audited security access attempt that fails |


Logged Event Information

Every logged event is summarized in the details pane with the date and time that the event occurred.

To view more information about an event, double-click the event.


An Event Properties Dialog Box


Locating Events

By default, Event Viewer displays all events that are recorded in the selected log.

You can filter the events displayed in an Event Viewer log by using the Filter command to configure a filter.

You can also search a log for particular events by using the Find command and configuring search parameters.


The Event Viewer Filter Tab


The Event Viewer Find Dialog Box


Remote Access

You can use Event Viewer to view logs on other computers, too.

To view a log on another computer:
1. In the scope pane, right-click the Event Viewer (Local) icon, and click Connect To Another Computer.
2. In the Select Computer dialog box, specify the name of the remote computer.


Using Windows Task Manager

Windows Task Manager provides summary information about computer performance, as well as programs and processes.

In Task Manager, you can
- View the status of programs
- End programs that have stopped responding
- View a dynamic display of key performance indicators


Using Windows Task Manager (Cont.)

Two common ways to start Windows Task Manager:
- Right-click an empty space on the Windows 2000 taskbar, and then click Task Manager.
- Press Ctrl+Alt+Delete, and then click Task Manager.


The Applications Tab in Task Manager

Shows the status of programs running on your computer

Tasks you can perform in this tab:
- Start a new program by clicking New Task.
- End a program by selecting a task in the list and clicking End Task.
- Switch to another program by selecting a task in the list and clicking Switch To.


The Applications Tab in Task Manager (Cont.)


The Processes Tab in Task Manager

Displays information about processes running on the computer, such as current CPU and memory usage

Some of the tasks you can perform in this tab:
- View counters for processes.
- End a process.
- Change the priority of a program.


The Processes Tab in Task Manager (Cont.)


The Performance Tab in Task Manager

Shows a dynamic overview of the computer’s performance, including
- CPU and memory usage
- Totals for the number of handles, threads, and processes running on the computer
- Totals, in KB, for physical, kernel, and commit memory


The Performance Tab in Task Manager (Cont.)


Using the Performance Console

The Windows 2000 Performance console is a preconfigured MMC console that includes two preinstalled snap-ins:
- System Monitor: collects and displays real-time data about memory, disk, processor, and network activity
- Performance Logs And Alerts: lets you collect performance data from local or remote computers, configure logs to record data, and set system alerts


The Windows 2000 Performance Console


Using the System Monitor Snap-In

Use System Monitor to
- Measure the performance of your own computer or other computers on a network
- Collect and view data about hardware resource use and the activity of system services on the computers you administer


Using the System Monitor Snap-In (Cont.)

You can define the data you want to collect and graph.
- Type of data: one or more objects, counters, and instances
- Source of data: your local computer or other computers on the network
- Sampling parameters: manual, on-demand sampling or automatic sampling based on the time interval you specify


The System Monitor Snap-In


The Add Counters Dialog Box in System Monitor


Information in the Performance Console Legend

Terms used in the legend are
- Object
- Counter
- Instance

You can sort the entries in the legend.


Monitoring System and Network Performance

Network activity can influence the performance not only of individual components, but also of the entire system.

In addition to monitoring network activity, you should also monitor other resources, including disk, memory, and processor activity.


Monitoring System and Network Performance (Cont.)

By monitoring performance over time, you can establish a performance baseline for your network.

When performance data deviates from your baseline values, investigate the cause and take appropriate action.


Removing Unneeded Services

If data indicates that unneeded services are using large amounts of memory or processor time, you can use the Services MMC snap-in to change the Startup Type value of the service to Disabled or Manual.

In some cases, you can remove the service completely by using Add/Remove Programs in Control Panel.


Using the Performance Logs And Alerts Snap-In

Use this tool to collect performance data automatically from local or remote computers.

You can
- View the logged data by using System Monitor or import the data to spreadsheet programs or databases for analysis and report generation
- View counter data during and after collection
- Configure automatic logging
- Set an alert on a counter and stipulate the action to be taken when the counter's value exceeds or falls below a defined setting


Using the Performance Logs And Alerts Snap-In (Cont.)

You can configure additional options:
- Starting and stopping logging
- Creating trace logs
- Defining a program that runs when a log is stopped
- Configuring additional settings for automatic logging

You can define settings for counter logs, trace logs, and alerts.


A Log in the Performance Logs And Alerts Snap-In


Information in the Details Pane of the Performance Logs And Alerts Snap-In

The columns in the details pane provide the following information:
- Name: the name of the log or alert
- Comment: descriptive information about the log or alert
- Log File Type: the log-file format you define
- Log File Name: the path and base filename you defined


Configuring More Than One Type of Log

You can configure more than one type of log to run at a time.

One log can generate many log files if started and stopped multiple times.
- The individual log files do not appear in the console window.
- Use Windows Explorer to view a listing of these files.


Lesson Summary

- Use Event Viewer to view and search through log files.
- Use Task Manager to get summary information about computer performance and programs and processes.
- Use System Monitor to measure the performance of your own computer or other computers on the network.
- Use Performance Logs And Alerts to collect performance data automatically from local or remote computers.


Monitoring Shared Resources

You can use the Shared Folders snap-in to monitor access to network resources.

With the Shared Folders snap-in, you can
- Monitor shared folders, user sessions, and open files
- Disconnect users
- Send administrative messages to users


Why Monitor Network Resources?

Maintenance
- Sometimes, to perform maintenance tasks, you need to take resources offline.
- Before you do this, you need to know which users are using resources and notify them.

Security
- You might want to monitor access to sensitive resources to verify that only authorized users are accessing them.

Planning
- You need to determine current resource usage in order to plan for future system growth.


The Shared Folders Snap-In

The Shared Folders snap-in is included in the Computer Management console.

To access Shared Folders, click Start, point to Programs, point to Administrative Tools, and then click Computer Management.

You can add the Shared Folders snap-in to a custom MMC console.


The Shared Folders Snap-In (Cont.)


Monitoring Shared Folders

Use the Shares folder in the Shared Folders snap-in to
- View a list of shared folders on a computer running Windows 2000
- Determine how many users are connected to each shared folder
- Share a folder


The Shares Folder in the Shared Folders Snap-In


Information in the Details Pane of the Shared Folders Snap-In

The columns in the details pane display the following information about each share on the computer:
- Shared Folder
- Shared Path
- Type
- # Client Redirections
- Comment


Determining How Many Users Can Access a Shared Folder Concurrently

You can use the Shared Folders snap-in to view and modify the maximum number of users that can access a folder.

In the Shared Folders details pane, right-click the shared folder, and then click Properties.

You can modify the user limit in the General tab in the Properties dialog box.

You can manage the permissions for the share in the General tab.


Sharing a Folder

You can use the Shared Folders snap-in to share an existing folder or to create a new folder and share it.

You can also use this tool to modify shared folder and NT file system (NTFS) permissions when you share a folder.

Using the Shared Folders snap-in is the only way to create a new shared folder on a remote computer running Windows 2000.


Monitoring User Sessions

Use the Sessions folder in the Shared Folders snap-in to
- Monitor which users are currently accessing shared folders on a server from a remote computer
- Disconnect users
- Send administrative messages to computers and users


The Sessions Folder in the Shared Folders Snap-In


Information in the Details Pane of the Sessions Folder

The columns in the details pane provide the following information about each computer connection:
- User
- Computer
- Type
- Open Files
- Connected Time and Idle Time
- Guest


Disconnecting Users

You can disconnect one or all users with a network connection to the computer.

You may need to disconnect users to
- Have changes to shared folder and NTFS permissions take effect immediately
- Free idle connections on a busy computer so that other users can connect
- Shut down a server


Disconnecting a Specific User

To disconnect a specific user, in the Shared Folders snap-in, click the Sessions folder, right-click the user you want to disconnect, and then click Close Session.

Use caution when disconnecting a user; it can result in data loss.


Sending Administrative Messages to Users

Use the Shared Folders snap-in to send administrative messages to one or more users on the network.

Send an administrative message to notify users when you intend to do anything that could cause data loss, such as
- Backing up or restoring data
- Disconnecting users
- Upgrading software or hardware
- Shutting down the computer


Sending Administrative Messages to Users (Cont.)

To send an administrative message, right-click the Shared Folders icon in the scope pane, point to All Tasks, and then click Send Console Message.

By default, all currently connected computers appear in the list of recipients.


Monitoring Open Files

Use the Open Files folder in the Shared Folders snap-in to
- View a list of files in the computer’s shared folders that are currently open
- Determine which users are connected to each open file

You can use this information
- When you need to contact users to notify them that you are shutting down the system
- To determine which user is using a file that is locked open


The Open Files Folder in the Shared Folders Snap-In


Information in the Details Pane of the Open Files Folder

The columns in the details pane of the Open Files folder provide the following information about each file currently in use:
- Open File
- Accessed By
- Type
- # Locks
- Open Mode


Using the Open Files Folder to Disconnect Users

Use the Open Files folder to disconnect users from open files.
- To disconnect all users from all open files, right-click the Open Files folder, and then select Disconnect All Open Files.
- To disconnect all users from one open file, right-click the file, and then click Close Open File.

Use caution when disconnecting users; data loss can occur.


Lesson Summary

- The Shared Folders snap-in enables you to monitor the shared folders on a computer running Windows 2000.
- Use the Shares folder to monitor the number of connections to each share and to create new shares on a remote computer.
- Use the Sessions folder to monitor connections to the computer, disconnect users, and send administrative messages.
- Use the Open Files folder to view a list of open files and to disconnect users from a specific file or from all shared files.


Microsoft Windows 2000 Auditing

Windows 2000 auditing is a security tool that enables you to track user activities and system-wide events.


Overview of Windows 2000 Auditing

Auditing is the process of tracking user and system events.

You can specify that Windows 2000 write a record of an event, called an audit entry, to the security log.

An audit entry contains the action performed, the user who performed the action, the success or failure of the event, and when the event occurred.


Using an Audit Policy

An audit policy defines the types of security events that Windows 2000 records in the security log.

Windows 2000 writes events to the security log on the computer where the event occurs.

You can set up an audit policy to
- Track the success and failure of events
- Eliminate or minimize the risk of unauthorized use of resources

Use Event Viewer to view events recorded in the security log.


Planning an Audit Policy

Determine the computers to set up auditing on and what to audit on each computer.

- Auditing is turned off by default.
- Windows 2000 records audited events on each computer separately.


Planning an Audit Policy (Cont.)

Types of events you can audit include
- Access to files and folders
- Users logging on and off
- Shutting down and restarting a computer running Windows 2000
- Changes to user accounts and groups
- Attempts to make changes to Active Directory objects


Planning an Audit Policy (Cont.)

Determine whether to audit the success and/or failure of events.
- Success: can tell you how often users gain access to resources, which is helpful for resource planning
- Failure: can alert you to possible attempted security breaches
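
The following is an added example, not part of the original slides, of reviewing failure audits in practice: it parses audit entries carrying the four fields an audit entry is described as containing (action, user, success or failure, time) and flags accounts with a burst of failure audits, plus any success audit that follows such a burst. The tab-separated layout, the account names, the threshold, and the time window are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AUDIT_TYPES = ("Success audit", "Failure audit")

# Constructed sample entries (tab-separated: time, type, user, action).
# The layout and the account names are assumptions for this example.
SAMPLE_LOG = (
    "2001-03-05 08:01:10\tFailure audit\tCORP\\jsmith\tLogon\n"
    "2001-03-05 08:01:40\tFailure audit\tCORP\\JSmith\tLogon\n"
    "2001-03-05 08:02:05\tFailure audit\tcorp\\jsmith\tLogon\n"
    "2001-03-05 08:02:30\tSuccess audit\tCORP\\jsmith\tLogon\n"
    "2001-03-05 09:15:00\tFailure audit\tCORP\\mlee\tObject access\n"
    "2001-03-05 13:40:00\tFailure audit\tCORP\\mlee\tObject access\n"
    "2001-03-05 13:41:00\tSuccess audit\tCORP\\akhan\tObject access\n"
)


def parse_entries(text):
    """Parse audit entries into dicts, oldest first. Malformed lines raise
    ValueError instead of being skipped, so gaps in the record are noticed."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        when, kind, user, action = fields
        if kind not in AUDIT_TYPES:
            raise ValueError(f"line {lineno}: unknown audit type {kind!r}")
        entries.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "failed": kind == "Failure audit",
            "user": user.casefold(),  # Windows account names are case-insensitive
            "action": action,
        })
    return sorted(entries, key=lambda e: e["time"])


def failure_bursts(entries, threshold=3, window=timedelta(minutes=5)):
    """Map (user, action) to the largest number of failure audits seen inside
    any one window, keeping only the keys that reach the threshold."""
    times = defaultdict(list)
    for e in entries:
        if e["failed"]:
            times[(e["user"], e["action"])].append(e["time"])
    bursts = {}
    for key, stamps in times.items():
        best, start = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def success_after_burst(entries, bursts, window=timedelta(minutes=5)):
    """List (user, action, time) for success audits that follow a failure
    audit of a flagged (user, action) pair within the window."""
    last_failure, hits = {}, []
    for e in entries:
        key = (e["user"], e["action"])
        if e["failed"]:
            last_failure[key] = e["time"]
        elif key in bursts and key in last_failure \
                and e["time"] - last_failure[key] <= window:
            hits.append((e["user"], e["action"], e["time"]))
    return hits


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    flagged = failure_bursts(parsed)
    print("failure bursts:", flagged)
    print("success after burst:", success_after_burst(parsed, flagged))
```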


Planning an Audit Policy (Cont.)

General guidelines for determining an audit policy
- Determine if you need to track trends of system usage.
- Review security logs frequently.
- Define an audit policy that is useful and manageable.
- Audit resource access by the Everyone group instead of the Users group.


Configuring Auditing

| Type of Computer | How Audit Policy Is Set |
| --- | --- |
| Stand-alone servers or stand-alone computers running Microsoft Windows 2000 Professional | Set for each individual computer |
| Member servers or computers running Windows 2000 Professional that have joined an Active Directory domain | Can be set for each individual computer or for a group of computers, such as an OU |
| Domain controllers | Set for all domain controllers in the domain |


Auditing Requirements

- You must have the Manage Auditing and Security Log user right for the computer where you want to configure audit policy or review the audit log. By default, members of the Administrators group have this right.
- Only files and folders on NTFS volumes can be audited.


Setting Up Auditing

Configuring auditing is a two-part process:
1. Set the audit policy. This enables auditing of objects but does not activate the auditing of specific objects.
2. Configure auditing of specific resources. You identify the specific events to audit for files, folders, printers, and Active Directory objects.

Auditing takes place only after both of these steps have been completed.
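
A small model of the two-part rule above, as an added example rather than anything from the original slides: an access attempt is logged only when the audit policy enables that outcome (part 1) and the object has an auditing entry naming a group the user belongs to, the access type, and the outcome (part 2). It also shows why the earlier guideline prefers auditing the Everyone group over the Users group. The accounts, group memberships, and access attempts are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditingEntry:
    """One entry configured on an object's Auditing tab (part 2)."""
    group: str
    access: str        # access type being audited, e.g. "Read" or "Write"
    on_success: bool
    on_failure: bool


def make_policy(success=False, failure=False):
    """Part 1: the Audit Object Access policy setting. Both outcomes are off
    unless enabled, matching auditing being turned off by default."""
    return {"success": success, "failure": failure}


# Constructed accounts and memberships (assumptions for this example):
# svc_backup is deliberately not a member of Users.
MEMBERSHIP = {
    "alice": {"Everyone", "Users"},
    "svc_backup": {"Everyone", "Backup Operators"},
}

# Constructed access attempts: (user, access type, succeeded).
ATTEMPTS = [
    ("alice", "Write", False),
    ("svc_backup", "Write", False),
    ("alice", "Read", True),
]


def is_audited(policy, auditing_entries, user, access, succeeded):
    """Return True if this attempt would be written to the security log."""
    outcome = "success" if succeeded else "failure"
    # Part 1: the policy must enable auditing for this outcome.
    if not policy[outcome]:
        return False
    # Part 2: an auditing entry on the object must match group, access type,
    # and outcome. Accounts not listed are treated as members of Everyone only.
    groups = MEMBERSHIP.get(user, {"Everyone"})
    for entry in auditing_entries:
        wanted = entry.on_success if succeeded else entry.on_failure
        if wanted and entry.access == access and entry.group in groups:
            return True
    return False


def missed_failures(policy, auditing_entries, attempts):
    """Failed attempts that leave no audit entry under this configuration."""
    return [(user, access) for (user, access, ok) in attempts
            if not ok and not is_audited(policy, auditing_entries, user, access, ok)]


if __name__ == "__main__":
    users_only = [AuditingEntry("Users", "Write", False, True)]
    everyone = [AuditingEntry("Everyone", "Write", False, True)]
    print("policy off:", missed_failures(make_policy(), everyone, ATTEMPTS))
    print("Users entry:", missed_failures(make_policy(failure=True), users_only, ATTEMPTS))
    print("Everyone entry:", missed_failures(make_policy(failure=True), everyone, ATTEMPTS))
```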


Setting an Audit Policy

- Select the types of events to be audited.
- Specify whether to track successful attempts, failed attempts, or both.
- Use the Group Policy snap-in to set audit policies.


Setting an Audit Policy (Cont.)

Types of events that Windows 2000 can audit
- Account logon events
- Account management
- Directory service access
- Logon events
- Object access
- Policy change
- Privilege use
- Process tracking
- System


Setting an Audit Policy (Cont.)

Changes made to audit policy on a computer take effect when one of the following events occurs:
- You initiate policy propagation.
- You restart the computer.
- Policy propagation occurs.


Auditing Access to Files and Folders

The first step is enabling the Audit Object Access policy.
- To do this on a computer that is not a domain controller, create a custom MMC console and add the Group Policy snap-in.
- In the console tree, select Audit Policy from the Computer Configuration node, and then double-click the Audit Object Access policy to configure success and/or failure.


Auditing Access to Files and Folders (Cont.)


Auditing Access to Files and Folders (Cont.)

The second step in auditing access to files and folders is to access the Properties dialog box for each individual file or folder you want to audit, click the Security tab, and then click Advanced.

Then click the Auditing tab and configure auditing for the selected file or folder.


Auditing Access to Active Directory Objects

First, enable the Audit Directory Service Access policy in the Group Policy snap-in.

Second, use the Active Directory Users And Computers snap-in to configure auditing in the Properties dialog box for each Active Directory object you want to audit.


Lesson Summary

- Auditing is the process of tracking user and system events.
- An audit policy defines the types of security events that Windows 2000 records in the security log on each computer.
- Windows 2000 records audited events on each computer separately.
- To configure auditing of files, folders, or printers, first enable the Audit Object Access policy; then configure auditing of specific files, folders, and printers.