Suspicious software on your Windows Server may be the result of an unauthorized installation by your own employee or originate from a hackers’ attack. Any suspicious software can potentially cause leakage of sensitive data, not to mention server performance slowdown or infringement of compliance policies.
That is why it is vital to be aware of any occurrences of software installation and see what was installed, who did it and when – shortly after it happened.
Native Auditing
1. Run eventvwr.msc > Windows Logs > Right-click “Application” log > Properties:
- Make sure the “Enable logging” check box is selected
- Increase the log size for at least 1 GB
- Set retention method to “Overwrite events as needed” or “Archive the log when full”
2. Open Event Viewer and search the application log for the 11707 event ID with MsiInstaller Event Source to find the last installed software.
3. To create an instant alert that is triggered upon any software installation, you need to edit the following PowerShell script by setting up your parameters and saving it everywhere as a .ps1 file (e.g., detect_software).
$Subject = “New Software Has Been Installed” # Message Subject $Server = “smtp.server” # SMTP Server $From = “From@domain.com” # From whom we are sending an e-mail(add anonymous logon permission if needed) $To = “To@domain.com” # To whom we are sending $Pwd = ConvertTo-SecureString “enterpassword” -AsPlainText –Force #Sender account password #(Warning! Use a very restricted account for the sender, because the password stored in the script will be not encrypted) $Cred = New-Object System.Management.Automation.PSCredential(“From@domain.com” , $Pwd) #Sender account credentials $encoding = [System.Text.Encoding]::UTF8 #Setting encoding to UTF8 for message correct display #Powershell command for filtering the security log about created user account event $Body=Get-WinEvent -FilterHashtable @{LogName=”Application”;ID=11707;ProviderName='MsiInstaller'} | Select TimeCreated, Message, UserID | select-object -first 1 #Sending an e-mail. Send-MailMessage -From $From -To $To -SmtpServer $Server -Body “$Body” -Subject $Subject -Credential $Cred -Encoding $encoding
4. Run Task Scheduler > Create new schedule task > Enter its name > Triggers tab > New trigger > Set up the following options:
- Begin the task on an event
- Log – Application
- Source – Blank
- EventID – 11707
5. Go to the “Actions” Tab > New action with following parameters:
- Action – Start a program
- Program script: PowerShell
- Add arguments (optional): -File “specify file path to our script”
6. Click “OK”
7. Now you will be notified about every software installation on your Windows Server via an e-mail message containing details of software installation time, software name and installer’s userID (SID).
8. To convert user SID into an Account Name, open the following script in PowerShell ISE, enter SID and click “Run”:
$objSID = New-Object System.Security.Principal.SecurityIdentifier("Enter your SID Here") $objUser = $objSID.Translate([System.Security.Principal.NTAccount]) $objUser.Value
Netwrix Auditor for Windows Server
1. Run Netwrix Auditor > Managed Objects > Windows Server > Click “Run” to gather logs (log gathering is performed automatically on a specific schedule; here you may need to click the “Run” button manually in order to avoid waiting for the next scheduled data collection) > Open an e-mail received after log gathering.
2. To create an instant alert that is triggered upon any software installation, go to “Managed Objects” > Windows Server > Event Log > Right click “Real-time alerts” > New Real-time alert > Set the name of alert and click “Next” > Click “Add Event Filter” > Set the name of the filter > Set Application Event Log > Go to “Event Filters” tab > Set Event ID = 11707 > Click “OK” and “Finish”.
3. Now you are able to receive an e-mail upon each occurrence of software installation on your server.
Don’t miss out on real-life use cases of detecting unauthorized software installation on Windows Server!