
Microsoft Windows Server

Blumira integrates with Microsoft Windows operating systems to provide automated threat detection and actionable response. Blumira supports the following Microsoft Windows server operating systems:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012R2
  • Windows Server 2012
  • Windows Server 2008R2
  • Windows Server 2008
  • Windows Server 2003R2
  • Windows Server 2003

Blumira provides broad coverage for Windows Server, including log collection, and recommends using NXLog, command line logging, DNS debug logging and Winlogbeat.

NXLog is a multi-platform log management tool that helps you identify security risks and policy breaches, and analyze operational problems, in server logs, operating system logs and application logs. In concept, NXLog is similar to syslog-ng or Rsyslog, but it is not limited to UNIX and syslog.

NXLog for Windows Setup

Setting up a Standard Host

  • Download and install the newest stable NXLog Community Edition.
  • Replace C:\Program Files (x86)\nxlog\conf\nxlog.conf with the Blumira nxlog configuration file found here: https://github.com/Blumira/Flowmira/blob/master/nxlog.conf
  • Open the configuration file for editing as an administrator and replace A.B.C.D on line 21 with the actual IP address of the Blumira Sensor. The edited line should look like this:
    define SENSOR 10.11.12.13
  • Save the file.
  • Open Windows Services and restart the NXLog service. You can also run net start nxlog from an administrator command prompt to start the service.
  • Log into the Blumira platform and verify that you are receiving NXLog events by navigating to Infrastructure > Sensors > Logging Devices, or check your Security dashboard.

Enabling Additional Logging

  • See this help center article for recommended Windows logging GPO settings.
  • If you need to collect additional log files beyond what is covered here, specify them as channels in nxlog.conf.

If you are using Windows 2003

  • Use this configuration instead of the one above: https://storage.googleapis.com/blumira-shipping-configurations/nxlog/nxlog_2003.conf
  • It can be placed in the same location, assuming you are using the x86 version of Windows 2003: C:\Program Files\nxlog\conf\nxlog.conf.
  • This configuration strips out a number of features that the 2008+ version has. We strongly recommend using the latest version of Sysmon that supports Windows 2003 to fill the gaps left by the Windows 2003 event log, which is not very verbose.
  • You do not need to set up any additional logging on the host; no steps are required beyond the hardening guide.
  • Please reach out to [email protected] for our Windows 2003 hardening and visibility guide.

Detection for Windows Firewall

For instructions on how to configure detection for Windows Firewall, please see the following documentation:
https://www.blumira.com/integration/microsoft-windows-firewall/

Detection for IIS

For instructions on how to configure detection for IIS, please see the following documentation: https://www.blumira.com/integration/microsoft-windows-iis/

Detection for PowerShell

For instructions on how to configure detection for PowerShell, please see the following documentation:
https://www.blumira.com/integration/windows-server-powershell/

Detection for DNS

For instructions on how to configure detection for DNS, please see the following documentation: https://www.blumira.com/integration/microsoft-windows-dns/

Enabling Windows Firewall Logging Using GPO

You will need to ensure that Windows Firewall logging is enabled via GPO for dropped packets only. Logging successful connections will most likely be unnecessarily verbose, unless you require that visibility because of a lack of network segmentation.

  • Open the appropriate Group Policy Object.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows Defender Firewall Properties. (This example uses the local Group Policy Editor; refer to this link for domain-specific guidance on deploying GPOs for Windows Firewall.) For each network location type (Domain, Private, Public), perform the following steps:
  • Click the tab that corresponds to the network location type.
  • Under Logging, click Customize.
    • Leave the log file location unchanged; the NXLog configuration assumes the default path.
    • Set Log dropped packets to Yes. Unless you require significant visibility, leave Log successful connections set to No.
    • Click OK.
Then enable the firewall log input in nxlog.conf:

  • If you did not change the default path for the log file, you only need to uncomment the Windows Firewall Logs section.
  • Uncommenting means removing the # from the beginning of each line, starting at #<Extension csv_windows_fw> and ending at #</Route>, just above the Windows Firewall Logs END block.
  • Restart NXLog from the Services console or with the following command:
    net stop nxlog && net start nxlog
  • Data from the firewall will start flowing.
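The following PowerShell script is an added example, not Blumira's own tooling, that checks the results of both procedures above (the NXLog setup and the firewall logging GPO) on a host. It assumes 64-bit Windows Server 2012 or later (the NetSecurity cmdlets are not available on 2008/2003), NXLog CE in its default x86 install path, and the default firewall log path left unchanged.

```powershell
# Added example (not Blumira's code): verify the NXLog SENSOR setting, the NXLog
# service, and the effective Windows Firewall logging settings on this host.
# Assumptions: Server 2012+, default NXLog CE path, default firewall log path.
#Requires -RunAsAdministrator

$confPath = 'C:\Program Files (x86)\nxlog\conf\nxlog.conf'
$fwLog    = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
$ok = $true

# 1. The SENSOR define must hold a real IP, not the A.B.C.D placeholder.
$sensorLine = Select-String -Path $confPath -Pattern '^\s*define\s+SENSOR\s+(\S+)' | Select-Object -First 1
if (-not $sensorLine) {
    Write-Warning "No 'define SENSOR' line found in $confPath"; $ok = $false
} elseif ($sensorLine.Matches[0].Groups[1].Value -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    Write-Warning "SENSOR is still a placeholder: $($sensorLine.Line.Trim())"; $ok = $false
} else {
    Write-Host "SENSOR = $($sensorLine.Matches[0].Groups[1].Value)"
}

# 2. The NXLog service must be running for events to ship to the sensor.
$svc = Get-Service -Name nxlog -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { Write-Host 'nxlog service: Running' }
else { Write-Warning 'nxlog service is not running (try: Start-Service nxlog)'; $ok = $false }

# 3. Every profile should log dropped packets only (LogBlocked=True, LogAllowed=False),
#    matching the GPO settings above. This reads the effective local values.
foreach ($p in Get-NetFirewallProfile) {
    $state = '{0}: LogBlocked={1} LogAllowed={2} LogFileName={3}' -f $p.Name, $p.LogBlocked, $p.LogAllowed, $p.LogFileName
    if ($p.LogBlocked -ne 'True') { Write-Warning "$state  <-- dropped packets not logged"; $ok = $false }
    elseif ($p.LogAllowed -eq 'True') { Write-Warning "$state  <-- allowed connections logged (verbose)" }
    else { Write-Host $state }
}

# 4. The log file NXLog tails must exist. A zero-byte file usually means nothing has been
#    dropped yet on an active profile, not a misconfiguration.
if (Test-Path $fwLog) {
    $size = (Get-Item $fwLog).Length
    Write-Host "Firewall log present: $fwLog ($size bytes)"
    Get-Content $fwLog -Tail 3 | ForEach-Object { Write-Host "  $_" }
} else { Write-Warning "Firewall log not found at $fwLog"; $ok = $false }

if ($ok) { Write-Host 'All checks passed.' } else { Write-Warning 'One or more checks failed; see above.' }
```

Run it in an elevated PowerShell session after the GPO has applied (gpupdate /force if needed); a warning on a profile that is not currently active is expected until that profile is in use.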