
How to generate actions from events in Microsoft Vista

14 Aug 2007 | Administering Windows Vista Security: The Big Surprises - An excerpt from Chapter 1, "Administering Vista Security: The Little Surprises."


Microsoft Windows XP and 2003 brought a really nice feature called "event triggers." The idea was that you could use a command-line tool called "eventtriggers.exe" to instruct the Event Log service to start an application of your choosing whenever a particular kind of event occurred. Not many people seemed to discover it, but I wrote about it in a few magazine articles and suggested that you could build a pretty neat system for alerting you to problems in the network. There were three ingredients:
  • You'd need a cell phone that could receive text messages via email. For example, my cell carrier is Verizon Wireless, and you can send an SMS text message to any Verizon cell phone by sending e-mail to cellphonenumber@vtext.com.
  • You need a program that can send simple emails from the command line. There's a free one called "blat" at http://www.blat.org.
  • You need XP or 2003, as they support event triggers.

I put this all together by suggesting that if there were particular events that you were concerned about—say, an account lockout happened—then you could use eventtriggers.exe to tell the Event Log service, "If an account lockout happens, run such-and-such blat command line to send me an alert on my phone as a text message." It worked pretty nicely but was, admittedly, cumbersome. So the new "Attach task to event…" option is a real blessing.

Warning!
Be sure to configure the SMTP server to accept e-mails from this server, or you'll never get an alert via e-mail. All well-configured SMTP servers nowadays have strict rules restricting SMTP relaying and would probably reject the e-mail that the Event Log service tried to send to the SMTP server. And setting up random extra SMTP servers without all of those strict rules is a really bad idea, as it's one way that spammers send all of that junk but don't get caught.
To see this in action, open up the Application log and look at the events in it. If this is your first look into Vista's Event Viewer, look in the folder "Windows Logs"—it's probably already open; if not, open it—and notice that these logs bear the familiar names of Application, Security and System, as well as two new ones named "Setup" and "ForwardedEvents." Click the Application folder in the left-hand pane and in the right-hand pane (I always close the Action pane, because I think you'd need a screen that isn't just in "landscape" mode but in "panoramic" mode to make use of MMC 3.0's three panes) you'll see the events in that log.

Right-click any one of them and you'll see in the resulting context menu that you've got a new option, "Attach Task To This Event…"; click that, and you'll see a wizard page like the one in Figure 1.14.

Why a wizard? Well, as it turns out, Vista's Event Viewer offers you several options on how to respond. (They even simplified setting up my suggestion about e-mailing admins when an event occurs, as you'll see.) Click Next to see a figure like Figure 1.15.

First, as with eventtriggers.exe, you can specify any given application. Or you can send an email, or display a message on the server's desktop. I'll consider all three options in a moment, but for now, I'll click the radio button next to "Send an email" and then Next to see something like Figure 1.16.

Figure 1.14: Starting the Create Basic Task Wizard

Figure 1.15: Event viewer offers three kinds of responses

Figure 1.16: Setting up an email notification

This page looks very much as you'd expect, allowing you to punch in a from address, to address, subject and text. It even lets you add an attachment, which is a nice touch, and specify the name of the SMTP server to use to send the e-mail.

If I click Next, I get a summary screen like the one in Figure 1.17.

This is a nice summary of what's going to happen once I click Finish, although truthfully it's not necessary. An administrator can always modify or delete an event task, as you'd expect. Ah, but where you modify or delete that event task, that'll surprise you. When I click Finish, I get the message box in Figure 1.18.

Figure 1.17: Summarizing the trigger

Figure 1.18: Changes? Off to the task scheduler

This seems like a bad idea to me. Vista's user interface does a fairly decent job of providing what Microsoft has come to like calling "discoverability," which is their recently coined term for "a user interface that makes figuring out what you can do with a GUI program easier." So here you've created an event task in the Event Viewer; you'd think that you could modify or delete it in the Event Viewer. But no, instead Microsoft's got you going to the Task Scheduler to do that.
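The alerting recipe in this excerpt (eventtriggers.exe plus blat on XP/2003, the "Send an email" task on Vista) can also be built from the command line with schtasks.exe, which creates the same event-triggered scheduled task the wizard does and lets you export it for review. This PowerShell script is an added example, not code from the book; the task name, blat install path, SMTP host, addresses and cell number are placeholders, and blat's switch names follow its own documentation rather than anything shown in the text.

```powershell
# Added example (not the book's own code): build from the command line the same kind of
# event-triggered task that "Attach Task To This Event..." creates, so it can be scripted,
# reviewed and version-controlled. Assumes PowerShell 2.0 or later, schtasks.exe (built into
# Vista and later), blat from http://www.blat.org (named in the text) and placeholder values.
$TaskName = 'Alert-AccountLockout'
$Blat     = 'C:\Tools\blat.exe'        # assumed install path
$Smtp     = 'smtp.example.com'         # must accept mail from this host (see the Warning)
$From     = 'eventlog@example.com'
$To       = '5551234567@vtext.com'     # Verizon email-to-SMS gateway, as in the text

# Small helper script the task runs; keeps blat's quoting out of the schtasks command line.
# It runs as SYSTEM, so only administrators should be able to write to this path.
$Script = Join-Path $env:ProgramData 'LockoutAlert\alert.cmd'
New-Item -ItemType Directory -Force -Path (Split-Path $Script) | Out-Null
@"
@echo off
"$Blat" - -to $To -f $From -server $Smtp -subject "Account lockout on %COMPUTERNAME%" -body "A user account was locked out. Check the Security log on %COMPUTERNAME%."
"@ | Set-Content -Path $Script -Encoding Ascii

# Security event 4740 is "A user account was locked out" on Vista/2008 and later. The /MO value
# is the same XPath query the wizard stores in the task's <EventTrigger><Subscription> element.
$Query = "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4740]]"
schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC Security /MO $Query /TR $Script /RU SYSTEM

# As the book points out, the task now lives in Task Scheduler, not Event Viewer; export it to
# review (or diff over time) the trigger and action that were created.
schtasks.exe /Query /TN $TaskName /XML
```

The exported XML is also the place to confirm that nobody has quietly changed the trigger or swapped the action, since the Event Viewer context menu gives no hint the task exists.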

Check out other excerpts from this chapter of Mark's book, Administering Windows Vista Security: The Big Surprises.

SearchWindowsSecurity.com also features excerpts from chapter eight, "Locking Up the Ports: Windows Firewall", of Mark Minasi's book, Mastering Windows Server 2003 Upgrade Edition for SP1 and R2.
