Microsoft Windows XP and 2003 brought a really nice feature called "event triggers." The idea was that you could use a command-line tool called "eventtriggers.exe" to instruct the Event Log service that if a particular kind of event occurred, then the Event Log service would start the application of your choosing. Not many people seemed to discover it, but I wrote about it in a few magazine articles and suggested that you could build a pretty neat system for alerting you to problems in the network. There were three ingredients:
- You'd need a cell phone that could receive text messages via email. For example, my cell carrier is Verizon Wireless, and you can send an SMS text message to any Verizon cell phone by sending e-mail to firstname.lastname@example.org.
- You need a program that can send simple emails from the command line. There's a free one called "blat" at http://www.blat.org.
- You need XP or 2003, as they support event triggers.
I put this all together by suggesting that if there were particular events that you were concerned about—say, an account lockout happened—then you could use eventtriggers.exe to tell the Event Log service, "If an account lockout happens, run such-and-such blat command line to send me an alert on my phone as a text message." It worked pretty nicely but was, admittedly, cumbersome. So the new "Attach task to event…" option is a real blessing.
Right-click any one of them and you'll see in the resulting context menu that you've got a new option, "Attach Task To This Event…"; click that, and you'll see a wizard page like the one in Figure 1.14.
Why a wizard? Well, as it turns out, Vista's Event Viewer offers you several options on how to respond. (They even simplified setting up my suggestion about e-mailing admins when an event occurs, as you'll see.) Click Next to see a figure like Figure 1.15.
First, as with eventtriggers.exe, you can specify any given application. Or you can send an email, or display a message on the server's desktop. I'll consider all three options in a moment, but for now, I'll click the radio button next to "Send an email" and then Next to see something like Figure 1.16.
Figure 1.14: Starting the Create Basic Task Wizard
Figure 1.15: Event viewer offers three kinds of responses
Figure 1.16: Setting up an email notification
This page looks very much as you'd expect, allowing you to punch in a From address, a To address, a subject, and the message text. It even lets you add an attachment, which is a nice touch, and specify the name of the SMTP server to use to send the e-mail.
If I click Next, I get a summary screen like the one in Figure 1.17.
This is a nice summary of what's going to happen once I click Finish, although truthfully it's not necessary. An administrator can always modify or delete an event task, as you'd expect. Ah, but where you modify or delete that event task, that'll surprise you. When I click Finish, I get the message box in Figure 1.18.
Figure 1.17: Summarizing the trigger
Figure 1.18: Changes? Off to the task scheduler
This seems like a bad idea to me. Vista's user interface does a fairly decent job of providing what Microsoft has come to like calling "discoverability," which is their recently coined term for "a user interface that makes figuring out what you can do with a GUI program easier." So here you've created an event task in the Event Viewer; you'd think that you could modify or delete it in the Event Viewer. But no, instead Microsoft's got you going to the Task Scheduler to do that.
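The account-lockout alert described above, rebuilt as a scheduled task with an event trigger, which is what the Event Viewer wizard ends up creating in Task Scheduler. This is an added example, not code from the book; the task name, script path, SMTP relay, mail addresses and the use of event ID 4740 are assumptions, not values from the text.

```powershell
# Added example, not from the book: the "account lockout -> text message" alert
# rebuilt as an event-triggered scheduled task, which is where the Event Viewer
# wizard puts its work too. Assumed values: task name, script path, SMTP relay
# and mail addresses. Event ID 4740 is the Security-log "A user account was
# locked out" event on Vista and later (XP/2003 used ID 644, which is what you
# would have given eventtriggers.exe /eid in the old recipe).

$TaskName   = 'Alert-AccountLockout'            # assumed task name
$ScriptPath = 'C:\Admin\Send-LockoutAlert.ps1'  # assumed path (no spaces on purpose)

# 1. The action: a script that fetches the newest lockout event and mails it.
#    This stands in for the old blat command line; the addresses are placeholders.
$AlertScript = @'
$evt = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} -MaxEvents 1
Send-MailMessage -SmtpServer 'smtp.example.org' -From 'eventlog@example.org' `
    -To 'admin-pager@example.org' -Subject "Account lockout on $env:COMPUTERNAME" `
    -Body $evt.Message
'@
New-Item -ItemType Directory -Path (Split-Path $ScriptPath) -Force | Out-Null
Set-Content -Path $ScriptPath -Value $AlertScript

# 2. The trigger: /SC ONEVENT with the log channel (/EC) and an XPath filter (/MO),
#    the same kind of selector the wizard stores in the task. The task runs as
#    SYSTEM because ordinary accounts cannot read the Security log.
$Filter = '*[System[EventID=4740]]'
$Action = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
schtasks.exe /Create /F /TN $TaskName /SC ONEVENT /EC Security /MO $Filter `
    /TR $Action /RU SYSTEM

# 3. Where it ends up: Task Scheduler, not Event Viewer, exactly the surprise
#    the text describes. Inspect (or later delete) it from there:
schtasks.exe /Query /TN $TaskName /V /FO LIST
# schtasks.exe /Delete /TN $TaskName /F
```

Test it by locking out a throwaway account in a lab; the Security log must be auditing account management for 4740 to be written at all.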
Check out other excerpts from this chapter of Mark's book, Administering Windows Vista Security: The Big Surprises.