- The Windows 2000\XP\.NET Resource Index
Last Updated December 16, 2003

Intrusion Detection Resources

Amidst the daily grind of maintaining and upgrading your network, who has time to perform routine security audits and scour Event Logs? Almost nobody. But installing an intrusion detection system can pay for itself in a very short period of time. This technology is relatively new and still maturing, so research your solutions carefully, and have a plan for how to isolate and track an intruder once you locate one. If you've discovered an intrusion into your network, be sure to check our Incident Response and Computer Forensic Resource Centers for more information.
Recommended Books

Intrusion Detection: Network Security Beyond the Firewall
By Terry Escamilla. Published by John Wiley, Oct 1998. Paperback. ISBN 0471290009. We actually couldn't put this book down, which is rare for a technical book (even for us). A great primer for those new to IT Security, it covers the basics of computer security first, introduces common hacker techniques and tools for both UNIX and NT, reviews intrusion detection software and vulnerability scanners, and explains what to do if you find that you are being hacked. This is an excellent book that quickly made it to our favorites list. There is a companion website for the book at

Network Intrusion Detection: An Analyst's Handbook, 2nd Edition
Published by New Riders, Sept 2000. Paperback, 430 pages. ISBN 0735710082. Although not written specifically for Windows 2000, this is an excellent and practical technical reference by the developer of the Shadow intrusion detection system. However, it should not be considered a primer for the uninitiated, and strong TCP/IP skills are a must if you want to get the most out of this book. Coverage of common attacks, architectural issues, detection of exploits, intelligence gathering, risk management, and tools is excellent. The author also provides plenty of personal anecdotes and samples of real log files throughout the book, making this a valuable resource for admins who want a real-world perspective on intrusion detection.
Where to Start...

An Introduction to Intrusion Detection and Assessment
By Becky Bace in PDF format.

An Introduction to Intrusion Detection
An article written by Aurobind Sundaram in the Association for Computing Machinery's newsletter Crossroads.

COAST Intrusion Detection Pages
An excellent primer on Intrusion Detection.

FAQ: Network Intrusion Systems
A well done FAQ that covers the core concepts of Intrusion Detection on several operating systems.

Getting the drop on Network Intruders
An overview of Network Intrusion Detection Software by Ellen Messmer. Source: Network World (Oct 4, 1999)

Implementing an Intrusion Detection System
Intrusion detection systems provide security administrators with tools to monitor, detect and respond to security incidents on the network. An IDS is the compilation of technologies and people that work together to provide the ability to identify and respond to malicious activities aimed at networked systems. A high-quality execution methodology will ensure that an IDS solution is implemented appropriately. Source:

Intrusion Detection FAQ
SANS' most widely read FAQ -- intrusion detection experts share answers to frequently asked questions.

Intrusion Detection Software
Learn more about the two most basic types of Intrusion Detection Systems (IDSs), and how you can protect your network from intruders. Source: Windows & .NET Magazine (Dec 2002)

Intrusion Detection Terminology (Part One)
This is the first of a two-part series that discusses IDS terminology, including terms where there may be disagreement from within the security community. Source:

Intrusion Detection Terminology (Part Two)
This is the second and final part of the series that discusses IDS terminology, including terms where there may be disagreement from within the security community. Source:

Managing Intrusions
A brief Whitepaper by Peter Stephenson that covers the basics.

Monitoring and Auditing for End Systems
This document covers policy, goals, and monitoring architecture, with information about event, object, and performance monitoring, references and utilities. Source: Microsoft TechNet CD Online

NSA Glossary of Terms used in Security and Incident Handling
In April of 1998, the NSA completed a glossary of terms used in computer security and intrusion detection. The work, done primarily by Greg Stocksdale of the NSA Information Systems Security Organization, was comprehensive, accurate and useful. Because of the value of a comprehensive glossary, the SANS Institute is making it available for you right here.

Intrusion Detection Web Sites
CSI Intrusion Detection System Resource
The Computer Security Institute is a membership organization that serves and trains IS professionals on how to protect their networks. Although most of their site content is available to members only, some excellent material is available. Check out the CSI Roundtable discussion on present and future intrusion detection systems.

COAST Intrusion Detection Hotlist
An excellent place to delve into the world of intrusion detection.

Intrusion Detection Consortium
The Intrusion Detection Systems Consortium (IDSC) was established in 1998 to provide an open forum in which developers could work toward common goals such as educating end users, creating industry standards, product interoperability, and maintaining product integrity.

SRI/CSL's Intrusion Detection Page
Home of the SRI International Computer Science Laboratory. Lots of whitepapers and other resources, but hasn't been updated since 1997.

Technical Articles, Whitepapers, etc.

50 ways to defeat your Intrusion Detection System
By Fred Cohen & Associates

Advanced Perimeter Detection and Defense
How can you tell whether your system has been compromised, and what do you do if it has? If you are running a Windows NT or 2000 Web server with Microsoft IIS 4 or 5, this article will show you how to tighten perimeter security with automated tracking and detection techniques. Source: 8 Wire (Jan 31, 2001)

Anatomy of an Intrusion
A great eye-opening article on intrusions by Greg Shipley. Source: Network Computing's Security Workshop (Oct 1999)

Can Intrusion Detection Keep an Eye on Your Network's Security?
Catching network and host attacks as they happen isn't always possible with firewalls and other security tools. Intrusion detection can be your eyes and ears throughout the enterprise. Source: Network Magazine (April 1999)

Computer Crime Investigators Toolkit
A four-part series that provides a summary of basic, practical knowledge, "tricks," if you like, that should interest all computer crime investigators. While they may not be the final word in preparing for an examination, these techniques will provide some insight into the ways and means of computer criminals. Source: EarthWeb

Cracker Tracking: Tighter Security with Intrusion Detection
An article in BYTE Magazine by Michael Hurwicz. Discusses the differences between host- and network-based detection systems and gives a brief comparison of some of the major products on the market.

Computer Security Incident Handling: Step-by-Step
Advice on how to respond to break-ins and hacker attacks. Source:

Data Mining Approaches for Intrusion Detection
An interesting whitepaper from Columbia University's Computer Science Department

DDOS attacks' ultimate lesson: Secure that infrastructure
By following best-of-breed security practices, many an e-business could at the least minimize their downtime to 10-15 minutes instead of the 2-4 hour lapses that occurred in the February DDOS attacks on Amazon, Yahoo and e-Bay. Source: EarthWeb (Sept 14, 2000)

Detecting unauthorized access with Microsoft Proxy Server
Keep watch for intruders through some of the built-in Proxy Server settings in Microsoft BackOffice. Source: EarthWeb (May 12, 2000)

Detecting Signs of Intrusion
From CERT at Carnegie Mellon University

Fast Path to Intrusion Detection and Event Logging
Most network administrators will face a computer security intrusion event sometime during their careers. Having an intrusion detection plan will result in earlier intrusion notification, minimize the consequences, and allow a quicker recovery. Microsoft provides several tools for intrusion detection, including event logging. This document will discuss intrusion detection and some of the Microsoft tools that you can use as part of an intrusion detection plan. Source: Microsoft TechNet

Hacker Alert - Intrusion Detection Software is hot, but can it really stop hackers cold?
A hard look at what options are out there, and how they actually function in the real world. Source: Network World (Sept 27, 1999)

HOW TO: Configure Performance Counters and Logs to Monitor Unauthorized Attempts to Access Your Computer in Windows 2000 Server
Microsoft Knowledge Base Article 300504 - This step-by-step article describes how to use the Performance Logs and Alerts service to create counter logs and alerts to monitor unauthorized attempts to access your computer in Microsoft Windows 2000 Server.

HOW TO: Enable and Apply Security Auditing in Windows 2000
Microsoft Knowledge Base Article Q300549 - This step-by-step instruction guide describes how to enable and apply Windows security auditing.

HOW TO: Enable Local Security Auditing in Windows 2000
Microsoft Knowledge Base Article Q248260 - This article describes how to enable local security auditing in Windows 2000. Administrators of local computers can use this method to set up local auditing of security access rights on individual Windows 2000-based computers.

HOW TO: Enable Active Directory Access Auditing in Windows 2000
Microsoft Knowledge Base Article Q314977 - This step-by-step article describes how to enable Active Directory access auditing in Windows 2000. The Active Directory should be audited to assess when authorized and unauthorized access is attempted. You can configure auditing of the Active Directory database. After you enable auditing, you can view the audit information in the Directory Service log that is located in the Event Viewer. Note that this log is only present on computers that are acting as Active Directory domain controllers. This article describes how you can enable Active Directory for auditing access.

How to Enable User Environment Event Logging in Windows 2000
Microsoft Knowledge Base Article Q186454 - This article describes how to enable the user environment event logging features available in Windows 2000.

HOW TO: Monitor for Unauthorized User Access in Windows 2000
Microsoft Knowledge Base Article Q300958 - This article describes how to monitor your system for unauthorized user access. There are two main steps: enabling security auditing and viewing the security logs. Note that different systems have different security needs, and the security topic is complex. Any user who sets up security audits on your system must be assigned to administrative groups or be given security rights and privileges.

Immediate intrusion detection: Catching hackers red-handed on your web server!
This white paper focuses on how administrators can set up their web servers successfully and safely. Describing the tools used by hackers to gain backdoor access to your IIS web servers, this paper details the necessary steps to detect successful intrusions on your network, as well as explaining how to prevent such attacks to your web server. Source:

Incident Handling
A little planning goes a long way when handling computer break-ins. Source: Network Magazine (Jan 2000)

Intrusion Detection Tools to stop hackers cold
A review of host-based monitoring and network-based scanners by Ellen Messmer. Source: Network World (2/15/99)

Intrusion Detection: The Guard Inside the Gate
A firewall puts a lock on the door. IDS is the watchdog inside. Source: EarthWeb (Oct 30, 2000)

Intrusion Today
A small news archive from the NetworkICE corporation

Intrusion Detection and Response
A whitepaper on the viability of Intrusion Detection Systems from National Info-Sec at the Lawrence Livermore National Laboratories

Intrusion Detection provides a pound of prevention
Article by Mark Abene in Network Computing's Security Workshop, August 1997

Intrusion Detection Take 2
A second look at intrusion-detection systems shows that a combination of network-based and host-based technologies is a promising strategy. But is it ready to safeguard your network? Source: Network Computing (Nov 1999)

Passive Network Traffic Analysis: Understanding a Network Through Passive Monitoring
This article will offer a brief overview of passive network monitoring, which can offer a thorough understanding of the network's topology: what services are available, what operating systems are in use, and what vulnerabilities may be exposed on the network. Source: SecurityFocus

Life After IDS
You spent months evaluating, testing, purchasing and deploying your intrusion detection system. Now the fun really begins. Source: Information Security Magazine (September 1999)

Log-based intrusion-detection and -analysis in Windows 2000/NT
This white paper demonstrates that the audit and reporting facilities in Microsoft Windows NT and Microsoft Windows 2000, although a good foundation, fall far short of fulfilling real-life business needs. Therefore, the need exists for log-based intrusion-detection and -analysis tools. Source:

Personal Firewalls/Intrusion Detection
The complexity of PC operating systems, applications and browsers has contributed to continual discovery of security weaknesses (which the typical user cannot be expected to follow or understand). Until now the standard tool for defending Windows was the Anti-Virus scanner, but this is no longer enough - the Personal Firewall has made its debut and should soon become an essential tool for Windows users connected to hostile networks. Source: Security Portal (July 17, 2000)

Preventing and Detecting Insider Attacks Using IDS
Insider attacks pose unique challenges for security administrators. This article will examine some ways in which intrusion detection systems can be used to help prevent and detect insider attacks. Source:

Responding to Intrusions
From CERT at Carnegie Mellon University

Security Reality Check
Intrusion detection spots bad things happening in your network... sometimes. Source: Network Magazine (July 1999)

Sniffing out Network Intruders
A product comparison and introduction to network sniffer programs. Source: InfoWorld's Test Center (Feb 1999)

Spotting Intruders
A great article by Brian Robinson. Source: Federal Computer Week, March 1999

To Catch an Internet Thief
Tracking intruders back to their lairs may require an Internet posse. Source: Network Magazine (Feb 1999)

Working with the NT Security Log
By Paul E. Proctor, Windows NT Systems Magazine, Sept 1997

Entire contents
© 1999-2003 and TechTarget
All rights reserved