W2K Auditing Intrusion Detection - PowerPoint PPT Presentation

Provided by: macybe
Slides: 60

Transcript and Presenter's Notes

Title: W2K Auditing Intrusion Detection

1
W2K Auditing / Intrusion Detection
  • Secure Labs

2
Overview
  • What is Auditing / Effective Auditing
  • Auditing Strategy / Intrusion Detection Strategy
  • W2K Auditing Functionality / Event Logs
  • Audit Policy / Group Policy
  • Types of Auditing
  • Utilities and Tools
  • What to look for ?
  • Questions ?

3
Windows 2000 Security Features
  • Active Directory
  • Kerberos
  • Encrypting File System (EFS)
  • Public Key Certificate Manager
  • Internet Protocol Security (IPSec)
  • Enhanced VPN (L2TP)
  • Enhanced Access Control
  • Enhanced Auditing Subsystem

4
What is Auditing
  • Auditing tracks the activity of users and
    processes by recording selected types of events
    in the logs of a server or workstation.
  • Will provide information required to spot
    attempted attacks, to investigate what happened
    when an incident occurred, and to possibly
    provide evidence in support of an investigation

5
Without Auditing
  • Finding security problems can be difficult if not
    impossible
  • You cannot fix it if you don't know about it !
  • System will remain open or vulnerable to attack

6
What is an Event ?
  • Any significant occurrence in a system that
    requires notification
  • Example
  • Service did not start
  • Driver did not load
  • Information from an application
  • Logon Failure

7
What is Intrusion Detection (ID) ?
  • The ability to detect inappropriate, incorrect,
    or anomalous activity
  • www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

8
Host vs. Network Based ID
  • Host based ID involves loading software on the
    system to be monitored
  • Uses log files or auditing agents for information
  • Network based ID monitors actual network traffic
    (packets)
  • Uses packets as the source of information

9
Effective Auditing
Infrastructure
Security Policy
Execution
10
Lan / Wan (Entry Points)
11
Security Entities (External)
12
Security Entities (Internal)
13
Auditing Strategy
  • Why are you auditing ?
  • Do you need different policies for different
    systems ?
  • Who is responsible for log collection and
    analysis ?
  • Who should have access to the audit logs ?
  • Is the loss of some audit information acceptable ?

14
Auditing Strategy (cont.)
  • Who reviews the logs ? How long should you keep
    them ?
  • What is the escalation procedure should an
    intrusion be detected ?
  • Does the discovery of certain events require
    immediate actions ?
  • Do audit logs need to be collected and analyzed
    centrally ?
  • Will the logs be used for legal action ?

15
Effective Auditing
  • Auditing
  • Vulnerability Management
  • Checking current configuration against a defined
    baseline
  • Threat Management
  • Real-time detection of a threat or actual
    intrusion
  • Collection and Analysis Management
  • Ability to reveal information related to use and
    abuse

16
Effective Auditing (cont.)
  • Too Much Auditing
  • Performance Impact
  • Could hide significant events
  • The first rule in Auditing is Restraint
  • Too Little Auditing
  • Not effective

17
W2K Audit Logs
  • Application
  • System
  • Security
  • Directory Service
  • File Replication
  • DNS Server

18
Audit Log Categories
  • Error
  • Loss of functionality or data, service failure
  • Warning
  • Recoverable events not immediately urgent
  • Information
  • Successful operation (Application, Service or
    Driver)
  • Success Audit
  • Failure Audit

19
W2K Audit Log Properties
  • Group Policy is the recommended method to set audit
    log properties
  • Only the Application, System and Security log
    settings can be set via Group Policy
  • Settings include
  • Overwrite events as needed
  • Overwrite events older than x days
  • Do not overwrite events (clear manually)

20
W2K Audit Log Properties (cont.)
  • Halting the system when the Security Log is full
  • If the Security Log reaches maximum size, by
    default the system will stop auditing
  • CrashOnAuditFail
  • Can be used to stop the system (Blue Screen) if
    auditing cannot continue
  • Could result in a Denial of Service
  • An Administrator must sign on to the system,
    backup and clear the audit log then reset the
    registry value
  • Use this option only in the most extreme situation

21
Microsoft Recommendations (Log Size)
22
Event Viewer
  • View audit information for all logs
  • Manage audit logs (View, Export and Archive)
  • Apply filters to current view
  • Configure audit log properties
  • Open saved audit logs (.EVT)

23
Event Log Security
  • Access to the event logs is controlled to prevent
    unauthorized modification or viewing
  • Four types of accounts are used for the logs
  • LocalSystem
  • Administrator
  • ServerOperator
  • Everyone

24
Event Log Security (cont.)
  Log: Application
    Account         Access
    LocalSystem     R, W, C
    Administrator   R, W, C
    ServerOp        R, W, C
    Everyone        R, W
25
Event Log Security (cont.)
  Log: Security
    Account         Access
    LocalSystem     R, W, C
    Administrator   R, C
    Everyone        none
26
Event Log Security (cont.)
  Log: System
    Account         Access
    LocalSystem     R, W, C
    Administrator   R, W, C
    ServerOp        R, C
    Everyone        R
27
Event Log Security (cont.)
  • Only the LocalSystem account can write to the
    Security Log
  • On domain controllers these permissions extend to
    the three additional logs
  • Administrators can only manage the Security Log
    if they have the proper privileges
  • A registry value can further prevent Guest accounts
    from access (RestrictGuestAccess = 1)

28
Configuring Audit Policy
  • Two Stage Process
  • Set high-level audit policy
  • Which events to audit ?
  • Set auditing on specific objects
  • What objects ?
  • No audit policy is turned on by default

29
Configuring Audit Policy (cont.)
  • Event Categories
  • Audit Account Logon Events
  • This will record the success or failure of a user
    to authenticate to the local computer across the
    network
  • Audit Account Management
  • This audits the creation, modification or
    deletion of user accounts or groups

30
Configuring Audit Policy (cont.)
  • Event Categories (cont.)
  • Audit Directory Service Access
  • Administrators can monitor access to Active
    Directory
  • Only available on Domain Controllers
  • Audit Logon Events
  • Records the success or failure of a user to
    interactively log on to the local computer
  • Audit Object Access
  • Records the successful or failed attempts to
    access a specific object such as directory, file
    and printer objects

31
Configuring Audit Policy (cont.)
  • Event Categories (cont.)
  • Audit Policy Change
  • Records any successful or failed attempts to make
    high level changes to security policy including
    privilege assignments and audit policy changes
  • Audit Privilege Use
  • Records all successful and failed attempts to use
    a privilege

32
Configuring Audit Policy (cont.)
  • Event Categories (cont.)
  • Audit Process Tracking
  • Provides detailed tracking information for events
    such as process activation, handle duplication,
    indirect object access and process exit
  • Audit System Events
  • Records events that affect the security of the
    whole system

33
Audit Privileges
  • To be able to implement and configure audit
    policy settings, you must have the following
    privileges
  • Generate Security Audits
  • Allows a process to make entries to the Security
    Log
  • Managing Auditing and Security Log
  • Allows a user to specify object access auditing
    options

34
Group Policy
  • Allows central management of W2K computers
  • Domain Group Policy will override Local Policy
  • Group Policy Objects (GPO)
  • A collection of configuration settings
  • Computer Configuration
  • Settings applied at boot time
  • User Configuration
  • Settings applied at logon time
  • W2K reapplies Group Policy at specified intervals

35
Group Policy (cont.)
  • Hierarchy
  • Apply configuration of local computers GPO
  • Apply configuration of computers site-linked GPO
  • Apply configuration of domain-linked GPO
  • Apply configuration of computers OU-linked GPO
  • GPO settings can conflict ; the last applied wins
  • Setting can be set to Not Configured
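
The precedence rules on this slide (local, then site, then domain, then OU; last applied wins; "Not Configured" leaves the earlier value alone) worked through in Python. This is an added example, not code from the slides or from Windows; the layer names, the sample GPO contents and the setting names are constructed for the illustration.

```python
"""Added example: resolve an audit-policy setting across the Group Policy
hierarchy as the slide describes it. Each layer is applied in order, a layer
that defines a setting overrides earlier layers, and a layer that leaves a
setting "Not Configured" changes nothing. This models the precedence rules;
it is not Windows' own code."""

from typing import Dict, Optional

NOT_CONFIGURED = None  # a setting left "Not Configured" in a GPO

# Order in which Windows 2000 applies GPOs; later entries win on conflict.
APPLY_ORDER = ("local", "site", "domain", "ou")


def resolve_policy(layers: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, Optional[str]]:
    """Return the effective settings after applying every layer in order.

    `layers` maps a layer name ("local", "site", "domain", "ou") to that GPO's
    settings; a value of NOT_CONFIGURED means the GPO does not touch the setting.
    """
    effective: Dict[str, Optional[str]] = {}
    for layer in APPLY_ORDER:
        for setting, value in layers.get(layer, {}).items():
            if value is NOT_CONFIGURED:
                continue  # "Not Configured" never overrides an earlier layer
            effective[setting] = value  # last applied wins
    return effective


def winning_layer(layers: Dict[str, Dict[str, Optional[str]]], setting: str) -> Optional[str]:
    """Name the layer that supplied the effective value for `setting`, or None."""
    winner = None
    for layer in APPLY_ORDER:
        if layers.get(layer, {}).get(setting, NOT_CONFIGURED) is not NOT_CONFIGURED:
            winner = layer
    return winner


# Constructed sample: the local policy audits logon failures only, the domain
# GPO overrides that and adds account-management auditing, and the OU GPO leaves
# logon auditing Not Configured, so the domain value stands for that setting.
SAMPLE_LAYERS = {
    "local": {"Audit Logon Events": "Failure",
              "Audit Policy Change": "No auditing"},
    "site": {},
    "domain": {"Audit Logon Events": "Success, Failure",
               "Audit Account Management": "Success, Failure"},
    "ou": {"Audit Logon Events": NOT_CONFIGURED,
           "Audit Policy Change": "Success, Failure"},
}

if __name__ == "__main__":
    for setting, value in resolve_policy(SAMPLE_LAYERS).items():
        print(f"{setting:26} {value:18} (from {winning_layer(SAMPLE_LAYERS, setting)})")
```

Running the block shows "Audit Logon Events" resolved from the domain layer even though the OU GPO is applied later, which is exactly the "Not Configured" behaviour the slide calls out.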

36
Configuring Object Auditing
  • Each object has a Security Descriptor associated
    with it that details the Groups or users that can
    access the object, and the types of access
    granted to those groups and users
    (DACL, discretionary access control list)
  • Each Security Descriptor also contains auditing
    information (SACL, system access control list)

37
Auditing File and Folder Objects
  • Must be an NTFS file system
  • Must specify the files or folders to audit
  • Must specify the action that will trigger the
    audit event
  • Must be logged on as a member of the
    Administrators group to enable auditing

38
Type of Folder Access
  • Displaying names of files in the folder
  • Displaying the folder's attributes
  • Changing the folder's attributes
  • Creating subdirectories and files
  • Going to the folder's subdirectories
  • Displaying the folder's owner and permissions
  • Deleting the folder
  • Changing the folder's permissions
  • Changing the folder's ownership

39
Type of File Access
  • Displaying the file's data
  • Displaying the file's attributes
  • Displaying the file's owner and permissions
  • Changing the file
  • Changing the file's attributes
  • Running the file
  • Deleting the file
  • Changing the file's permissions
  • Changing the file's ownership

40
Setup Auditing on a File or Folder
  • Open Windows Explorer
  • Locate the File or Folder
  • Right Click, Select Properties, Select Security
    Tab
  • Select Advanced, Select Audit Tab
  • Select Add
  • Type the name of the User, Select OK
  • Under Access, Select Successful, Failure or Both
  • To prevent other Folders/Files from inheriting
    these audit entries, Select Apply These
    Auditing Entries to Objects and/or Containers
    Within This Container Only
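
How the entries added by the steps above are evaluated, as an added Python model (not code from the slides or from Windows): each object carries a DACL (who may do what) and a SACL (which attempts are audited), SACL entries on a folder flow down to the files and subfolders beneath it unless the entry was restricted to the container, and an attempt produces a Success Audit or Failure Audit record only when a matching entry has the corresponding box ticked. The folder tree, group memberships and principals are constructed; DACL inheritance and the exact "Within This Container Only" propagation rule are simplified to a single inherit flag.

```python
"""Added example: a model of the SACL decision for file and folder objects.
Access-type names follow the slides; the data structures are ours."""

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One SACL entry, as added through the Explorer Audit tab."""
    principal: str             # user or group; "Everyone" matches any principal
    accesses: FrozenSet[str]   # access types from the slides, e.g. "Deleting the file"
    on_success: bool           # the "Successful" box
    on_failure: bool           # the "Failure" box
    inherit: bool = True       # False models "Within This Container Only" (simplified)


@dataclass
class SecurityDescriptor:
    dacl: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # principal -> allowed accesses
    sacl: List[AuditEntry] = field(default_factory=list)


def _matches(entry_principal: str, principal: str, groups: Dict[str, FrozenSet[str]]) -> bool:
    """Does an ACL entry written for `entry_principal` apply to `principal`?"""
    return (entry_principal == "Everyone" or entry_principal == principal
            or entry_principal in groups.get(principal, frozenset()))


def is_allowed(tree, path, principal, access, groups) -> bool:
    """DACL check on the object itself (DACL inheritance is not modelled here)."""
    return any(_matches(p, principal, groups) and access in allowed
               for p, allowed in tree[path].dacl.items())


def effective_sacl(tree, path) -> List[AuditEntry]:
    """The object's own audit entries plus every inheritable entry of its ancestors."""
    entries = list(tree[path].sacl)
    while "\\" in path:
        path = path.rsplit("\\", 1)[0]
        if path in tree:
            entries.extend(e for e in tree[path].sacl if e.inherit)
    return entries


def audit_record(tree, path, principal, access, groups) -> Optional[Dict[str, str]]:
    """Return the Security-log record the attempt would produce, or None if nothing is audited."""
    granted = is_allowed(tree, path, principal, access, groups)
    for entry in effective_sacl(tree, path):
        if not _matches(entry.principal, principal, groups) or access not in entry.accesses:
            continue
        if (granted and entry.on_success) or (not granted and entry.on_failure):
            return {"object": path, "user": principal, "access": access,
                    "type": "Success Audit" if granted else "Failure Audit"}
    return None


# Constructed sample tree: deletions anywhere under C:\Data are audited both
# ways; failed reads of the Payroll folder are audited, but that entry is
# restricted to the container, so it does not reach the files inside it.
GROUPS = {"alice": frozenset({"Payroll"}), "bob": frozenset({"Domain Users"})}
LIST = "Displaying names of files in the folder"
READ = "Displaying the file's data"
TREE = {
    "C:\\Data": SecurityDescriptor(
        dacl={"Everyone": frozenset({LIST})},
        sacl=[AuditEntry("Everyone", frozenset({"Deleting the file", "Deleting the folder"}),
                         on_success=True, on_failure=True)]),
    "C:\\Data\\Payroll": SecurityDescriptor(
        dacl={"Payroll": frozenset({LIST})},
        sacl=[AuditEntry("Everyone", frozenset({LIST, READ}),
                         on_success=False, on_failure=True, inherit=False)]),
    "C:\\Data\\Payroll\\salaries.xls": SecurityDescriptor(
        dacl={"Payroll": frozenset({READ, "Changing the file", "Deleting the file"})}),
}

if __name__ == "__main__":
    for who, obj, what in [("bob", "C:\\Data\\Payroll", LIST),
                           ("bob", "C:\\Data\\Payroll\\salaries.xls", READ),
                           ("bob", "C:\\Data\\Payroll\\salaries.xls", "Deleting the file"),
                           ("alice", "C:\\Data\\Payroll\\salaries.xls", "Deleting the file")]:
        print(who, what, obj, "->", audit_record(TREE, obj, who, what, GROUPS))
```

The second case in the usage loop is the one worth noticing: bob's failed read of salaries.xls is not audited, because the only entry that would catch it was added "Within This Container Only" on the parent folder. When a file must be covered, check the effective entries on the file itself rather than on the folder where they were added.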

41
Auditing Printers
  • Options for Print Object Auditing
  • Print
  • Manage Printers
  • Manage Documents
  • Read Permissions
  • Change Permissions
  • Take Ownership

42
Auditing the Registry
  • Options for Registry Auditing
  • Query Value
  • Set Value
  • Create Subkey
  • Enumerate Subkeys
  • Notify
  • Create Link
  • Delete
  • Write DACL
  • Write Owner
  • Read Control

43
Auditing DHCP
  • Windows 2000 Server has enhanced DHCP Auditing
  • Can specify the dir path of the DHCP log files
  • Can specify a maximum size restriction in MB for
    all audit logs managed by the DHCP service
  • Can specify an interval for writes to the audit
    log before checking available disk space
  • Can specify minimum disk requirements to continue
    DHCP auditing
  • Can disable / enable audit logging at each DHCP
    server

44
Auditing Message Queues
  • Audit messages for a single Message Queue object
    get logged on the computer that performs the
    operation. Therefore, audit messages for
    Message Queue objects may be scattered around the
    network
  • Audit messages are only created when a queue is
    accessed, not each time a message is received or
    sent

45
Auditing IPSEC Security
  • Can be filtered using Oakley in the Security log

46
Microsoft Audit Recommendations
  • See Excel Spreadsheet

47
Windows 2000 Resource Kit
  • Error and Event Messages (Help File)
  • Logevent.exe
  • Utility to add entries to the Event Log
  • Cyber Safe Log Analyst
  • Event Log analysis tool w/ reporting
  • W2000events.mdb
  • Access DB of all events for the System, Security
    and Applications logs
  • AuditPol.exe
  • Command line utility to change audit policy

48
Windows 2000 Resource Kit (cont.)
  • Elogdmp.exe
  • Event log query tool
  • Dumpel.exe
  • Event log dump utility w/ filter capabilities
    Dumps to tab separated text file
  • Uptime.exe
  • Event log utility to determine Availability,
    Reliability and current Uptime
  • Can also monitor Service Pack and OS Failures

49
Security Config Analysis Tool
  • The Security Configuration Tool Set allows you to
    configure security, and then perform periodic
    analysis of the system to ensure that the
    configuration remains intact or to make necessary
    changes over time

50
Managing Logs - Export Log
  • Use the Event Viewer MMC to export the current view
    of the log to a text file
  • Will use current filter settings

51
Managing Logs - Archive Log
  • If you archive a log in log-file format, you can
    reopen it in Event Viewer. Logs saved as event
    log files (.evt) retain the binary data for each
    event recorded
  • When you archive a log file, the entire log is
    saved, regardless of filtering options
  • The sort order is not retained when logs are
    saved.

52
Managing - Archive Log (cont.)
  • If you archive a log in text or comma-delimited
    format (.txt and .csv, respectively), you can
    reopen the log in other programs such as word
    processing or spreadsheet programs. Logs saved in
    text or comma-delimited format do not retain the
    binary data
  • Archiving has no effect on the current contents
    of the active log

53
Log Monitoring Tools
  • Dorian Software, Event Analyst,
    http://www.doriansoft.com
  • TNT Software, Event Log Monitor,
    http://www.tntsoftware.com
  • Aelita Software, EventAdmin, http://www.aelita.com
  • RippleTech, Logcaster, http://www.rippletech.com
  • Opalis Robot, http://www.opalis.com
  • Argent Software, Guardian,
    http://www.argentsoftware.com
  • BindView, http://www.bindview.com
  • BMC Patrol, http://www.bmc.com/patrol
  • NetCool, http://www.micromuse.com/products
  • NetIQ, http://www.netiq.com/products
  • RoboMon, http://www.heroix.com/product_info.htm

54
Event Log - Targeted
  • Event Log cleared at random
  • A manual log should be kept for each server
  • When an event log is cleared, it should
    correspond to an entry in the manual event log
  • Event Log flooding
  • Used to overwhelm the administrator
  • Used as a Denial of Service
  • Sophisticated hackers could write to the security
    log

55
Monitoring the Security Logs
  • Must monitor users that have Admin rights
  • Monitor System Events and Policy Change
    categories to watch for tampering
  • Restarts (Security Event ID 512)
  • Shutdowns (System Event ID 6006 Clean, 6008
    Dirty)
  • Audit Policy Changes (Security Event ID 612)
  • Time Change (Security Event ID 577)

56
Monitoring the Security Logs (cont.)
  • Policy should exist to manage the audit logs
  • Look for manual clear of the audit log (Security
    Event ID 517)
  • Proper policy should make this event rare
  • Logon and Logoff (Successful)
  • Logon uses Event ID 528
  • Local console (interactive): Type 2
  • Drive map or network connect: Type 3
  • Batch logon: Type 4
  • Service logon: Type 5
  • Unlock workstation: Type 7
  • Logoff uses Event ID 538

57
Monitoring the Security Logs (cont.)
  • Logon and Logoff (Unsuccessful)
  • Have Event IDs that represent the reason for the
    failure
  • Most common failures
  • Unknown user name or bad password: Event ID 529
  • Disabled account: Event ID 531
  • Account lockout: Event ID 539
  • Logon outside of time allowed: Event ID 530
  • Event ID 534 is logged in the case of
    insufficient rights to perform an action such
    as log on at the console or gain access to a
    computer
  • Event ID 537 is a general failure: An unexpected
    error occurred during logon
  • Watch for intrusions by monitoring Event IDs 529,
    537 and 539
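
The watchlist from slides 54 to 57 (tampering indicators 512, 517, 612 and 577; repeated logon failures 529, 537 and 539; logon-type decoding for 528; and the manual clear log that every deliberate 517 should match) applied to a tab-separated export of the kind Dumpel.exe or the Event Viewer export produce. This is an added Python example, not code from the slides or the Resource Kit: the sample records, the key=value description text, the failure threshold and the manual clear log are constructed, and the column order (date, time, type, category, event ID, source, computer, description) is an assumption rather than Dumpel's documented layout.

```python
"""Added example: run the slides' Security-log watchlist over a tab-separated
export. Event IDs and logon types are the Windows 2000 values the slides list;
everything else here is constructed for the illustration."""

from collections import Counter, defaultdict
from typing import Dict, List

# Security-log event IDs from the slides, grouped by what they indicate.
TAMPER_EVENTS = {512: "system restart", 517: "audit log cleared",
                 612: "audit policy changed", 577: "system time changed"}
INTRUSION_WATCH = {529, 537, 539}      # the three IDs the slides single out
LOGON_TYPES = {2: "interactive (local console)", 3: "network (drive map / net use)",
               4: "batch", 5: "service", 7: "unlock workstation"}
FAILURE_THRESHOLD = 3                  # failed logons per account before alerting (assumption)

# Slide 54: every deliberate log clear should have a matching manual-log entry.
# Constructed: (computer, date) pairs the administrators wrote down.
MANUAL_CLEAR_LOG = {("DC01", "02/03/2001")}

# Constructed export; tabs separate the columns, the description column is free text.
SAMPLE_EXPORT = "\n".join([
    "02/03/2001\t08:00:12\tSuccess Audit\tSystem Event\t517\tSecurity\tDC01\tThe audit log was cleared by Administrator",
    "02/03/2001\t08:01:40\tSuccess Audit\tLogon/Logoff\t528\tSecurity\tDC01\tuser=alice type=2",
    "02/03/2001\t08:05:03\tFailure Audit\tLogon/Logoff\t529\tSecurity\tFS01\tuser=bob type=3",
    "02/03/2001\t08:05:09\tFailure Audit\tLogon/Logoff\t529\tSecurity\tFS01\tuser=bob type=3",
    "02/03/2001\t08:05:15\tFailure Audit\tLogon/Logoff\t529\tSecurity\tFS01\tuser=bob type=3",
    "02/03/2001\t08:05:21\tFailure Audit\tLogon/Logoff\t539\tSecurity\tFS01\tuser=bob type=3",
    "02/03/2001\t09:12:00\tSuccess Audit\tPolicy Change\t612\tSecurity\tFS01\tAudit policy changed by bob",
    "02/03/2001\t09:13:30\tSuccess Audit\tSystem Event\t517\tSecurity\tFS01\tThe audit log was cleared by bob",
    "02/03/2001\t09:20:00\tSuccess Audit\tLogon/Logoff\t528\tSecurity\tFS01\tuser=svc-backup type=5",
])

FIELDS = ("date", "time", "type", "category", "event_id", "source", "computer", "description")


def parse_export(text: str) -> List[Dict[str, str]]:
    """Split a tab-separated export into records; short or blank lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts[:len(FIELDS)]))
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return records


def _kv(description: str) -> Dict[str, str]:
    """Pull key=value tokens out of the description column (constructed format)."""
    return dict(tok.split("=", 1) for tok in description.split() if "=" in tok)


def review(records: List[Dict[str, str]]) -> List[str]:
    """Apply the watchlist and return one alert string per finding, in log order."""
    alerts = []
    failures = defaultdict(Counter)  # computer -> account -> failed logons seen
    for r in records:
        eid, host = r["event_id"], r["computer"]
        if eid in TAMPER_EVENTS:
            note = TAMPER_EVENTS[eid]
            if eid == 517 and (host, r["date"]) not in MANUAL_CLEAR_LOG:
                note += " with no matching manual-log entry"
            alerts.append(f"{host} {r['date']} {r['time']}: {note} ({eid})")
        elif eid in INTRUSION_WATCH:
            account = _kv(r["description"]).get("user", "?")
            failures[host][account] += 1
            if failures[host][account] == FAILURE_THRESHOLD:
                alerts.append(f"{host}: {FAILURE_THRESHOLD} failed logons for {account}")
    return alerts


def logon_type_summary(records: List[Dict[str, str]]) -> Counter:
    """Count successful logons (528) by the logon type the slides decode."""
    summary: Counter = Counter()
    for r in records:
        if r["event_id"] == 528:
            code = int(_kv(r["description"]).get("type", "0"))
            summary[LOGON_TYPES.get(code, f"unknown type {code}")] += 1
    return summary


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for alert in review(recs):
        print(alert)
    print(dict(logon_type_summary(recs)))
```

Two findings from the sample are the ones the slides tell you to look for: the second 517 on FS01 has no manual-log entry and follows a 612 policy change and a burst of failures for the same account, which is the tampering sequence slide 54 describes. The 517 on DC01 is still listed (a clear is always worth seeing) but is matched against the manual log, so the reviewer can tell a scheduled clear from an unexplained one.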

58
Example Using SQL Server
59
If All Else Fails.
  • And if you wrong us, shall we not revenge ?
  • William Shakespeare