W2K Auditing / Intrusion Detection

W2K Auditing / Intrusion Detection

W2K Auditing / Intrusion Detection Secure Labs Overview What is Auditing / Effective Auditing Auditing Strategy / Intrusion Detection Strategy W2K Auditing Functionality / Event Logs

Audit Policy / Group Policy Types of Auditing Utilities and Tools What to look for ? Questions ? Windows 2000 Security Features Active Directory

Kerberose Encrypting File System (EFS) Public Key Certificate Manager Internet Protocol Security (IPSec) Enhanced VPN (L2TP) Enhanced Access Control Enhanced Auditing Subsystem What is Auditing Auditing tracks the activity of users and processes by recording selected types of events in the logs of a server or workstation. Will provide information required to spot attempted attacks, to investigate what happened when an incident occurred, and to possibly provide evidence

in support of an investigation Without Auditing Finding security problems can be difficult if not impossible You cannot fix it if you dont know about it ! System will remain open or vulnerable to attack What is an Event ? Any significant occurrence in a system that requires notification

Example Service did not start Driver did not load Information from an application Logon Failure What is Intrusion Detection (ID) ? The ability to detect inappropriate, incorrect, or anomalous activity www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

Host vs. Network Based ID Host based ID involves loading software(s) on the system to be monitored Uses log files or auditing agents for information Network based ID monitors actual network traffic (packets) Uses packets as the source of information

Effective Auditing Infrastructure Security Policy Execution Lan / Wan (Entry Points) Security Entities (External) Security Entities (Internal) Auditing Strategy Why

are you auditing ? Do you need different policy for different systems ? Who is responsible for log collection and analysis ? Who should have access to the audit logs ? Is the loss of some audit information acceptable ? Auditing Strategy (cont.) Who reviews the logs ? How long should you keep them ? What is the escalation procedure should an intrusion be

detected ? Does the discovery of certain events require immediate actions ? Do audit logs need to be collected and analyzed centrally ? Will the logs be used for legal action ? Effective Auditing Auditing Vulnerability Management Checking Threat Management Real-time

current configuration against a defined baseline detection of a threat or actual intrusion Collection and Analysis Management Ability to reveal information related to use and abuse Effective Auditing (cont.) Too

Performance Impact Could hide significant events The first rule in Auditing is Restraint Too Much Auditing Little Auditing Not effective W2K Audit Logs Application System Security

Directory Service File Replication DNS Server Audit Log Categories Error Loss of functionality or data, service failure Warning Recoverable events; not immediately urgent

Information Successful operation (Application, Service or Driver) Success Audit Failure Audit W2K Audit Log Properties Group Policy is recommended method to set audit log properties Only the Application, System and Security log settings can be set via Group Policy

Settings include; Overwrite events as needed Overwrite events older than x days Do not overwrite events (clear manually) W2K Audit Log Properties (cont.) Halting the system when the Security Log is full If the Security Log reaches maximum size, by default the

system will stop auditing CrashOnAuditFail Can be used to stop the system (Blue Screen) if auditing cannot continue Could result in a Denial of Service An Administrator must sign on to the system, backup and clear the audit log then reset the registry value Use this option only in the most extreme situation Microsoft Recommendations (Log Size) Log Domain Control

File / Print DataBase Web Server Ras Server Wrkstn Security 5-10 mb

2-4 mb 2-4 mb 2-4 mb 5-10 mb 1 mb System 1-2 mb 1-2 mb

1-2 mb 1-2 mb 1-2 mb 1 mb Apps 1-2 mb 1-2 mb 1-2 mb 1-2 mb

1-2 mb 1 mb Event Viewer View audit information for all logs Manage audit logs (View, Export and Archive) Apply filters to current view Configure audit log properties Open saved audit logs (.EVT) Event Log Security Access

to the event logs is controlled to prevent unauthorized modification or viewing Four Type of Accounts are used for the logs; LocalSystem Administrator ServerOperator Everyone Event Log Security (cont.) LOG Application

Access Application LocalSystem R, W, C Administrator R, W, C ServerOp R, W, C

Everyone R, W Event Log Security (cont.) LOG Application Access Security LocalSystem R, W, C

Administrator R, C Everyone Event Log Security (cont.) LOG Application Access System LocalSystem

R, W, C Administrator R, W, C ServerOp R, C Everyone R Event Log Security (cont.) Only

the LocalSystem account can write to the Security Log On domain controllers these permissions extend to the three additional logs Administrators can only manage the Security Log if they have the proper privileges Registry keys can further prevent Guest accounts from access (RestrictGuestAccess = 1) Configuring Audit Policy Two Stage Process Set high-level audit policy Which

events to audit ? Set auditing on specific objects What No objects ? audit policy is turned on by default Configuring Audit Policy (cont.) Event

Categories Audit Account Logon Events This will record the success or failure of a user to authenticate to the local computer across the network Audit Account Management This audits the creation, modification or deletion of user accounts or groups

Configuring Audit Policy (cont.) Event Categories (cont.) Audit Directory Service Access Administrators can monitor access to Active Directory Only available on Domain Controllers Audit Logon Events Records the success or failure of a user to interactively log on to

the local computer Audit Object Access Records the successful or failed attempts to access a specific object such as directory, file and printer objects Configuring Audit Policy (cont.) Event Categories (cont.) Audit Policy Change

Records any successful or failed attempts to make high level changes to security policy including privilege assignments and audit policy changes Audit Privilege Use Records all successful and failed attempts to use a privilege Configuring Audit Policy (cont.) Event

Categories (cont.) Audit Process Tracking Provide detailed tracking information for events such as process activation handle dups, indirect object access and exits from processes Audit System Events Records events that affect the security of the whole system Audit Privileges

To be able to implement and configure audit policy settings, you must have the following privileges; Generate Security Audits Allows a process to make entries to the Security Log Managing Auditing and Security Log Allows a user to specify object access auditing options

Group Policy Allows central management of W2K computers Domain Group Policy will override Local Policy Group Policy Objects (GPO) A collection of configuration settings Computer Settings applied at boot time User

W2K Configuration Configuration Settings applied at logon time reapplies Group Policy at specified intervals Group Policy (cont.) Hierarchy

Apply configuration of local computers GPO Apply configuration of computers site-linked GPO Apply configuration of domain-linked GPO Apply configuration of computers OU-linked GPO GPO settings can conflict, last applied wins Setting can be set to Not Configured Configuring Object Auditing Each object has a Security Descriptor associated with it that details the Groups or users that can access the object, and the types of access granted

to those groups and users (DACL)-discretionary access control list Each Security descriptor also contains auditing information (SACL)-system access control list Auditing File and Folder Objects Must be a NTFS file system Must specify the files or folders to audit Must specify the action that will trigger the audit event Must be logged on as a member of the Administrators group to enable auditing Type of Folder Access

Displaying names of files in the folder Displaying the folders attributes Changing the folders attributes Creating subdirectories and files Going to the folders subdirectories Displaying the folders owners and permissions Deleting the folder Changing the folders permissions

Changing the folders ownership Type of File Access Displaying the files data Displaying the files attributes Displaying the files owner and Permissions Changing the file

Changing the files attributes Running the file Deleting the file Changing the file permissions Changing the files ownership Setup Auditing on a File or Folder Open Windows Explorer

Locate the File or Folder Right Click, Select Properties, Select Security Tab Select Advanced, Select Audit Tab Select Add Type the name of the User, Select OK Under Access, Select Successful, Failure or Both To prevent other Folders/Files from inheriting these audit entries, Select Apply These Auditing Entries to Objects and/or Containers Within This Container Only Auditing Printers Options

for Print Object Auditing Print Manage Printers Manage Documents Read Permissions Change Permissions Take Ownership Auditing the Registry Options for Registry Auditing

Query Value Set Value Create Subkey Enumerate Subkeys Notify Create Link Delete Write DACL

Write Owner Read Control Auditing DHCP Windows 2000 Server has enhanced DHCP Auditing Can specify the dir path of the DHCP log files Can specify a maximum size restriction in mb for all audit logs managed by the DHCP service Can specify an interval for writes to the audit log before checking

available disk space Can specify minimum disk requirements to continue DHCP auditing Can disable / enable audit logging at each DHCP server Auditing Message Queues Audit messages for a single Message Queue object get logged on the computer that performs the operation. Therefore, audit messages for Message Queue objects may be scattered around the network Audit messages are only created when a queue is accessed, not each time a message is received or sent Auditing IPSEC Security

Can be filtered using Oakley in the Security log Microsoft Audit Recommendations See Excel Spreadsheet Windows 2000 Resource Kit

Error and Event Messages (Help File) Logevent.exe Utility to add entries to the Event Log Cyber Safe Log Analyst Event Log analysis tool w/ reporting W2000events.mdb Access DB of all events for the System, Security and Applications logs AuditPol.exe Command line utility to change audit policy Windows 2000 Resource Kit (cont.)

Elogdmp.exe Dumpel.exe Event log query tool Event log dump utility w/ filter capabilities; Dumps to tab separated text file Uptime.exe

Event log utility to determine Availability, Reliability and current Uptime Can also monitor Service Pack and OS Failures Security Config & Analysis Tool The Security Configuration Tool Set allows you to configure security, and then perform periodic analysis of the system to ensure that the configuration remains intact or to make necessary changes over time Managing Logs - Export Log Use Event View MMC to export the current view on

the log to a text file Will use current filter settings Managing Logs - Archive Log If you archive a log in log-file format, you can reopen it in Event Viewer. Logs saved as event log files (*.evt) retain the binary data for each event recorded When you archive a log file, the entire log is saved, regardless of filtering options The sort order is not retained when logs are saved. Managing - Archive Log (cont.) If

you archive a log in text or comma-delimited format (*.txt and *.csv, respectively), you can reopen the log in other programs such as word processing or spreadsheet programs. Logs saved in text or comma-delimited format do not retain the binary data Archiving has no effect on the current contents of the active log Log Monitoring Tools

Dorian Software, Event Analyst, http://www.doriansoft.com TNT Software, Event Log Monitor, http://www.tntsoftware.com Aelita Software, EventAdmin, http://www.aelita.com RippleTech, Logcaster, http://www.rippletech.com Opalis Robot, http://www.opalis.com Argent Software, Guardian, http://www.argentsoftware.com BindView, http://www.bindview.com BMC Patrol, http://www.bmc.com/patrol NetCool, http://www.micromuse.com/products NetIQ, http://www.netiq.com/products RoboMon, http://www.heroix.com/product_info.htm

Event Log - Targeted Event A manual log should be kept for each server When an event log is cleared, it should correspond to an entry in the manual event log Event Log cleared at random Log flooding

Used to overwhelm the administrator Used as a Denial of Service Sophisticated hackers could write to the security log Monitoring the Security Logs Must monitor users that have Admin rights Monitor System Events and Policy Change categories to watch for tampering Restarts (Security Event ID 512)

Shutdowns (System Event ID 6006 Clean, 6008 Dirty) Audit Policy Changes (Security Event ID 612) Time Change (Security Event ID 577) Monitoring the Security Logs (cont.) Policy should exist to manage the audit logs Look for manual clear of the audit log (Security Event ID 517) Proper policy should make this event rare Logon and Logoff (Successful)

Logon uses Event ID 528 Local Console Interactive = Type 2 Drive Map or Network Connect = Type 3 Batch Logon = Type 4 Service Logon = Type 5 Unlocks Wrstn = Type 7 Logoff uses Event ID 538 Monitoring the Security Logs (cont.)

Logon and Logoff (Un-successful) Have Event Ids that represent the reason for the failure Most common failure Unknown user name or bad password Event ID 529 Disabled Account = Event ID 531 Account Lockout = Event ID 539 Logon Outside of time allowed = Event ID 530

Event ID 534 is logged in the case of insufficient rights to perform an action; such as log on at the console or gain access to a computer Event ID 537 is a general failure An unexpected error occurred during logon Watch for Intrusions by monitoring Event Ids 529 537 and 539 Example Using SQL Server If All Else Fails. And if you wrong us, shall we not revenge ? William Shakespeare

Recently Viewed Presentations

  • English 10 Honors Day 1 - avon-schools.org

    English 10 Honors Day 1 - avon-schools.org

    OPTIC Strategy. used to analyze visuals. process . O = overview . P= parts . T= title . I= Interrelatinships . C= conclusion . As we go over the grammar concepts, take notes. Be sure you understand how to identify...
  • Key Stage 1 SATS 2016 - Valence Primary School

    Key Stage 1 SATS 2016 - Valence Primary School

    Valence Primary School SATS2017. In the summer term 2017, children at the end of Key Stage 1 will sit SATs papers. SATs have been overhauled in both Key Stage 1 and Key Stage 2 to reflect the changes to the...
  • Medical Imaging  Simultaneous measurements on a spatial grid.

    Medical Imaging Simultaneous measurements on a spatial grid.

    Medical Imaging Simultaneous measurements on a spatial grid. Many modalities: mainly EM radiation and sound.
  • Unit 1: Biological Diversity - Sign In

    Unit 1: Biological Diversity - Sign In

    Unit 1: Biological Diversity. 2.0 As species reproduce, characteristics are passed from parents to offspring. 3.0 DNA is the inherited material responsible for variation. 1.0 Biological Diversity is reflected in the variety of life on Earth. 4.0 Human activity affects...
  • So What Can We Do? A Counter- Jihad

    So What Can We Do? A Counter- Jihad

    -Option 2- a trade-off of subjugation under despots for subjugation under Islamists. Islamists continue to use the concept of Abrogation, where Mohamed's more hostile/intolerant teachings in Medina cancel out the earlier more tolerant Mecca guidelines, to gain traction in radicalizing...
  • Digestive System Organs

    Digestive System Organs

    Lingual lipase. Salivary Glands. More . Secretions-Lysozyme- antibacterial. Lingual lipase- triglycerides in to fatty acids and monoglycerides (not activated until stomach is acidic) 2.Pharynx. Primary organ- passageway for food, liquid, and air.
  • ACO Lunchtime Information Session Spring 2013

    ACO Lunchtime Information Session Spring 2013

    ACO Lunchtime Information Session Spring 2013. Aug, 2013. 12 noon-1:00 pm. Lisa Tomalty. Julia Yaroshinsky. Agenda. Office 2013 (Julia) Intro and deployment information. New ACO site - on WCMS (Julia) Location - how to find things. Important pages.
  • Approach to Hematuria and Proteinuria in Children

    Approach to Hematuria and Proteinuria in Children

    Approach to Hematuria and Proteinuria in Children Adi Alherbish Objectives To be able to define and recognize hematuria and proteinuria To be able to generate a differential diagnosis of the commonest and most serious causes of hematuria and proteinuria To...