Windows Auditing

Shared by: Huy Hoang | Date: | File type: PDF | Pages: 62



1. Windows Auditing
Security Essentials
The SANS Institute
Windows Auditing - SANS ©2001 1

Greetings! This section of the course covers auditing Windows as a method of verifying that your computer systems remain secure. One of the key concepts that we have emphasized throughout this course is that in order to have a secure system you must know your system. If you do not understand what is running on your system, how will you be able to secure it? In this module, we give you the information and tools you need to “know thy systems” and therefore secure them.
4-1
2. Are Cheap Audit Tools a Good Thing?
• May be your only option if funds are limited
• Tools are cheaper but labor costs can be higher
• Can be an effective way to better understand your environment

So why have a class on using cheap/free tools to audit a Windows system when there are so many commercial products available? Not all of us work for organizations that can afford the expensive license fees that typically go along with commercial auditing products. While a $200-$1200 license fee may be feasible when you are talking about a few servers, what if you have hundreds of workstations you need to audit as well?

The trade-off with using cheap tools is that you usually end up with a more labor-intensive auditing process. Instead of a single GUI that generates pretty management pie charts, you end up using multiple tools to collect raw data and then parsing it yourself. We’ll address this point at the end of the course when we talk about scripting and automating the audit process. There are some tricks you can use to save some time. Ultimately, however, you will end up having to manually review some portion of the audit data you have generated.

This is not necessarily a bad thing. One of the problems with a commercial auditing tool is that it tends to hide exactly what is going on in the background. By performing a more hands-on audit you will ultimately gain a better understanding of how your systems operate.
3. What You Will Need
• Windows NT 4.0 or 2000
• Copy of the Windows Resource Kit
– carried by most major book stores
– subset of tools available for download –
• Set of free tools from NTObjectives (now Foundstone): –

This slide shows where to retrieve all of the tools covered in this talk. I will also include tools which are part of a standard Windows install, but unfortunately, the stock tools are pretty weak. You need to go grab tools from the locations listed above in order to do any kind of serious auditing.
4. List of Resource Kit Tools
– dumpel.exe
– netsvc.exe
– adduser.exe
– sysdiff.exe
– regdmp.exe
– xcacls.exe
– perms.exe

Many of the tools covered in this class are part of the Windows Resource Kit. This slide shows a list of the files you will want to retrieve from the Resource Kit CD-ROM. In fact, many of them have been updated since the Resource Kit’s release, so it’s a good idea to check the Microsoft FTP site ( to see if updates are available. When using these tools on your own system, you may wish to copy these files into a directory that is already in your path. Or, if you install the full Resource Kit, you may wish to include the install directory in your path statement. This way you do not have to go digging for the files later.

However, be sure to set appropriate NTFS permissions on your Resource Kit files and directories so that only authorized users can access them. The Windows Resource Kit has also earned the nickname “Windows Root Kit” because some of these tools can also be useful to attackers.
5. List of Freeware Tools
• NT Objectives (now Foundstone):
– NTLast
– afind.exe (from Forensic Toolkit)
– sfind.exe (from Forensic Toolkit)
– hfind.exe (from Forensic Toolkit)
• Somarsoft:
– DumpEvt

This is the list of freeware tools we will be working with. NT Objectives’ tools can be downloaded from Foundstone ( SomarSoft’s tools can be downloaded from Other third-party freeware and shareware tools exist, but for the purposes of this course, we will be using these tools as examples.
6. What is an Audit?
• Verification of system integrity
• Augment other security precautions
– Security is not one stop shopping!
• Does not prevent intrusions!
– Provide clues when it occurs
– Help raise security awareness
• Last line of defense

An audit, simply put, is the verification of the integrity of a system. When you perform an audit, you are ensuring that only authorized access has taken place and that all changes made to the system are in accordance with your security policy. Auditing should not be considered a replacement for the other security precautions you currently enforce on your network. For example, don’t throw away your password policy just because you are performing regular audits. The old analogy is that security should be like an onion with your data tucked safely away at the center. Think of your security measures as being the different layers of the onion. The more layers you have in place, the safer your data will be. Auditing is simply one of these layers.

It’s important to keep in mind that auditing does not directly prevent people from attacking your system. It is more of a last line of defense when all other security precautions fail. What this means is that auditing itself will not keep an attacker from entering your system, but it will surely help you find clues to help discover when, how, where, and perhaps who has penetrated your defenses and gained unauthorized access. For example, a strong password policy may help keep an intruder out. But if an intruder is able to get into your system despite your strong password policy, auditing will help you to detect that fact.

Auditing is also a very good way of becoming aware of what is “normal” activity for your systems. For example, try the exercise shown in the next slide.
7. How Well do you Know your own System?
• Open a command prompt
• Type: netstat -a | more
• Look for lines marked “listening”
• These are open service ports
• Can you identify them all?

In this exercise I want you to open a command prompt on the computer you are currently using. To open a command prompt, go to Start → Run and type cmd.exe. At the command prompt, type the command: netstat -a | more and then press the “Enter” key. Now, take a good look at the output being reported. This is the current connection table for your system. The local address column will show the communication port your system is using, while the foreign address column will identify the name of the remote system as well as the communication port that system is using. If you look at the state column, any connections listed as “established” are active connections. You may also see a few “time wait” or “syn sent” entries.

The really interesting entries are the ones labeled “listening”. These are open service ports on your system which are waiting for a remote system to connect to your machine. In other words, there is some active process running on your system that is offering services to any system on the network that tickles this port. The $64,000 question is, “Can you identify each of the processes running on your machine that have opened each of the listed listening ports?”
8. Why is TCP/2251 Open?
Auditing forces you to figure out what’s going on

If you take a look at the slide, you’ll see a screen capture from one of my systems. This computer has four ports listed as “listening”. The last three are used by Windows for file and print sharing but the first entry is an odd ball. I am unaware of any process running on this system that should be listening on TCP port 2251. So why is this port open? Obviously I need to do some investigative work to find out exactly what is running on this machine. A great way to investigate is to go to the IANA port assignments page and look up the ports you are unfamiliar with: This link will point you in the right direction as to which ports are associated with which application, to make your auditing easier.

This is one of the cool things about auditing: it forces you to look at the system in great detail and come up with a logical explanation for everything you see. An example of this could be if you had Windows file and print sharing enabled on your PC. You would find that NetBIOS would be listening on a few ports like 137, 138, and 139. This is how an attacker could find out that you had file sharing enabled on your PC or worse, your network server on a DMZ. What better way to figure out all of the nuances of how your system functions and learn how to protect it better?
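The exercise in slides 7 and 8 (read the “listening” lines of netstat -a, then explain every one of them) is easy to turn into a repeatable check: record the ports a machine is supposed to service as a baseline, and have a script report anything else. The following Python is an added example and not part of the SANS material; the netstat output it parses is a constructed sample modelled on the Windows layout (Proto, Local Address, Foreign Address, State), and the baseline set and service-name table are assumptions for the constructed host.

```python
"""Audit the listening ports reported by "netstat -a" against a documented baseline."""

# Constructed sample of "netstat -a" output from a Windows 2000 host (not a real
# capture). netstat -a substitutes service names for well-known ports.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    host:2251              host:0                 LISTENING
  TCP    host:epmap             host:0                 LISTENING
  TCP    host:netbios-ssn       host:0                 LISTENING
  TCP    host:microsoft-ds      host:0                 LISTENING
  TCP    host:1044              www.example.com:http   ESTABLISHED
  TCP    host:1045              www.example.com:http   TIME_WAIT
  UDP    host:netbios-ns        *:*
  UDP    host:netbios-dgm       *:*
"""

# Names netstat prints for well-known ports (subset of the standard services
# file). Run "netstat -an" instead to get numeric ports directly.
SERVICE_PORTS = {
    "epmap": 135,          # RPC endpoint mapper
    "netbios-ns": 137,     # NetBIOS name service
    "netbios-dgm": 138,    # NetBIOS datagram service
    "netbios-ssn": 139,    # NetBIOS session service (file and print sharing)
    "microsoft-ds": 445,   # SMB directly over TCP (Windows 2000 and later)
}


def port_of(endpoint):
    """Return the port of a 'host:port' endpoint as an int, resolving service
    names netstat substituted; unknown names are returned unchanged."""
    name = endpoint.rsplit(":", 1)[1]
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS.get(name, name)


def listening_ports(netstat_text):
    """Return the sorted (proto, port) pairs the host is servicing.
    TCP sockets count only in the LISTENING state; UDP is connectionless, so
    every bound UDP socket is an open service port."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, port_of(local)))
    return sorted(found, key=lambda p: (p[0], str(p[1])))


def unexplained_ports(netstat_text, baseline):
    """Open ports that are not in the baseline. Each one needs a logical
    explanation (which process, and why) before the audit is finished."""
    return [p for p in listening_ports(netstat_text) if p not in baseline]


# Baseline for this constructed host: the RPC endpoint mapper plus the
# NetBIOS/SMB ports that Windows file and print sharing opens.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}

if __name__ == "__main__":
    for proto, port in unexplained_ports(SAMPLE_NETSTAT, BASELINE):
        print(f"unexplained listener: {proto}/{port}")
```

Run against the sample, the only unexplained entry is TCP/2251, the same odd ball the slide asks about; the established and time-wait connections are ignored because they are not service ports. Keep the baseline with the rest of your audit data rather than on the audited machine, for the reasons slide 15 gives.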
9. Why Perform Audits?
• Identify when an intrusion occurs
• Identify extent of the compromise
• Useful when all other security measures fail
– Damage control
– Document for corrective action and/or legal action

So, why perform audits? We perform audits to identify when an intrusion occurs. If an intrusion is detected, our audit is used to then determine what portions of the system have been compromised. For example, did the attacker load up a back door which is now waiting for them to come back in? Did the attacker change or access critical system or data files? In short, our audit should tell us the amount of damage control we need to perform.
10. But I Have a Firewall!!!
• Most intrusions occur from within
• A strong security posture is layered
– Single point of failure is “a bad thing”
– Backup tapes are a form of layering
• FW-1 DNS hole –
– What about other products?

A common query that I hear is, “But I have a firewall. Why do I need to perform audits?” To start, there have been quite a few studies that have looked at where attacks originate from: within the compromised network itself or from an outside location such as the Internet. While the statistics vary from study to study, one common thread is that many attacks originate from inside the network perimeter. From a statistical point of view, this means that your firewall has less than a 50% chance of protecting you from possible attack. Further, insider attacks have a higher rate of success because they are carried out by people with inside knowledge about (and often some level of existing access to) your systems, networks, and data.

A good security posture is layered; this is also called “defense in depth”, which is learned early on in the security process. This is why we have a firewall, perform auditing, and perform, maintain, and test backups. Firewalls are our first line of defense, auditing could be our next line of defense, and if damage is done and it cannot be fixed, then we can use our backups to restore the system to its original state. We can also use backups to preserve the data for the incident handling team. With backups, it’s not that we need to keep track of yet another copy of our data. Instead we are hedging our bets against hard disk failure, end user mistakes or carelessness, as well as a host of other potentially lethal situations. So, by auditing and performing backups, we are “backing up” the other security measures we have put into place, including the firewall. Again, remember this as being a “defense in depth” situation.

One last point on why layered security is important before we move on. Go to the URL indicated in the slide that discusses the Checkpoint Firewall-1 “Invisible Traffic Due to Default Properties Setting” vulnerability. This page documents a security hole with Firewall-1 which showed up in version two and still exists in version four. In short, the default settings of the firewall allow an attacker to pass traffic to internal systems and not have any of the traffic show up in the logs.
11. Hits Behind the Firewall
The Security Logging tab of Windows XP’s firewall allows you to log hits. What does it mean if your system gets hit behind your firewall?

Though personal firewalls have been covered in another section of Security Essentials, it wouldn’t hurt to consider what it means from an audit perspective if you find that a system behind the firewall is showing signs of attack. In this case, we see the default screen for the Windows XP personal firewall. Note that the default behavior of the firewall is to deny, and that you choose which access to allow. On the next slide, titled Audit XP Firewall Logs, we will see the log format of this firewall.
12. Audit XP Firewall Logs

These are pretty standard fields for firewall logs. The first two packets are ICMP type 8, code 0; this is known as an echo request or, more commonly, a ping packet. Then we see TCP packets for port 445. This is standard Windows 2000/Windows XP behavior (port 445 TCP and UDP, in addition to the standard ports 137-139, are used as part of NetBIOS in Win2K and WinXP). With these operating systems, Server Message Block (SMB) runs directly over TCP. From an auditing perspective, then, this firewall gives us a lot of information about the packets that are hitting this computer’s network interface.
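The screen capture for this slide is not in the text, so here is an added example (not part of the course material) of reading a personal-firewall log of the kind described: the log excerpt is constructed, and its header layout is my assumption of the Windows XP Internet Connection Firewall format (a “#Fields:” line naming the columns, then one space-separated record per packet). Because the parser takes the column names from the header, a different layout works too as long as the header names the columns. The packet descriptions follow the notes above: ICMP type 8 code 0 is an echo request, TCP/445 is SMB running directly over TCP, and 137-139 are the NetBIOS ports.

```python
"""Summarize dropped packets in a pfirewall.log-style personal firewall log."""
from collections import Counter

# Constructed log excerpt (not a real capture). The #Fields header layout is an
# assumption about the XP Internet Connection Firewall format.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2001-10-02 09:15:01 DROP ICMP 192.168.1.20 192.168.1.10 - - 60 - - - - 8 0 -
2001-10-02 09:15:02 DROP ICMP 192.168.1.20 192.168.1.10 - - 60 - - - - 8 0 -
2001-10-02 09:15:04 DROP TCP 192.168.1.20 192.168.1.10 1055 445 48 S 1201340 0 16384 - - -
2001-10-02 09:15:07 DROP TCP 192.168.1.20 192.168.1.10 1056 445 48 S 1201341 0 16384 - - -
2001-10-02 09:15:09 DROP TCP 192.168.1.20 192.168.1.10 1057 139 48 S 1201342 0 16384 - - -
"""


def parse_firewall_log(text):
    """Yield one dict per logged packet, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log data appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # damaged line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def describe(packet):
    """Label what a packet is, using the protocol notes from the slide."""
    if packet["protocol"] == "ICMP":
        if packet["icmptype"] == "8" and packet["icmpcode"] == "0":
            return "ICMP echo request (ping)"
        return f"ICMP type {packet['icmptype']} code {packet['icmpcode']}"
    port = packet["dst-port"]
    if port == "445":
        return f"{packet['protocol']}/445 (SMB direct over TCP, Win2K/XP)"
    if port in ("137", "138", "139"):
        return f"{packet['protocol']}/{port} (NetBIOS)"
    return f"{packet['protocol']}/{port}"


def summarize_hits(text):
    """Count DROP records by (source address, what the packet was after)."""
    counts = Counter()
    for packet in parse_firewall_log(text):
        if packet["action"] == "DROP":
            counts[(packet["src-ip"], describe(packet))] += 1
    return counts


if __name__ == "__main__":
    for (src, what), n in sorted(summarize_hits(SAMPLE_LOG).items()):
        print(f"{src:15} {n:4}  {what}")
```

On the sample the summary shows one source pinging the host and then knocking on the file-sharing ports, which is the pattern (host discovery, then SMB) an auditor would want to see grouped rather than buried in raw lines. A system behind the perimeter firewall that logs this from an internal address is exactly the “hit behind the firewall” the previous slide asks you to think about.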
13. What Makes a Good Audit?
• Detailed baseline
– Just like a “before” and “after” cartoon
– Too much info is just enough
– Who cares about successful logons?
• Strong verification
– Similar to system authentication
– File dates and sizes can be altered

Let’s take a look at what goes into developing a proper audit. A good audit starts with a detailed baseline. Think of the “before” and “after” cartoons you see in the Sunday comics and you’ll get the idea. Your baseline is similar to the “before” picture and will be used as a reference to tell you if anything about your system has changed. You want to collect as much data as possible.

As an example, think about successful logons. Logic tells us that if a potential intruder starts whacking away at the system with a dictionary attack, they are going to generate failed logon attempts. So why not simply log failed logons instead of having to sort through all of the successful logons as well? Let’s say you look at your log and see that someone has been beating up on Bob’s logon account. There are quite a few failed logons that show up in the logs but these eventually stop. If you are not tracking successful logon attempts as well, you have no way of knowing if the attacker actually got in or decided to go play elsewhere. In other words, you know you’ve been attacked but you can’t say for sure whether the attacker actually got in.

One thing to keep in mind when determining what information should be included in your baseline is how accurately you can verify the data. For example, file date and time stamps can easily be changed. Log entries which are stored on a compromised system can also be changed. This means that any information you derive from these sources should be considered questionable and verified through some other means.
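The “strong verification” point above is easiest to see with a baseline that records a content hash alongside the weak attributes. The Python below is an added example, not part of the course material: it snapshots a directory (size, modification time and SHA-256 per file), compares two snapshots, and singles out files whose content changed while size and timestamp stayed identical. The demo scenario is constructed in a temporary directory; the file names in it are made up.

```python
"""Baseline-and-compare for files, trusting a SHA-256 digest rather than size or mtime."""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Record size, mtime and SHA-256 for every file under root, keyed by
    relative path (forward slashes, so baselines compare across hosts)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                             "sha256": sha256_of(path)}
    return baseline


def compare(before, after):
    """Classify differences between two snapshots. 'hidden_change' means the
    digest differs while size and mtime still match, which is exactly the
    change a date-and-size-only baseline would miss."""
    report = {"added": [], "removed": [], "changed": [], "hidden_change": []}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["added"].append(path)
        elif path not in after:
            report["removed"].append(path)
        elif before[path]["sha256"] != after[path]["sha256"]:
            weak_fields_match = (before[path]["size"] == after[path]["size"]
                                 and before[path]["mtime"] == after[path]["mtime"])
            report["hidden_change" if weak_fields_match else "changed"].append(path)
    return report


def demo():
    """Constructed scenario: one file's content is swapped for bytes of the same
    length and its timestamp is put back; a second file is added."""
    with tempfile.TemporaryDirectory() as root:
        tool = os.path.join(root, "bin", "tool.exe")
        os.makedirs(os.path.dirname(tool))
        with open(tool, "wb") as f:
            f.write(b"ORIGINAL")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"hello")
        before = snapshot(root)

        st = os.stat(tool)
        with open(tool, "wb") as f:
            f.write(b"REPLACED")                       # same 8-byte length
        os.utime(tool, (st.st_atime, st.st_mtime))    # restore the old timestamp
        with open(os.path.join(root, "extra.dll"), "wb") as f:
            f.write(b"x")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In the demo, bin/tool.exe lands in hidden_change: its size and date look untouched, and only the digest gives it away. The baseline itself has to be protected the same way the text says to protect your tools (slide 15), since a baseline an intruder can rewrite verifies nothing.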
14. What Makes a Good Audit? (2)
• A written procedure
– scope, frequency, responsibility
– What is considered “normal” data
– What to do when intrusions are found
– Detailed disaster recovery plan
– Could your boss follow the procedure and perform a good audit?

One component of a good audit is a well-documented procedure. A procedure ensures that audits are performed in a consistent manner. For example, you don’t want to find out later that Admin Mary takes the time to look at open/listening ports while Admin Bob does not bother. Your procedure should clearly indicate what should be checked, how it should be checked, and how often. Your written procedure should cover the following topics and ask the following questions:

Scope, Frequency, Responsibility: What is the scope of the auditing procedure? What should be audited and when? Who has ultimate responsibility for the audit? Do you have a backup person who can perform the same audit?

What is Considered “Normal” Data: In order to know whether anything on your system has changed, you need to know what the existing or “normal” state of your system is. This may involve creating snapshots or baselines of different information about your system, and then re-baselining your system over time to see what may have changed.

What to do When Intrusions are Found: The point in time when you find a problem is not the time to decide what to do about it. Make sure your policy states clearly what actions need to take place, and in what order, including who to call, what to do, and what not to do.

Detailed Disaster Recovery Plan: If the worst happens and you have to rebuild from scratch, you need to know how to do it. This part of your document should contain detailed system configuration information, a list of installed software, and any special instructions regarding configuration, load order, or special procedures to restore from backup. The specifics will vary based on your policies, the role of the server, etc., but the more detail the better. The time when you’re really depending on your recovery process is not the time to find out you don’t know how to do it, or that it doesn’t work.

Could Your Boss Follow the Procedure and Perform a Good Audit? The mark of any good written procedure is that it is easy to follow. If you can hand your audit procedure over to your boss and they can perform a successful audit, you know you are on the right track. Armed with this plan, you are well on your way to performing great auditing.
15. What’s Included in a Good Audit?
• As few clues as possible that regular audits are performed
– Don’t leave tools on the system!
• Burn your tools to a CD
– Use a secured system for data review
– Vary the times an audit is performed
– Let your foe underestimate you

A good audit should leave as few clues as possible that a regular audit is being performed. Armed with the knowledge of what you audit and how, a potential attacker will take steps to try to cover their tracks. Obviously this is a bit of “security through obscurity” but the less information your attacker has, the more likely they will trip up and you will catch them. Also, make sure you secure the tools you use when performing your audits. I personally like to burn a CD-ROM which includes a copy of all my tools as well as the baseline for each of my machines. This ensures that I do not have to worry about an attacker replacing them with tools or data that will help to cover their tracks.
16. What’s Included in a Good Audit? (2)
• Who has accessed the system?
– Share access, Web, FTP, DNS, etc.
• What ports are being serviced?
• Additional services, drivers, or tasks running on the machine?
• User/group or permission changes?
• Unexpected files/registry changes?

These are some of the types of information you may wish to include in your audit. Obviously one of the first things you want to check is your access logs. Don’t limit the scope to just your Windows Event Viewer logs. Make sure you include the logs for any active service or application running on the machine; some of these will generate their own logs outside of Event Viewer (Internet Information Server is a notable example). Remember that network services leave listening ports open, so any of these could be a potential portal into your machine.
17. Working With Event Viewer
• Part of Administrative Tools group
• Central logging utility for Windows
– Not all applications use Event Viewer
• IIS logs to WINNT\system32\LogFiles
• Proxy logs to WINNT\system32\msplogs
• Windows does minimal logging by default and saves minimal data

It is now time to get into the nitty-gritty of performing our audit by looking at the Windows Event Viewer utility. Event Viewer can be found in the Administrative Tools group of your Windows system (Start → Programs → Administrative Tools → Event Viewer). It is an MMC snap-in under Windows 2000, and a stand-alone utility in Windows NT. Event Viewer is the central logging utility of any Windows system. Most applications, including the operating system itself, log events to one of Event Viewer’s three default logs. These logs are System, Security, and Application. Obviously most of the information we will be working with shows up in the Security log. Windows 2000 Server systems add specific logs for DNS (if installed) and Directory Services (if installed), but for our purposes we’ll focus on the first three.

One of the problems with Windows is that the default log settings are pretty poor. The Security log is not even enabled by default. In addition, the default log size and log behavior are set to record only a minimal amount of data. The default log size is only 512KB, and the default behavior is for Windows to overwrite log data that is more than seven days old if the logs are not cleared. You will want to adjust these settings based on the amount of data you log on a regular basis (log size) and how frequently you archive the log files (overwrite behavior). If you find the default settings are inappropriate for your environment, then from the Event Viewer select the log you want to modify, and select Action, Properties from the menu (File, Properties in Windows NT). This will produce a dialog box similar to the one shown in the next slide.
18. Windows 2000 Log Properties

One of the first things I like to do is bump up the maximum size of each of the logs to 8 MB. Disk space is cheap. What better way to use it than to keep track of your system’s health? Note that when you change the log size it only affects a single log. With NT this will be whichever log is shown in the “Change settings for” display. With Windows 2000, it will be whichever log you had highlighted prior to selecting Properties.

Now take a look at event log wrapping. By default, Windows will overwrite events older than seven days if the maximum log size is reached. The “as needed” option will let Windows overwrite entries as needed, regardless of how recent the log data is. The last setting never overwrites entries and requires you to clear the log manually. Which setting to use is a judgment call on your part. Obviously from a security perspective the “do not overwrite” setting is best. In Windows 2000, you can also set these parameters through the Domain Security Policy Group Policy Object.
19. Windows NT Log Properties

The Windows NT log file settings dialog box has the same options as Windows 2000, though presented in a different format.
20. How do you Enable Auditing?

Once you have your log settings tweaked, you will want to enable auditing. Before you implement auditing, you should decide on an auditing policy that specifies the categories of security-related events that you wish to audit. When Windows is first installed, all auditing categories are turned off. By turning on various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. With Windows 2000, you can also use the built-in security templates that are included as part of the Security Configuration and Analysis snap-in to the MMC. Some of these templates include pre-configured audit settings.

In Windows 2000, you configure auditing through the Local Security Policy (on a single system) or Group Policy (for multiple systems). (On Windows NT, go to User Manager and select Policies → Audit.) Once you are there, select the category of events that you would like to audit, and right click it. Select Security and a new dialog box will open with options to audit “success” and “failure” attempts on whatever you selected. This is very similar to the NT version but again, it is located within the MMC and is much easier to manage. At a minimum, you will probably want to track logons and policy changes for both success and failure events.

If you choose to audit object access as part of your audit policy, you must turn on either the “Audit directory service access” category (for auditing objects in Active Directory), or the “Audit object access” category (for auditing files, printers, registry keys). Once you have enabled the correct category, you must use each individual object's Properties to specify what type of access should be audited (read, write, delete, change permissions…), which users and groups should be audited, and whether to audit success or failure events, or both.
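Once logon auditing is on for both success and failure, the question from slide 13 (did the attacker beating on Bob’s account actually get in?) becomes answerable from the log. The Python below is an added example and not part of the course material: it reads a constructed, tab-separated export of Security-log logon events (the column layout date, time, event ID, account, workstation is an assumption modelled loosely on dumpel output, and the account names are made up) and, per account, reports a run of failures that is followed within a short window by a success. On Windows NT 4.0 and Windows 2000 event 529 is a failed logon (unknown user name or bad password) and 528 a successful logon; 538 is a logoff and is ignored.

```python
"""Detect failed-logon runs that end in a success, using Security-log events 528/529."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export (not a real log). Columns: date, time, event id, account,
# workstation. The layout is an assumption, chosen to resemble a dumpel export.
SAMPLE_EVENTS = """\
2001-10-02\t22:10:01\t529\tbob\tWS17
2001-10-02\t22:10:09\t529\tbob\tWS17
2001-10-02\t22:10:15\t529\tbob\tWS17
2001-10-02\t22:10:22\t529\tbob\tWS17
2001-10-02\t22:10:30\t529\tbob\tWS17
2001-10-02\t22:10:41\t529\tbob\tWS17
2001-10-02\t22:12:03\t528\tbob\tWS17
2001-10-02\t22:40:00\t538\tbob\tWS17
2001-10-03\t08:01:10\t529\talice\tWS04
2001-10-03\t08:01:25\t528\talice\tWS04
2001-10-03\t02:15:00\t529\tmary\tWS17
2001-10-03\t02:15:06\t529\tmary\tWS17
2001-10-03\t02:15:13\t529\tmary\tWS17
2001-10-03\t02:15:20\t529\tmary\tWS17
2001-10-03\t02:15:27\t529\tmary\tWS17
2001-10-03\t02:15:35\t529\tmary\tWS17
"""

LOGON_SUCCESS = 528
LOGON_FAILURE = 529


def parse_events(text):
    """Parse the export into dicts and sort them chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, account, workstation = line.split("\t")
        events.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id),
            "account": account.lower(),
            "workstation": workstation,
        })
    return sorted(events, key=lambda e: e["when"])


def logon_report(events, threshold=5, window=timedelta(minutes=30)):
    """Per account: the failure count and a verdict. A success arriving within
    `window` of a run of at least `threshold` failures is the case that a
    failure-only log cannot tell apart from the attacker simply giving up."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] in (LOGON_SUCCESS, LOGON_FAILURE):
            by_account[e["account"]].append(e)

    report = {}
    for account, evs in by_account.items():
        failures = run = 0          # total failures, and the current unbroken run
        last_failure = None
        verdict = "normal"
        for e in evs:
            if e["id"] == LOGON_FAILURE:
                failures += 1
                run += 1
                last_failure = e["when"]
            else:
                if run >= threshold and e["when"] - last_failure <= window:
                    verdict = "failures followed by success: possible compromise"
                run = 0
        if verdict == "normal" and failures >= threshold:
            verdict = "repeated failures, no success seen"
        report[account] = {"failures": failures, "verdict": verdict}
    return report


if __name__ == "__main__":
    for account, info in sorted(logon_report(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{account:8} failures={info['failures']:3}  {info['verdict']}")
```

On the sample, bob’s run of six failures ends in a success a minute later and is flagged for investigation, mary’s run never succeeds, and alice’s single typo before a good logon is left alone. Tune threshold and window to what is “normal” for your users (slide 14); the point is that without the 528 events the bob and mary cases would look identical.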