Greetings! This section of the course covers auditing Windows as a method of verifying that your computer systems remain secure. One of the key concepts that we have emphasized throughout this course is that in order to have a secure system you must know your system. If you do not understand what is running on your system, how will you be able to secure it? In this module, we give you the information and tools you need to “know thy systems” and therefore secure them.

2. Are Cheap Audit Tools a Good Thing?
• May be your only option if funds are limited
• Tools are cheaper but labor costs can be higher
• Can be an effective way to better understand your environment

Windows Auditing - SANS ©2001 2

So why have a class on using cheap/free tools to audit a Windows system when there are so many commercial products available? Not all of us work for organizations that can afford the expensive license fees that typically go along with commercial auditing products. While a $200-$1200 license fee may be feasible when you are talking about a few servers, what if you have hundreds of workstations you need to audit as well? The trade-off with using cheap tools is that you usually end up with a more labor-intensive auditing process. Instead of a single GUI that generates pretty management pie charts, you end up using multiple tools to collect raw data and then parsing it yourself. We’ll address this point at the end of the course when we talk about scripting and automating the audit process. There are some tricks you can use to save some time. Ultimately, however, you will end up having to manually review some portion of the audit data you have generated. This is not necessarily a bad thing. One of the problems with a commercial auditing tool is that it tends to hide exactly what is going on in the background. By performing a more hands-on audit you will ultimately gain a better understanding of how your systems operate.

4-2
3. What You Will Need
• Windows NT 4.0 or 2000
• Copy of the Windows Resource Kit
  – carried by most major book stores
  – subset of tools available for download
  – www.microsoft.com/windows/default.asp
• Set of free tools from NTObjectives (now Foundstone):
  – www.foundstone.com/rdlabs/tools.php

This slide shows where to retrieve all of the tools covered in this talk. I will also include tools which are part of a standard Windows install, but unfortunately, the stock tools are pretty weak. You need to go grab tools from the locations listed above in order to do any kind of serious auditing.
4. List of Resource Kit Tools
– dumpel.exe
– netsvc.exe
– adduser.exe
– sysdiff.exe
– regdmp.exe
– xcacls.exe
– perms.exe

Many of the tools covered in this class are part of the Windows Resource Kit. This slide shows a list of the files you will want to retrieve from the Resource Kit CD-ROM. In fact, many of them have been updated since the Resource Kit’s release, so it’s a good idea to check the Microsoft FTP site (ftp://ftp.microsoft.com/reskit/) to see if updates are available. When using these tools on your own system, you may wish to copy these files into a directory that is already in your path. Or, if you install the full Resource Kit, you may wish to include the install directory in your path statement. This way you do not have to go digging for the files later. However, be sure to set appropriate NTFS permissions on your Resource Kit files and directories so that only authorized users can access them. The Windows Resource Kit has also earned the nickname “Windows Root Kit” because some of these tools can also be useful to attackers.
5. List of Freeware Tools
• NT Objectives (now Foundstone):
  – NTLast
  – afind.exe (from Forensic Toolkit)
  – sfind.exe (from Forensic Toolkit)
  – hfind.exe (from Forensic Toolkit)
• Somarsoft:
  – DumpEvt

This is the list of freeware tools we will be working with. NT Objectives’ tools can be downloaded from Foundstone (www.foundstone.com). SomarSoft’s tools can be downloaded from www.somarsoft.com. Other third-party freeware and shareware tools exist, but for the purposes of this course, we will be using these tools as examples.
7. How Well Do You Know Your Own System?
• Open a command prompt
• Type: netstat -a | more
• Look for lines marked “listening”
• These are open service ports
• Can you identify them all?

In this exercise I want you to open a command prompt on the computer you are currently using. To open a command prompt, go to Start → Run and type cmd.exe. At the command prompt, type the command: netstat -a | more and then press the “Enter” key. Now, take a good look at the output being reported. This is the current connection table for your system. The local address column will show the communication port your system is using, while the foreign address column will identify the name of the remote system as well as the communication port that system is using. If you look at the state column, any connections listed as “established” are active connections. You may also see a few “time wait” or “syn sent” entries. The really interesting entries are the ones labeled “listening”. These are open service ports on your system which are waiting for a remote system to connect to your machine. In other words, there is some active process running on your system that is offering services to any system on the network that tickles this port. The $64,000 question is, “Can you identify each of the processes running on your machine that have opened each of the listed listening ports?”
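The slide leaves you to match listening ports to processes by hand, because netstat on NT 4.0/2000 does not report the owning process. As an added example that is not part of the course material, the PowerShell script below does that matching on a current Windows host (it assumes Windows 8/Server 2012 or later, where the NetTCPIP cmdlets exist) and keeps a CSV baseline so later audits only have to review the listeners that appeared or vanished.

```powershell
# Added example (not from the course): map every listening TCP port and bound UDP
# port to its owning process. Assumes Windows 8 / Server 2012 or later for the
# Get-Net* cmdlets. Run from an elevated prompt so service process paths are readable.

function Get-ListeningPortOwners {
    # Index running processes once so each PID lookup is a hash-table hit.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    @($tcp) + @($udp) | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [PSCustomObject]@{
            Proto     = $_.Proto
            LocalAddr = $_.LocalAddress
            Port      = [string]$_.LocalPort      # string so CSV round-trips compare cleanly
            PID       = $_.OwningProcess
            Process   = if ($p) { $p.ProcessName } else { '<unknown>' }
            # Path is $null when the caller lacks rights to the process (protected services).
            Path      = if ($p) { $p.Path } else { $null }
        }
    } | Sort-Object Proto, { [int]$_.Port } -Unique
}

# Baseline workflow: record the listeners once on a known-good system, then on each
# later audit report only what changed. '=>' rows are new listeners to identify;
# '<=' rows are services that have stopped listening since the baseline.
$baseline = "$env:USERPROFILE\ports-baseline.csv"   # path is an assumption; adjust to taste
$current  = Get-ListeningPortOwners
if (Test-Path $baseline) {
    $old = Import-Csv $baseline
    Compare-Object -ReferenceObject $old -DifferenceObject $current -Property Proto, Port, Process |
        Format-Table -AutoSize
} else {
    $current | Export-Csv -NoTypeInformation $baseline
    $current | Format-Table -AutoSize
}
```

A process name alone is weak evidence (anything can be named svchost.exe), so treat the Path column as the value to verify against your baseline and against the expected install location.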
9. Why Perform Audits?
• Identify when an intrusion occurs
• Identify extent of the compromise
• Useful when all other security measures fail
  – Damage control
  – Document for corrective action and/or legal action

So, why perform audits? We perform audits to identify when an intrusion occurs. If an intrusion is detected, our audit is then used to determine what portions of the system have been compromised. For example, did the attacker load up a back door which is now waiting for them to come back in? Did the attacker change or access critical system or data files? In short, our audit should tell us the amount of damage control we need to perform.