4 - 1 Windows Auditing - SANS ©2001
Windows Auditing
Security Essentials
The SANS Institute

Greetings! This section of the course covers auditing Windows as a method of verifying that your computer systems remain secure. One of the key concepts that we have emphasized throughout this course is that in order to have a secure system you must know your system. If you do not understand what is running on your system, how will you be able to secure it? In this module, we give you the information and tools you need to “know thy systems” and therefore secure them.

4 - 2 Are Cheap Audit Tools a Good Thing?
• May be your only option if funds are limited
• Tools are cheaper but labor costs can be higher
• Can be an effective way to better understand your environment

So why have a class on using cheap/free tools to audit a Windows system when there are so many commercial products available? Not all of us work for organizations that can afford the expensive license fees that typically go along with commercial auditing products. While a $200-$1200 license fee may be feasible when you are talking about a few servers, what if you have hundreds of workstations you need to audit as well?

The trade-off with using cheap tools is that you usually end up with a more labor-intensive auditing process. Instead of a single GUI interface that generates pretty management pie charts, you end up using multiple tools to collect raw data and then parsing it yourself. We’ll address this point at the end of the course when we talk about scripting and automating the audit process. There are some tricks you can use to save some time. Ultimately, however, you will end up having to manually review some portion of the audit data you have generated. This is not necessarily a bad thing. One of the problems with a commercial auditing tool is that it tends to hide exactly what is going on in the background. By performing a more hands-on audit you will ultimately gain a better understanding of how your systems operate.

4 - 3 What You Will Need
• Windows NT 4.0 or 2000
• Copy of the Windows Resource Kit
  – carried by most major book stores
  – subset of tools available for download
  – www.microsoft.com/windows/default.asp
• Set of free tools from NTObjectives (now Foundstone):
  – www.foundstone.com/rdlabs/tools.php

This slide shows where to retrieve all of the tools covered in this talk. I will also cover tools that are part of a standard Windows install, but unfortunately the stock tools are pretty weak. You need to grab the tools from the locations listed above in order to do any kind of serious auditing.

4 - 4 List of Resource Kit Tools
– dumpel.exe
– netsvc.exe
– adduser.exe
– sysdiff.exe
– regdmp.exe
– xcacls.exe
– perms.exe

Many of the tools covered in this class are part of the Windows Resource Kit. This slide shows a list of the files you will want to retrieve from the Resource Kit CD-ROM. In fact, many of them have been updated since the Resource Kit’s release, so it’s a good idea to check the Microsoft FTP site (ftp://ftp.microsoft.com/reskit/) to see if updates are available.

When using these tools on your own system, you may wish to copy these files into a directory that is already in your path. Or, if you install the full Resource Kit, you may wish to include the install directory in your path statement. This way you do not have to go digging for the files later. However, be sure to set appropriate NTFS permissions on your Resource Kit files and directories so that only authorized users can access them. The Windows Resource Kit has also earned the nickname “Windows Root Kit” because some of these tools can also be useful to attackers.
4 - 5 List of Freeware Tools
• NT Objectives (now Foundstone):
  – NTLast
  – afind.exe (from Forensic Toolkit)
  – sfind.exe (from Forensic Toolkit)
  – hfind.exe (from Forensic Toolkit)
• Somarsoft:
  – DumpEvt

This is the list of freeware tools we will be working with. NT Objectives’ tools can be downloaded from Foundstone (www.foundstone.com). SomarSoft’s tools can be downloaded from www.somarsoft.com. Other third-party freeware and shareware tools exist, but for the purposes of this course, we will be using these tools as examples.

4 - 6 What is an Audit?
• Verification of system integrity
• Augment other security precautions
  – Security is not one stop shopping!
• Does not prevent intrusions!
  – Provide clues when it occurs
  – Help raise security awareness
• Last line of defense

An audit, simply put, is the verification of the integrity of a system. When you perform an audit, you are ensuring that only authorized access has taken place and that all changes made to the system are in accordance with your security policy.

Auditing should not be considered a replacement for the other security precautions you currently enforce on your network. For example, don’t throw away your password policy just because you are performing regular audits. The old analogy is that security should be like an onion with your data tucked safely away at the center. Think of your security measures as being the different layers of the onion. The more layers you have in place, the safer your data will be. Auditing is simply one of these layers.

It’s important to keep in mind that auditing does not directly prevent people from attacking your system. It is more of a last line of defense when all other security precautions fail.
What this means is that auditing itself will not keep an attacker from entering your system, but it will surely help you find clues to help discover when, how, where, and perhaps who has penetrated your defenses and gained unauthorized access. For example, a strong password policy may help keep an intruder out. But if an intruder is able to get into your system despite your strong password policy, auditing will help you to detect that fact. Auditing is also a very good way of becoming aware of what is “normal” activity for your systems. For example, try the exercise shown in the next slide.

4 - 7 How Well do you Know your own System?
• Open a command prompt
• Type: netstat -a | more
• Look for lines marked “listening”
• These are open service ports
• Can you identify them all?

In this exercise I want you to open a command prompt on the computer you are currently using. To open a command prompt, go to Start → Run and type cmd.exe. At the command prompt, type the command netstat -a | more and then press the “Enter” key.

Now, take a good look at the output being reported. This is the current connection table for your system. The local address column will show the communication port your system is using, while the foreign address column will identify the name of the remote system as well as the communication port that system is using. If you look at the state column, any connections listed as “established” are active connections. You may also see a few “time wait” or “syn sent” entries. The really interesting entries are the ones labeled “listening”. These are open service ports on your system which are waiting for a remote system to connect to your machine. In other words, there is some active process running on your system that is offering services to any system on the network that tickles this port.
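As an added example that is not part of the course material, the following Python script does this exercise from a saved copy of the netstat -a output: it parses the connection table, keeps only the open service ports, and reports any port that is not yet on the auditor's list of explained ports. The sample output, the hostname audit-ws and the KNOWN_PORTS table are constructed; the script also counts bound UDP sockets as listeners, which goes slightly beyond the slide.

```python
import re

# Constructed sample of `netstat -a` output from a Windows NT/2000 host
# (hypothetical hostname "audit-ws"); not captured from the course's machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    audit-ws:2251          0.0.0.0:0              LISTENING
  TCP    audit-ws:139           0.0.0.0:0              LISTENING
  TCP    audit-ws:445           0.0.0.0:0              LISTENING
  TCP    audit-ws:1042          www.example.com:80     ESTABLISHED
  UDP    audit-ws:137           *:*
  UDP    audit-ws:138           *:*
"""

# Listening ports the auditor has already accounted for on this host.
# Anything else that is listening is an open question to investigate.
KNOWN_PORTS = {
    ("TCP", 139): "NetBIOS session service (file and print sharing)",
    ("TCP", 445): "SMB over TCP (Windows 2000 file sharing)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
}

# Columns: protocol, local host:port, foreign address, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_ports(netstat_output):
    """Return (proto, port) for every open service port in netstat -a output.
    TCP counts only in state LISTENING; UDP is connectionless, so netstat
    prints no state and every bound UDP socket is treated as a listener."""
    ports = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, _host, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT, SYN_SENT are not service ports
        ports.append((proto, int(port)))
    return ports

def unexplained_ports(netstat_output):
    """Listening ports with no entry in KNOWN_PORTS: the ones to chase down."""
    return [p for p in listening_ports(netstat_output) if p not in KNOWN_PORTS]

if __name__ == "__main__":
    for proto, port in listening_ports(SAMPLE_NETSTAT):
        print(f"{proto}/{port:<5} {KNOWN_PORTS.get((proto, port), 'UNEXPLAINED')}")
```

On the audited machine, redirect the real table with netstat -a > netstat.txt and pass the file's contents to listening_ports() instead of the constructed sample.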
The $64,000 question is, “Can you identify each of the processes running on your machine that has opened each of the listed listening ports?”

4 - 8 Why is TCP/2251 Open?
Auditing forces you to figure out what’s going on

If you take a look at the slide, you’ll see a screen capture from one of my systems. This computer has four ports listed as “listening”. The last three are used by Windows for file and print sharing, but the first entry is an oddball. I am unaware of any process running on this system that should be listening on TCP port 2251. So why is this port open? Obviously I need to do some investigative work to find out exactly what is running on this machine.

A great way to investigate is to go to the IANA port assignments list and look up the ports you are unfamiliar with: http://www.isi.edu/in-notes/iana/assignments/port-numbers. This link will point you in the right direction as to which ports are associated with which application, making your auditing easier.

This is one of the cool things about auditing: it forces you to look at the system in great detail and come up with a logical explanation for everything you see. An example of this could be if you had Windows file and print sharing enabled on your PC. You would find that NetBIOS would be listening on a few ports like 137, 138, and 139. This is how an attacker could find out that you had file sharing enabled on your PC or, worse, on your network server on a DMZ. What better way to figure out all of the nuances of how your system functions and learn how to protect it better?

4 - 9 Why Perform Audits?
• Identify when an intrusion occurs
• Identify extent of the compromise
• Useful when all other security measures fail
  – Damage control
  – Document for corrective action and/or legal action

So, why perform audits? We perform audits to identify when an intrusion occurs.
If an intrusion is detected, our audit is then used to determine what portions of the system have been compromised. For example, did the attacker load a back door which is now waiting for them to come back in? Did the attacker change or access critical system or data files? In short, our audit should tell us the amount of damage control we need to perform.

4 - 10 But I Have a Firewall!!!
• Most intrusions occur from within
• A strong security posture is layered
  – Single point of failure is “a bad thing”
  – Backup tapes are a form of layering
• FW-1 DNS hole
  – www.securityfocus.com/archive/1/10972
  – What about other products?

A common query that I hear is, “But I have a firewall. Why do I need to perform audits?” To start, there have been quite a few studies that have looked at where attacks originate from: within the compromised network itself, or from an outside location such as the Internet. While the statistics vary from study to study, one common thread is that many attacks originate from inside the network perimeter. From a statistical point of view, this means that your firewall has less than a 50% chance of protecting you from possible attack. Further, insider attacks have a higher rate of success because they are carried out by people with inside knowledge about (and often some level of existing access to) your systems, networks, and data.

A good security posture is layered; this is also called “defense in depth”, which is learned early on in the security process. This is why we have a firewall, perform auditing, and perform, maintain, and test backups. Firewalls are our first line of defense, auditing could be our next line of defense, and if damage is done and it cannot be fixed, then we can use our backups to restore the system to its original state. We can also use backups to preserve the data for the incident handling team. With backups, it’s not that we need to keep track of yet another copy of our data. Instead we are hedging our bets against hard disk failure, end user mistakes or carelessness, as well as a host of other potentially lethal situations. So, by auditing and performing backups, we are “backing up” the other security measures we have put into place, including the firewall. Again, remember this as being a “defense in depth” situation.

One last point on why layered security is important before we move on. Go to the URL indicated in the slide that discusses the Checkpoint Firewall-1 “Invisible Traffic Due to Default Properties Setting” vulnerability. This page documents a security hole with Firewall-1 which showed up in version two and still exists in version four. In short, the default settings of the firewall allow an attacker to pass traffic to internal systems and not have any of the traffic show up in the logs.

[...]

... not overwrite” setting is best. In Windows 2000, you can also set these parameters through the Domain Security Policy Group Policy Object.

4 - 18 Windows NT Log Properties
The Windows NT log file settings dialog box has the same options as Windows 2000, though presented in a different format.

4 - 19 How do you Enable Auditing?
Once you ... want to enable auditing. Before you implement auditing, you should decide on an auditing policy that specifies the categories of security-related events that you wish to audit. When Windows is first installed, all auditing categories are turned off. By turning on various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. With Windows 2000, ...
... Administrative Tools group
• Central logging utility for Windows
  – Not all applications use Event Viewer
    • IIS logs to WINNT\system32\LogFiles
    • Proxy logs to WINNT\system32\msplogs
• Windows does minimal logging by default and saves minimal data

It is now time to get into the nitty-gritty of performing our audit by looking at the Windows Event Viewer utility. Event Viewer can ...

... should be audited, and whether to audit success or failure events, or both.

4 - 20 Auditing Object Access
Once you have enabled auditing of object access, you must still configure the individual objects (files, folders, printers, etc.) to be audited. This can be done for individual objects using Windows Explorer. For configuring “bulk” audit settings for numerous files or folders ...

... settings. To configure auditing of an individual object, do the following:
• Open Windows Explorer, and then locate the file or folder you want to audit.
• Right-click the file or folder, click Properties, and then click the Security tab. In Windows 2000, the default permissions (if any) for the object will be shown.
• Click Advanced, and then click the Auditing tab (shown above). (For Windows NT, click the ...

... output is formatted. It’s not uncommon to see 20 or more entries on the typical Windows system.

4 - 33 Services on Stock Windows
• “net start” can be used on stock NT and 2000 systems
  – Shows services only
  – Must be run locally

These Windows NT services are started:
   Alerter
   Computer Browser
   EventLog
   License Logging Service

If you do not have a copy of the Resource Kit handy, ...
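As an added example that is not from the course, this Python script automates the comparison that a stock-tools audit otherwise does by eye: it parses the net start listing and diffs it against the service list saved during the previous audit, reporting services that have appeared and services that have stopped (EventLog dropping off the list would itself be a finding). The sample listing and the BASELINE set are constructed.

```python
# Constructed sample of `net start` output on a Windows NT host (not captured
# from the course's machine); the names follow stock NT service display names.
TODAY = """
These Windows NT services are started:

   Alerter
   Computer Browser
   License Logging Service
   Messenger
   Net Logon
   Remote Access Server

The command completed successfully.
"""

# Hypothetical baseline: the service list recorded on the previous audit run.
BASELINE = {"Alerter", "Computer Browser", "EventLog",
            "License Logging Service", "Messenger", "Net Logon"}

def parse_net_start(output):
    """Extract the running service display names from `net start` output.
    Handles the NT and 2000 banners ("These Windows ... services are started:")."""
    services = set()
    for line in output.splitlines():
        if line.startswith("These ") or line.startswith("The command"):
            continue  # banner and trailer lines are not services
        name = line.strip()
        if name:
            services.add(name)
    return services

def diff_services(baseline, current):
    """Return (started since baseline, no longer running), each sorted."""
    return sorted(current - baseline), sorted(baseline - current)

if __name__ == "__main__":
    added, missing = diff_services(BASELINE, parse_net_start(TODAY))
    for name in added:
        print("NEW service running since last audit:", name)
    for name in missing:
        # A missing EventLog means no Security log is being written at all.
        print("Service no longer running:", name)
```

Save net start > services.txt on each audit run; the previous run's file becomes the baseline for the next comparison.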
... environment, then from the Event Viewer select the log you want to modify, and select Action, Properties from the menu (File, Properties in Windows NT). This will produce a dialog box similar to the one shown in the next slide.

4 - 17 Windows 2000 Log Properties
One of the first things I like to do is bump up the maximum size of each of the logs to 8 MB. Disk space is cheap ...

... when you are done.
• Click Apply to save your settings.
• To view or change auditing for an existing group or user, click the name, and then click View/Edit.
• To remove auditing for an existing group or user, click the name, and then click Remove.
• Click OK, OK to exit.

Once you have enabled auditing of object access and set the auditing properties for the individual objects you want to audit, you can ...

... separate display name, Display name is , Display name is

The Windows Resource Kit includes a utility called netsvc.exe which allows you to manage services and drivers on remote Windows systems. While this is primarily a management tool, one of the switches allows you to document all running services and ...

... the Windows Event Viewer utility. Event Viewer can be found in the Administrative Tools group of your Windows system (Start → Programs → Administrative Tools → Event Viewer). It is an MMC snap-in under Windows 2000, and a stand-alone utility in Windows NT. Event Viewer is the central logging utility of any Windows system. Most applications, including the operating system itself, log events to one of Event ...