3: Preparing for Incident Response
... desires to remove evidence from the process accounting logs, he either deletes the whole log or leaves it intact. We recommend enabling process accounting, especially after an attack occurs. It can provide great insight into an intruder's actions when network monitoring proves ineffective.

Configuring Windows Logging
Some say the logging capabilities of Windows leave something to be desired, especially in their default configuration (which is to audit no events at all). The biggest annoyance is the manner in which the logs are stored. However, when configured appropriately, these logs do provide value. We'll cover the particulars of Windows logging in Chapter 12. Here, we describe a few configuration choices to make when building your Windows system: enabling security auditing, auditing file and directory actions, and saving log messages to a remote host. This information is logged in the C:\WINNT\System32\Config\ directory as .evt files, which are viewable with the Event Viewer application.

Enabling Security Auditing

By default, security auditing is not enabled on Windows systems. To enable security auditing on Windows NT systems, choose Start | Programs | Administrative Tools | User Manager. In User Manager, select Policies | Audit to open the dialog box shown in Figure 3-2. To configure auditing on Windows 2000 or XP, go to Start | Programs | Computer Management | Local Security Policy | Local Policies | Audit Policy.

Figure 3-2 Enabling Windows NT security auditing policy
Incident Response & Computer Forensics

By default, no options are enabled. Enable the events that are appropriate for your system, which at a minimum should include the following:

- Logon and Logoff
- User and Group Management
- Security Policy Changes
- Restart, Shutdown, and System

The Process Tracking option is similar to process accounting in Unix. This type of auditing can quickly fill your log files.

Auditing File and Directory Actions

To audit changes to file and directory permissions, the file system must be NTFS. In Windows NT, right-click any file or directory and choose Properties from the pop-up menu. In the Properties dialog box, choose the Security tab and click Auditing to see the dialog box shown in Figure 3-3.

Figure 3-3 Auditing file and directory permissions
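The two steps just described (turning on the audit policy categories, then putting an audit entry on a directory tree) are point-and-click on Windows NT. The script below is an added example, not from the book, that does the same on a current Windows host where the dialog boxes have been replaced by auditpol.exe and the file-system SACL API. It assumes an elevated PowerShell session and a hypothetical NTFS directory C:\Data; it also enables the Object Access category, which the chapter's minimum list omits but which must be on or the directory audit entry never produces an event.

```powershell
# Added example (not from the book): script the audit-policy and directory-auditing
# procedure on a current Windows host. Assumes an elevated PowerShell session,
# auditpol.exe (Windows Vista / Server 2008 and later) and a hypothetical NTFS
# directory C:\Data.
#Requires -RunAsAdministrator

# 1. Enable security auditing. The default is still "audit nothing" for most
#    categories. Legacy category names, mapped to the chapter's minimum list.
$categories = @(
    'Logon/Logoff',        # Logon and Logoff
    'Account Management',  # User and Group Management
    'Policy Change',       # Security Policy Changes
    'System',              # Restart, Shutdown, and System
    'Object Access'        # required, or the directory SACL below never fires
)
foreach ($c in $categories) {
    auditpol.exe /set /category:"$c" /success:enable /failure:enable | Out-Null
}
# Process Tracking ("Detailed Tracking" here) is the Unix process-accounting
# analogue. It is noisy, so turn it on deliberately rather than by default:
# auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable

# 2. Audit permission changes, writes and deletes on a directory tree (NTFS only).
#    ContainerInherit + ObjectInherit is the scripted form of the two
#    "apply to subdirectories and files" options in the Auditing dialog box.
$path   = 'C:\Data'
$acl    = Get-Acl -Path $path -Audit          # -Audit fetches the SACL, not only the DACL
$rights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership, Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$audit  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', $rights, $inherit, [System.Security.AccessControl.PropagationFlags]::None, $audit
)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: the policy as the system now sees it, and the SACL actually applied.
auditpol.exe /get /category:*
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Run it once per build, then confirm with the verification step rather than trusting the dialog box: Group Policy can silently override the local audit policy on a domain-joined host, and a SACL that was set without Object Access auditing enabled looks correct in the Properties dialog while logging nothing.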
The options in the Auditing dialog box (Figure 3-3) are self-explanatory. The key point is that you can audit events on all subdirectories and files under the current directory by selecting the two options at the top of the dialog box. Under Windows 2000, security auditing policies are controlled from the Administrative Tools | Local Security Policy menu.

Setting Up Remote Logging

As with the Unix system logs, an attacker could delete the C:\WINNT\System32\Config\*.evt files, successfully erasing the event-tracking logs. Again, the solution is to log events to a networked event log server. Unfortunately, Windows NT does not include the capability for remote logging of events. However, as an administrator, you can use third-party logging utilities to overcome this deficiency. For example, NTsyslog is free software that converts system, security, and application events into syslog messages, which are then sent to a remote syslog server. Keep in mind that the forwarding agent runs on the very host the attacker controls, so it can be stopped just as the local logs can be deleted; a sudden silence from a host that normally sends syslog traffic is itself something the log server should alert on.

GO GET IT ON THE WEB
NTsyslog (Windows NT syslog service): http://www.sabernet.net/software/ntsyslog.html

Configuring Application Logging
Just as host logs can be improved, so too can many application logs. There is a stunning array of application logs available, and each must be configured differently. Here are some general guidelines for configuring application logging:

- Log messages to a file that only the administrator can access.
- Log messages to a secure, remote log host.
- Log as much useful information as possible; don't skimp!
- Log IP addresses rather than NetBIOS or domain names. Name resolution can fail or stall, and the name that comes back is whatever the owner of the reverse DNS zone chooses to return; the address is the fact you actually observed.

As an example, consider the logging capabilities of a popular application, Microsoft's Internet Information Server (IIS). Through the Microsoft Management Console, the web site properties are available from the Default Web Site Properties dialog box, shown in Figure 3-4. To access this dialog box, choose Start | Programs | Windows NT 4.0 Option Pack | Microsoft Internet Information Server | Internet Service Manager. Then, right-click the web site whose logging properties you want to see. You will see that logging is enabled by default, but drill down further by clicking the Properties button. You will find that many options are available but not all are enabled, as shown in Figure 3-5. A lot of information that may be valuable to an investigator goes unrecorded. Information such as the number of bytes sent and received and the cookie could be key evidence in many web application attacks. If the web server is running virtual web servers or multiple web servers, you also want information about the server IP and port.
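The IIS settings behind the Figure 3-5 checkboxes have a scriptable form on current IIS versions, and the same fields can be checked after the fact from a log's #Fields header. The script below is an added example, not from the book: it assumes a current IIS with the WebAdministration module (IIS 7 or later) and a site named "Default Web Site", enables the extended W3C fields the chapter singles out (bytes sent and received, cookie, server IP and port), and then runs a header check over a constructed sample log written with the default field set so you can see what a default log leaves out.

```powershell
# Added example (not from the book): the IIS logging settings discussed above,
# scripted for a current IIS (WebAdministration module, IIS 7 or later), plus a
# check of which evidence fields an existing W3C log is missing. The site name
# "Default Web Site" and the sample log text are constructed for this example.
Import-Module WebAdministration

# 1. Enable the extended W3C fields. Most are off by default, which is the gap
#    Figure 3-5 illustrates. BytesSent/BytesRecv, Cookie, ServerIP and ServerPort
#    are the ones the chapter calls out for investigators.
$logFile = "system.applicationHost/sites/site[@name='Default Web Site']/logFile"
$flags   = 'Date,Time,ClientIP,UserName,ServerIP,Method,UriStem,UriQuery,HttpStatus,HttpSubStatus,' +
           'Win32Status,BytesSent,BytesRecv,TimeTaken,ServerPort,UserAgent,Cookie,Referer,Host'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $logFile -Name logFormat -Value 'W3C'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $logFile -Name logExtFileFlags -Value $flags

# 2. Check a W3C log header for the fields an investigator will want.
#    W3C names: s-ip/s-port are the server side, c-ip the client, sc-bytes is
#    bytes sent to the client and cs-bytes is bytes received from it.
function Test-IisLogFields {
    param([string[]]$Lines)
    $required = @('c-ip', 's-ip', 's-port', 'sc-bytes', 'cs-bytes', 'cs(Cookie)', 'cs(User-Agent)')
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw 'No #Fields header: not a W3C extended log' }
    $have = ($header -replace '^#Fields:\s*', '') -split '\s+'
    # Returns the required fields the log lacks; empty output means all are present.
    $required | Where-Object { $_ -notin $have }
}

# Constructed sample: a log written with IIS's default field set, extended fields off.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 00:00:01 GET /login.aspx - - 203.0.113.7 Mozilla/5.0 200 0 0 15
'@
$missing = Test-IisLogFields -Lines ($sampleLog -split "`r?`n")
if ($missing) { "Missing evidence fields: $($missing -join ', ')" } else { 'All evidence fields present' }
# Against a real log, for example:
# Test-IisLogFields -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex240501.log')
```

On the constructed sample the check reports s-ip, s-port, sc-bytes, cs-bytes and cs(Cookie) as missing, which is exactly the set the chapter warns goes unrecorded by default. Run the same function over the first file of each site's log directory after any IIS upgrade or site re-creation, because a new site inherits the server defaults rather than the fields you enabled on another site.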