Windows 2000/2003 Server Auditing Rob Hoffpauir MCSE / CCSA / ACE / NNCSS [email protected].


Page 1: Windows 2000/2003 Server Auditing Rob Hoffpauir MCSE / CCSA / ACE / NNCSS rob.hoffpauir@bcbsla.com.



Windows 2000/2003 Server Auditing - Rob Hoffpauir ©2005  2  04/19/23

Brief Intro

Who am I?
- Been in the IT industry for about 12 years
- Worked with security systems for about 8 years
- Experience with Windows 3.x, 9x, NT 3.51, NT 4.0, 2000, XP & 2003
- Experience with Checkpoint, Nokia, Nortel & Linux
- Familiar with both the public and private sectors


Topics

- Documentation
- Account Policies
- Logon Process
- Access Control
- Services
- Vulnerability Control


Getting to Know the Environment

- Interview key personnel
- Obtain documentation on:
  - Security Baseline Policy
  - GPO Settings (Verify using the GPMC & GPResult tool from Microsoft)
  - Forest(s)
  - Domain(s)
  - Trust(s)
- Review the setup of Active Directory.
  - Determine if the check-off box for "override allowed" is correctly administered
  - Verify if GPO matches Baseline Policy
  - Institute a Baseline verification policy and routine (automate if possible)


Account Policies

- Review account policies (i.e. password controls) for compliance with corporate policy
- User accounts should have a password with a minimum of six characters
- Passwords should contain lower and upper case, numbers and special characters
- Users should be prevented from using their last 8 - 10 passwords
- Password should not be the same as the user ID
- Forced lockout after three attempts to logon
- Change Passwords every 60 days (exceptions for system and service accounts may be granted on a case-by-case basis)
- Kerberos ticket renewals - Make sure that tickets are being renewed
- Local account policies - Select a sample of servers to review local account policies for compliance with security policies and procedures
- Verify that SNMP Community Strings are not public, private or blank if applicable
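
Added example (not part of the original slides): one way to automate the baseline check for the password and lockout values listed above, assuming the policy has been exported with secedit /export /cfg. The sample export and the function names are constructed for illustration.

```python
import configparser

# Constructed sample of a `secedit /export /cfg` file (not from a real server).
# Real exports are UTF-16; read them with open(path, encoding="utf-16").
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Thresholds from the slide: (setting, pass test, requirement).
# LockoutBadCount 0 means lockout is off; MaximumPasswordAge -1 means never expires.
BASELINE = [
    ("MinimumPasswordLength", lambda v: v >= 6, "at least 6 characters"),
    ("PasswordComplexity", lambda v: v == 1, "complexity enabled"),
    ("PasswordHistorySize", lambda v: v >= 8, "remember at least 8 passwords"),
    ("LockoutBadCount", lambda v: 1 <= v <= 3, "lock out after 3 bad attempts"),
    ("MaximumPasswordAge", lambda v: 1 <= v <= 60, "change every 60 days"),
]


def parse_system_access(inf_text):
    """Return the [System Access] section of a security template as a dict."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the setting names' original case
    parser.read_string(inf_text)
    if not parser.has_section("System Access"):
        return {}
    return {name: value.strip() for name, value in parser.items("System Access")}


def check_account_policy(inf_text):
    """Return (setting, actual, requirement) for every baseline check that fails."""
    values = parse_system_access(inf_text)
    findings = []
    for name, passes, requirement in BASELINE:
        raw = values.get(name)
        try:
            actual = int(raw)
        except (TypeError, ValueError):
            # A missing setting is a finding too: the export proves nothing.
            findings.append((name, raw, requirement + " (missing or not numeric)"))
            continue
        if not passes(actual):
            findings.append((name, actual, requirement))
    return findings


if __name__ == "__main__":
    for setting, actual, requirement in check_account_policy(SAMPLE_INF):
        print(f"FAIL {setting}={actual}: baseline requires {requirement}")
```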


Dormant or Disabled Accounts

- Review dormant and disabled accounts.
- Obtain the following reports:
  - User accounts that are disabled
  - User accounts that are locked out
  - User accounts that have not logged into the domain within the last 60 days.
  - User accounts that have not changed their passwords within the last 60 days.


Terminated Employees

- Obtain a listing of employees who terminated their employment with the company within the last six months.
- Determine if any of these employees still have system access.
- A policy and procedure for terminations should be in place and followed.


Password Review

- Determine if users are selecting strong passwords
- Perform a password assessment
- Test for the following:
  - password the same as the user ID
  - blank passwords
  - company name/initials
  - other easily guessed password scenarios (use word list)

Note: Best practices dictate that a password review should be conducted at least quarterly


Additional Password Controls

- Determine that users are aware of how to contribute to a secure network environment.
- Obtain the following reports:
  - Users with a password that cannot be changed.
  - Users with a password that never expires
  - Users who do not require a password.
- Has the built in guest account been disabled and renamed?
- Has the default administrator account been renamed?
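
Added example (not part of the original slides): a sketch that produces several of the reports asked for on the Dormant or Disabled Accounts and Additional Password Controls slides from an exported user list. It assumes a CSV export with the Active Directory attributes sAMAccountName, userAccountControl, lastLogonTimestamp and pwdLastSet; the accounts, the audit date and the function names are constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bits used by the reports on the slides.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWD = 0x10000
# Locked-out state and "user cannot change password" are not decoded here;
# assumption: they have to come from other attributes or the object's ACL.

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """datetime -> 100-nanosecond ticks since 1601-01-01 UTC."""
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def filetime_to_dt(value):
    """FILETIME ticks -> datetime; 0 or empty means the attribute was never set."""
    ticks = int(value or 0)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None


NOW = datetime(2005, 6, 1, tzinfo=timezone.utc)  # constructed audit date


def _ft(days_ago):
    return to_filetime(NOW - timedelta(days=days_ago))


# Constructed export; the account names are invented.
SAMPLE_CSV = "\n".join([
    "sAMAccountName,userAccountControl,lastLogonTimestamp,pwdLastSet",
    f"jsmith,512,{_ft(3)},{_ft(20)}",          # active, recent password
    f"bjones,514,{_ft(200)},{_ft(300)}",       # disabled
    f"svc_backup,66048,{_ft(1)},{_ft(400)}",   # password never expires
    "tempuser,544,0,0",                        # no password required, never used
    f"mlee,512,{_ft(75)},{_ft(61)}",           # dormant, old password
])


def account_report(csv_text, now, max_days=60):
    """Group account names by the report they belong in (60 days per the slides)."""
    cutoff = now - timedelta(days=max_days)
    report = {"disabled": [], "dormant": [], "stale_password": [],
              "never_expires": [], "no_password_required": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        last_logon = filetime_to_dt(row["lastLogonTimestamp"])
        pwd_set = filetime_to_dt(row["pwdLastSet"])
        if uac & ACCOUNTDISABLE:
            report["disabled"].append(name)
        if last_logon is None or last_logon < cutoff:   # never or long ago
            report["dormant"].append(name)
        if pwd_set is None or pwd_set < cutoff:         # never set or too old
            report["stale_password"].append(name)
        if uac & DONT_EXPIRE_PASSWD:
            report["never_expires"].append(name)
        if uac & PASSWD_NOTREQD:
            report["no_password_required"].append(name)
    return report


if __name__ == "__main__":
    for title, names in account_report(SAMPLE_CSV, NOW).items():
        print(f"{title}: {', '.join(names) or '-'}")
```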


Login Process

- Review the login process to make sure that it meets Company policy.
- Is the username of the last user displayed?
- Is there a warning banner?
- Is Auto Logon Used?


Warning Banner

Their purpose is essentially to act as a "No Trespassing" sign, and to establish consent to monitoring. The Federal computer crime law, 18 USC 1030, makes it a crime to INTENTIONALLY access a computer without authorization. Thus, you need to do SOMETHING to prove that the hacker knew, or reasonably should have known that they were accessing without authorization.

There is NO case that says that a "welcome" screen necessarily invites a trespass, any more than a welcome mat is an invitation to smash the window. But some state laws are screwy. The New York State computer crime law, NY Penal Code Section 156 (6), requires that, before you can be prosecuted for using a computer service without authorization, the government has to prove that the owner has given actual notice to potential hackers or trespassers, either in writing or orally. In the absence of such notice in New York, the hacker can presume that he or she has authorization to proceed, under state law. La. Rev. Stat. Ann. §§ 14:73.1 to 14:73.5 http://www.legis.state.la.us/lss/lss.asp?doc=78652 defines computer crime in Louisiana, and does not appear to contain a "simple trespass" provision. Nevertheless, it is still a good idea to define the parameters of authorization and lack thereof.


Warning Banner (cont'd)

Another reason for a warning banner is to give you consent to monitor communications. Federal laws, 18 USC 2511 and 18 USC 2701 generally make it a crime to monitor communications -- even electronic communications -- without the consent of one of the parties to the communication. Louisiana law is similar. La. Rev. Stat. §15:1303 Thus your warning banner should also say "by using this system you are agreeing to comply with the relevant policies of COMPANYNAME, and are specifically consenting to monitoring of your activities consistent with these policies. A copy of these policies may be obtained at http://www.company..... or by calling Jane Doe."


Auto Admin Logon

- Review registry dump to determine whether the auto admin logon registry entry is used.
- The use of this key embeds the password in the registry in plain text.
- If this process is required, check the ACLs of the registry key.
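
Added example (not part of the original slides): a check of the questions on the Login Process and Auto Admin Logon slides, assuming the registry dump is a regedit text export covering the Winlogon and Policies\System keys. The sample dump, the account name in it and the function names are constructed.

```python
import re

# Key paths are compared in lower case.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# Constructed sample export. Real .reg files are UTF-16; decode them first.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="svc_kiosk"
"DefaultPassword"="CONSTRUCTED-SAMPLE-VALUE"
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key path (lower case): {value name (lower case): data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_RE.match(line)
        if not match or current is None:
            continue
        data = match.group("data")
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1]
        else:
            value = data  # other types (hex, hex(7)) are kept as raw text, undecoded
        current[match.group("name").lower()] = value
    return keys


def audit_logon(text):
    """Return the logon-process findings for one server's registry export."""
    keys = parse_reg(text)
    win, pol = keys.get(WINLOGON, {}), keys.get(POLICIES, {})
    findings = []
    if str(win.get("autoadminlogon", "0")) == "1":
        findings.append("AutoAdminLogon is enabled")
    if win.get("defaultpassword"):
        # Report presence only; never copy the stored value into a report.
        findings.append("DefaultPassword is stored in plain text")
    hide_last = pol.get("dontdisplaylastusername",
                        win.get("dontdisplaylastusername", 0))
    if str(hide_last) != "1":
        findings.append("last user name is displayed at logon")
    caption = pol.get("legalnoticecaption") or win.get("legalnoticecaption")
    body = pol.get("legalnoticetext") or win.get("legalnoticetext")
    if not (caption and body):
        findings.append("no warning banner configured")
    return findings


if __name__ == "__main__":
    for finding in audit_logon(SAMPLE_REG):
        print("FINDING:", finding)
```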


Access Control

- Review Group Membership
- Review User Rights
- Review Access Control List (ACLs)
- Review access to Administrative (Hidden) Shares


Review membership to powerful groups

- Domain Administrators
- Administrators
- Backup Operators
- Server Operators
- Account Operators
- Enterprise Administrators
- Schema Administrators
- Cert. Publishers
- DHCP Administrators
- DNS Administrators
- DNS Update Proxy
- Group Policy Creator Owners
- IIS_WPG
- Incoming Forest Trust Builders
- Network Configuration Operators
- RAS and IAS Servers
- Replicator
- Pre-Windows 2000 Compatible Access
- Windows Authorization Access Group
- Telnet Clients
- Anonymous Logon (system group)
- Interactive
- Network

Note: A user can be given admin rights without being a member of the admin group.


User Rights



Access Control List (ACLs)

- Registry Key Permissions
- Share Permissions
- NTFS Permissions
- Nesting of Groups
  - Assign Local groups (or Domain Local) to resources
  - Assign User accounts to Domain groups
  - Place Domain groups into Local groups


Administrative Shares

- Review ACLs for
  - C$, D$ (drive letter followed by the $ sign)
  - Admin$
- Administrative shares should only be used by administrators


Everyone Group

- Review access granted to the Everyone group
- Review shares in connection with the access review to determine if the Everyone group truly has access to specific directories

Note: When a share is set up, read access for everyone is the default


Review Services

- Review the standard services that run on the different servers (i.e. Domain Controllers, Web Servers, Application Servers, etc.).
- Make sure there is a business need for each service.

Note: If the start up of a service is set to "Manual", an attacker could send a command to start up the service and exercise a vulnerability against it.


IIS

- IIS is installed on each Windows server by default in 2000.
- Make sure there is a business need for all servers that are currently running IIS.


RAS Settings

- Disable Service if not used
- Setup separate device for RAS
- Review settings to ensure tightest control possible


Terminal Server

- Identify which servers are running Terminal Server and make sure there is a business need for this
- Terminal Server allows you to manage a server from any terminal as though you were there


Anti-virus Software

- Identify which servers do not have anti-virus software running on them and notify management.


Audit Logs

- Review audit log settings for a sample of servers.
- Document and review procedures for the review of audit logs.
- Determine if logs are reviewed in a timely manner.


Physical Security

- Review the controls for physical security of all network devices (Servers, Workstations, Switches, Routers, etc.)


Vulnerability Scans

- Select a sample of servers that support critical applications and run a vulnerability scan on these servers.
- Obtain commitment from Management to address vulnerabilities identified.


Useful Tools

- GPMC (Microsoft)
- Local Security Settings (Microsoft)
- GPResult (Microsoft)
- Active Directory Users and Computers (Microsoft)
- Hyena (System Tools Software)
- Enterprise Security Manager (Symantec)
- Insight Manager (Consul)
- MOM (Microsoft)
- Internet & Systems Scanner (Internet Security Systems)
- Nessus (Open Source)
- NMap (Open Source)
- DumpSec, DumpReg & DumpEvents (SomarSoft)


Questions?

Comments!