Windows 2000/2003 Server Auditing Rob Hoffpauir MCSE / CCSA / ACE / NNCSS [email protected].
Windows 2000/2003 Server Auditing - Rob Hoffpauir ©2005 04/19/23

Brief Intro - Who am I?
- Been in the IT industry for about 12 years
- Worked with security systems for about 8 years
- Experience with Windows 3.x, 9x, NT 3.51, NT 4.0, 2000, XP & 2003
- Experience with Checkpoint, Nokia, Nortel & Linux
- Familiar with both the public and private sectors

Topics
- Documentation
- Account Policies
- Logon Process
- Access Control
- Services
- Vulnerability Control

Getting to Know the Environment
- Interview key personnel
- Obtain documentation on:
  - Security Baseline Policy
  - GPO Settings (verify using the GPMC & GPResult tool from Microsoft)
  - Forest(s)
  - Domain(s)
  - Trust(s)
- Review the setup of Active Directory:
  - Determine if the check-off box for "override allowed" is correctly administered
  - Verify if GPO matches Baseline Policy
  - Institute a Baseline verification policy and routine (automate if possible)

Account Policies
- Review account policies (i.e. password controls) for compliance with corporate policy:
  - User accounts should have a password with a minimum of six characters
  - Passwords should contain lower and upper case, numbers and special characters
  - Users should be prevented from using their last 8 - 10 passwords
  - Password should not be the same as the user ID
  - Forced lockout after three attempts to logon
  - Change passwords every 60 days (exceptions for system and service accounts may be granted on a case-by-case basis)
- Kerberos ticket renewals - Make sure that tickets are being renewed
- Local account policies - Select a sample of servers to review local account policies for compliance with security policies and procedures
- Verify that SNMP Community Strings are not public, private or blank, if applicable

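The local account policy review above is easiest to do consistently across a sample of servers by exporting each server's policy with `secedit /export /cfg <file>` and checking the `[System Access]` section against the baseline. The script below is an added example, not part of the deck; the INF text in it is constructed to resemble a secedit export, and the baseline values are the ones listed on the slide.

```python
"""Check a secedit-style [System Access] export against the slide's password
and lockout baseline.  Added example; SAMPLE_INF is constructed test data."""
import re

# Constructed sample export, shaped like `secedit /export /cfg <file>` output.
# Some values match the slide baseline, others have drifted.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_inf(text):
    """Parse the INI-style export into {section: {key: value}}; quotes stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


# Baseline from the Account Policies slide, as (key, test, expectation).
# secedit writes -1 for "password never expires", so the age test is a range,
# not just an upper bound.
BASELINE = [
    ("MinimumPasswordLength", lambda v: int(v) >= 6, "minimum 6 characters"),
    ("PasswordComplexity", lambda v: v == "1", "complexity (mixed case, digits, symbols) enabled"),
    ("PasswordHistorySize", lambda v: int(v) >= 8, "remember last 8-10 passwords"),
    ("LockoutBadCount", lambda v: 1 <= int(v) <= 3, "lock out after 3 failed logons"),
    ("MaximumPasswordAge", lambda v: 1 <= int(v) <= 60, "change every 60 days"),
]


def audit_system_access(inf_text):
    """Return (key, actual_value, expectation) for each baseline check that fails."""
    access = parse_inf(inf_text).get("System Access", {})
    findings = []
    for key, ok, expectation in BASELINE:
        actual = access.get(key)
        if actual is None or not ok(actual):
            findings.append((key, actual, expectation))
    return findings


if __name__ == "__main__":
    for key, actual, expectation in audit_system_access(SAMPLE_INF):
        print(f"FAIL {key} = {actual!r}; baseline: {expectation}")
```

A missing key is reported as a failure rather than skipped, so a truncated or partial export cannot pass silently; run the same function over every server in the sample and compare the finding lists.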
Dormant or Disabled Accounts
- Review dormant and disabled accounts. Obtain the following reports:
  - User accounts that are disabled
  - User accounts that are locked out
  - User accounts that have not logged into the domain within the last 60 days
  - User accounts that have not changed their passwords within the last 60 days

Terminated Employees
- Obtain a listing of employees who terminated their employment with the company within the last six months.
- Determine if any of these employees still have system access.
- A policy and procedure for terminations should be in place and followed.

Password Review
- Determine if users are selecting strong passwords
- Perform a password assessment. Test for the following:
  - password the same as the user ID
  - blank passwords
  - company name/initials
  - other easily guessed password scenarios (use a word list)
- Note: Best practices dictate that a password review should be conducted at least quarterly

Additional Password Controls
- Determine that users are aware of how to contribute to a secure network environment.
- Obtain the following reports:
  - Users with a password that cannot be changed
  - Users with a password that never expires
  - Users who do not require a password
- Has the built-in guest account been disabled and renamed?
- Has the default administrator account been renamed?

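The reports asked for on the Dormant or Disabled Accounts, Terminated Employees and Additional Password Controls slides can all be produced from one user export. The script below is an added example, not from the deck: the CSV is constructed to resemble a user dump (as DumpSec or an LDAP query would give you) with timestamps already converted to ISO dates, the `userAccountControl` bit values are Microsoft's documented ones, and "cannot change password" is carried as its own column because in Active Directory that control is an ACE on the user object rather than a `userAccountControl` bit. The audit date and the terminated-employee list are also constructed.

```python
"""Build the account reports the slides ask for from a user export.
Added example; SAMPLE_CSV, SAMPLE_TERMINATED and AUDIT_DATE are constructed."""
import csv
import io
from datetime import date

# userAccountControl bits (Microsoft-documented values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWD = 0x10000

# Constructed export.  objectSid is included because the RID (500 = built-in
# Administrator, 501 = Guest) identifies the built-in accounts even after a rename.
SAMPLE_CSV = """\
sAMAccountName,objectSid,userAccountControl,lastLogon,pwdLastSet,lockoutTime,cannotChangePassword
Administrator,S-1-5-21-1111-2222-3333-500,512,2005-04-10,2005-01-02,0,no
Guest,S-1-5-21-1111-2222-3333-501,514,,2004-01-01,0,no
jdoe,S-1-5-21-1111-2222-3333-1104,512,2005-04-15,2005-03-20,0,no
asmith,S-1-5-21-1111-2222-3333-1105,512,2004-11-01,2004-10-30,0,no
svc_backup,S-1-5-21-1111-2222-3333-1106,66080,2005-04-18,2003-06-01,0,yes
tjones,S-1-5-21-1111-2222-3333-1107,544,2005-04-01,2005-04-01,1,no
"""

# Constructed HR list of people terminated in the last six months.
SAMPLE_TERMINATED = ["asmith", "bwong"]

AUDIT_DATE = date(2005, 4, 19)  # constructed "today" for the report


def load_users(text):
    return list(csv.DictReader(io.StringIO(text)))


def days_since(iso, today):
    """Days since an ISO date; None when the field is empty (never happened)."""
    if not iso:
        return None
    return (today - date.fromisoformat(iso)).days


def account_reports(users, today=AUDIT_DATE, stale_days=60):
    """Return {report_name: [account names]} for the reports on the slides."""
    names = ("disabled", "locked_out", "no_logon_60d", "pwd_unchanged_60d",
             "pwd_never_expires", "pwd_not_required", "pwd_cannot_change",
             "builtin_not_renamed", "guest_enabled")
    reports = {n: [] for n in names}
    for u in users:
        name = u["sAMAccountName"]
        uac = int(u["userAccountControl"])
        rid = int(u["objectSid"].rsplit("-", 1)[1])
        disabled = bool(uac & ACCOUNTDISABLE)
        if disabled:
            reports["disabled"].append(name)
        if u["lockoutTime"] not in ("", "0"):
            reports["locked_out"].append(name)
        logon = days_since(u["lastLogon"], today)
        if logon is None or logon > stale_days:      # never logged on counts as dormant
            reports["no_logon_60d"].append(name)
        pwd_age = days_since(u["pwdLastSet"], today)
        if pwd_age is None or pwd_age > stale_days:
            reports["pwd_unchanged_60d"].append(name)
        if uac & DONT_EXPIRE_PASSWD:
            reports["pwd_never_expires"].append(name)
        if uac & PASSWD_NOTREQD:
            reports["pwd_not_required"].append(name)
        if u["cannotChangePassword"].lower() == "yes":
            reports["pwd_cannot_change"].append(name)
        if (rid, name) in ((500, "Administrator"), (501, "Guest")):
            reports["builtin_not_renamed"].append(name)
        if rid == 501 and not disabled:
            reports["guest_enabled"].append(name)
    return reports


def terminated_with_access(users, terminated):
    """Terminated employees whose account still exists and is not disabled."""
    by_name = {u["sAMAccountName"]: int(u["userAccountControl"]) for u in users}
    return [t for t in terminated if t in by_name and not by_name[t] & ACCOUNTDISABLE]


if __name__ == "__main__":
    users = load_users(SAMPLE_CSV)
    for report, accounts in account_reports(users).items():
        print(f"{report:20} {', '.join(accounts) or '-'}")
    print("terminated, still enabled:", terminated_with_access(users, SAMPLE_TERMINATED))
```

An account that has never logged on or never set a password has an empty timestamp in the export; the script treats that as dormant rather than skipping it, since those are usually the accounts nobody remembers creating.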
Login Process
- Review the login process to make sure that it meets company policy:
  - Is the username of the last user displayed?
  - Is there a warning banner?
  - Is auto logon used?

Warning Banner
Their purpose is essentially to act as a "No Trespassing" sign, and to establish consent to monitoring. The Federal computer crime law, 18 USC 1030, makes it a crime to INTENTIONALLY access a computer without authorization. Thus, you need to do SOMETHING to prove that the hacker knew, or reasonably should have known, that they were accessing without authorization.

There is NO case that says that a "welcome" screen necessarily invites a trespass, any more than a welcome mat is an invitation to smash the window. But some state laws are screwy. The New York State computer crime law, NY Penal Code Section 156 (6), requires that, before you can be prosecuted for using a computer service without authorization, the government has to prove that the owner has given actual notice to potential hackers or trespassers, either in writing or orally. In the absence of such notice in New York, the hacker can presume that he or she has authorization to proceed, under state law. La. Rev. Stat. Ann. §§ 14:73.1 to 14:73.5 (http://www.legis.state.la.us/lss/lss.asp?doc=78652) defines computer crime in Louisiana, and does not appear to contain a "simple trespass" provision. Nevertheless, it is still a good idea to define the parameters of authorization and lack thereof.

Warning Banner (cont.)
Another reason for a warning banner is to give you consent to monitor communications. Federal laws, 18 USC 2511 and 18 USC 2701, generally make it a crime to monitor communications -- even electronic communications -- without the consent of one of the parties to the communication. Louisiana law (La. Rev. Stat. §15:1303) is similar. Thus your warning banner should also say "by using this system you are agreeing to comply with the relevant policies of COMPANYNAME, and are specifically consenting to monitoring of your activities consistent with these policies. A copy of these policies may be obtained at http://www.company..... or by calling Jane Doe."

Auto Admin Logon
- Review the registry dump to determine whether the auto admin logon registry entry is used.
- The use of this key embeds the password in the registry in plain text.
- If this process is required, check the ACLs of the registry key.

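The three Login Process questions and the Auto Admin Logon check all come down to a handful of values in the registry dump, so they can be answered together from a `reg export` of the Winlogon key and the `Policies\System` key that Group Policy writes to. The script below is an added example, not from the deck; the .reg text is constructed (the `DefaultPassword` data is a placeholder, not a real password), and the example assumes that where a value appears under both keys the `Policies\System` copy is the effective one.

```python
"""Answer the Login Process and Auto Admin Logon slide questions from a
`reg export` dump.  Added example; SAMPLE_REG is constructed test data."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Constructed dump of a server that auto-logs on an administrator, shows the
# last user name and has no banner.  The password value is a placeholder.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="CORP"
"DefaultUserName"="Administrator"
"DefaultPassword"="PLACEHOLDER-NOT-A-REAL-PASSWORD"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"""

# REG_SZ ("name"="data") and REG_DWORD ("name"=dword:hex) lines.
VALUE_RE = re.compile(r'^"(.*?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Return {key_path: {value_name_lowercase: data_as_string}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group(2) if m.group(2) is not None else str(int(m.group(3), 16))
            current[m.group(1).lower()] = data   # value names are case-insensitive
    return keys


def audit_winlogon(reg_text):
    """Return a list of finding strings; an empty list means all four checks pass."""
    keys = parse_reg(reg_text)
    # Assumption: the Policies\System copy wins where both keys define a value.
    values = {**keys.get(WINLOGON, {}), **keys.get(POLICY, {})}
    findings = []
    if values.get("autoadminlogon") == "1":
        who = f"{values.get('defaultdomainname', '?')}\\{values.get('defaultusername', '?')}"
        findings.append(f"AutoAdminLogon enabled for {who}")
    if "defaultpassword" in values:
        findings.append("DefaultPassword present: password stored in plain text; "
                        "if auto logon is required, review the ACLs on the key")
    if values.get("dontdisplaylastusername", "0") != "1":
        findings.append("last logged-on user name is displayed")
    if not values.get("legalnoticetext"):
        findings.append("no warning banner (LegalNoticeText empty)")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(SAMPLE_REG):
        print("FINDING:", finding)
```

`DefaultPassword` is reported whenever it exists, not only when auto logon is switched on, because turning `AutoAdminLogon` back to 0 does not remove the plain-text password that was left behind.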
Access Control
- Review Group Membership
- Review User Rights
- Review Access Control Lists (ACLs)
- Review access to Administrative (Hidden) Shares

Review membership to powerful groups
- Domain Administrators
- Administrators
- Backup Operators
- Server Operators
- Account Operators
- Enterprise Administrators
- Schema Administrators
- Cert. Publishers
- DHCP Administrators
- DNS Administrators
- DNS Update Proxy
- Group Policy Creator Owners
- IIS_WPG
- Incoming Forest Trust Builders
- Network Configuration Operators
- RAS and IAS Servers
- Replicator
- Pre-Windows 2000 Compatible Access
- Windows Authorization Access Group
- Telnet Clients
- Anonymous Logon (system group)
- Interactive
- Network
Note: A user can be given admin rights without being a member of the admin group.

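Reviewing the powerful groups means comparing what is actually on each server against the membership the baseline documents, and the note above is the reason the user-rights assignment has to be read alongside it: a privilege such as `SeDebugPrivilege` or `SeTcbPrivilege` granted directly to an account is administrative power that no group listing shows. The script below is an added example, not from the deck. Both inputs are constructed: `net localgroup`-style listings for two groups, and a secedit `[Privilege Rights]` section in which some SIDs are shown already resolved to account names for readability (real exports carry `*S-1-5-...` SIDs; `*S-1-5-32-544` is BUILTIN\Administrators, `-551` Backup Operators, `-555` Remote Desktop Users). The approved-membership table is constructed as well.

```python
"""Flag unexpected group members and user rights granted outside the built-in
groups.  Added example; all sample inputs and APPROVED are constructed."""
import re

# Constructed `net localgroup <group>` output for two groups, concatenated.
SAMPLE_NET_LOCALGROUP = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jdoe
The command completed successfully.

Alias name     Backup Operators
Comment        Backup Operators can override security restrictions for the sole purpose of backing up or restoring files

Members

-------------------------------------------------------------------------------
CORP\svc_backup
CORP\tjones
The command completed successfully.
"""

# Constructed secedit-style [Privilege Rights] section (names resolved for
# readability; real exports list *S-1-5-... SIDs).
SAMPLE_PRIVILEGES = r"""[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,CORP\asmith
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeTcbPrivilege = CORP\svc_legacy
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
"""

# Constructed approved membership from the documented baseline.
APPROVED = {
    "Administrators": {"Administrator", r"CORP\Domain Admins"},
    "Backup Operators": {r"CORP\svc_backup"},
}


def parse_net_localgroup(text):
    """Return {group: set(members)} from one or more `net localgroup`/`net group` listings."""
    groups, current, in_members = {}, None, False
    for line in text.splitlines():
        line = line.rstrip()
        header = re.match(r"^(?:Alias|Group) name\s+(.+)$", line)
        if header:
            current, in_members = header.group(1).strip(), False
            groups[current] = set()
        elif line.startswith("----"):
            in_members = True
        elif line.startswith("The command completed"):
            in_members = False
        elif in_members and line.strip() and current:
            groups[current].add(line.strip())
    return groups


def unexpected_members(groups, approved):
    """Per group, members present on the server but absent from the approved list."""
    extra = {g: sorted(m - approved.get(g, set())) for g, m in groups.items()}
    return {g: m for g, m in extra.items() if m}


def parse_privilege_rights(inf_text):
    """Return {privilege: [trustees]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[Privilege Rights]"
        elif in_section and "=" in line:
            name, _, trustees = line.partition("=")
            rights[name.strip()] = [t.strip() for t in trustees.split(",") if t.strip()]
    return rights


def direct_assignments(rights):
    """Rights held by anything other than a BUILTIN (S-1-5-32-*) group: the
    'admin rights without admin group membership' case from the slide."""
    return sorted((right, t) for right, trustees in rights.items()
                  for t in trustees if not t.startswith("*S-1-5-32-"))


if __name__ == "__main__":
    print(unexpected_members(parse_net_localgroup(SAMPLE_NET_LOCALGROUP), APPROVED))
    print(direct_assignments(parse_privilege_rights(SAMPLE_PRIVILEGES)))
```

`direct_assignments` deliberately treats any non-BUILTIN trustee as worth a look, including domain groups; whether a given entry is acceptable is a judgement against the baseline, but the list is what the group review alone would miss.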
User Rights
(Two slides of screenshots; no text extracted.)

Access Control Lists (ACLs)
- Registry Key Permissions
- Share Permissions
- NTFS Permissions
- Nesting of Groups:
  - Assign Local groups (or Domain Local) to resources
  - Assign User accounts to Domain groups
  - Place Domain groups into Local groups

Administrative Shares
- Review ACLs for:
  - C$, D$ (drive letter followed by the $ sign)
  - Admin$
- Administrative shares should only be used by administrators

Everyone Group
- Review access granted to the Everyone group
- Review shares in connection with the access review to determine if the Everyone group truly has access to specific directories
- Note: When a share is set up, read access for Everyone is the default

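Whether Everyone "truly" has access to a shared directory depends on both the share permission and the NTFS permission, since the effective access through the share is the more restrictive of the two; the same pair of lists also answers the Administrative Shares question of who besides administrators can reach C$, D$ and ADMIN$. The script below is an added example, not from the deck. Both CSV inputs are constructed (the kind of table an auditor builds from a share and NTFS permission dump), and the READ/CHANGE/FULL levels are a simplification of the real ACE masks that is good enough for a first pass.

```python
"""Review share and NTFS permissions for Everyone and for administrative shares.
Added example; SAMPLE_SHARES and SAMPLE_NTFS are constructed test data."""
import csv
import io

# Simplified access levels, ordered from least to most permissive.
LEVEL = {"NONE": 0, "READ": 1, "CHANGE": 2, "FULL": 3}

# Constructed share-permission export: one row per (share, trustee).
SAMPLE_SHARES = r"""share,path,trustee,access
C$,C:\,BUILTIN\Administrators,FULL
ADMIN$,C:\WINDOWS,BUILTIN\Administrators,FULL
ADMIN$,C:\WINDOWS,CORP\helpdesk,READ
Public,D:\Public,Everyone,READ
Finance,D:\Finance,Everyone,FULL
Finance,D:\Finance,CORP\FinanceUsers,CHANGE
"""

# Constructed NTFS permissions for the shared folders, same access vocabulary.
SAMPLE_NTFS = r"""path,trustee,access
C:\,BUILTIN\Administrators,FULL
C:\WINDOWS,BUILTIN\Administrators,FULL
C:\WINDOWS,CORP\helpdesk,READ
D:\Public,Everyone,READ
D:\Finance,CORP\FinanceUsers,CHANGE
D:\Finance,Everyone,READ
"""


def rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_admin_share(name):
    """ADMIN$ or a drive-letter share such as C$ / D$."""
    n = name.upper()
    return n == "ADMIN$" or (len(n) == 2 and n[0].isalpha() and n[1] == "$")


def admin_share_findings(share_rows, admins=(r"BUILTIN\Administrators",)):
    """Trustees on administrative shares that are not the administrators group."""
    return [(r["share"], r["trustee"], r["access"]) for r in share_rows
            if is_admin_share(r["share"]) and r["trustee"] not in admins]


def everyone_access(share_rows, ntfs_rows):
    """Per share that grants Everyone anything: (share level, NTFS level, effective).
    Effective access through a share is the more restrictive of the two."""
    ntfs = {(r["path"], r["trustee"]): r["access"] for r in ntfs_rows}
    result = {}
    for r in share_rows:
        if r["trustee"] != "Everyone":
            continue
        ntfs_level = ntfs.get((r["path"], "Everyone"), "NONE")  # no ACE: no access
        effective = min(r["access"], ntfs_level, key=LEVEL.__getitem__)
        result[r["share"]] = (r["access"], ntfs_level, effective)
    return result


def everyone_findings(share_rows, ntfs_rows):
    """Shares where Everyone is granted more than READ at the share level or
    ends up with more than READ effectively.  READ/READ matches the default
    the slide's note describes and is left for the directory-level review."""
    return [(share, levels) for share, levels in everyone_access(share_rows, ntfs_rows).items()
            if LEVEL[levels[0]] > LEVEL["READ"] or LEVEL[levels[2]] > LEVEL["READ"]]


if __name__ == "__main__":
    shares, ntfs = rows(SAMPLE_SHARES), rows(SAMPLE_NTFS)
    print("admin shares:", admin_share_findings(shares))
    print("Everyone:", everyone_access(shares, ntfs))
    print("findings:", everyone_findings(shares, ntfs))
```

In the sample, Everyone has FULL on the Finance share but only READ on the folder, so the effective access is READ; the share permission is still reported, because the NTFS ACL is the only thing holding the line and a later NTFS change would widen access without anyone touching the share.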
Review Services
- Review the standard services that run on the different servers (i.e. Domain Controllers, Web Servers, Application Servers, etc.).
- Make sure there is a business need for each service.
- Note: If the start-up type of a service is set to "Manual", an attacker could send a command to start the service and exercise a vulnerability against it.

IIS
- IIS is installed on each Windows server by default in 2000.
- Make sure there is a business need for all servers that are currently running IIS.

RAS Settings
- Disable the service if not used
- Set up a separate device for RAS
- Review settings to ensure the tightest control possible

Terminal Server
- Identify which servers are running Terminal Server and make sure there is a business need for this
- Terminal Server allows you to manage a server from any terminal as though you were there

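The four slides above (services, IIS, RAS, Terminal Server) are one check applied to a service inventory: everything that is running, or could be started, on a server must be in the documented baseline for that server's role. The script below is an added example, not from the deck; the service listing is constructed to resemble `wmic service get Name,StartMode,State /format:csv` output (real wmic output is UTF-16 with a leading blank line, which is why the text is stripped before parsing), and the per-role baselines are constructed too. It applies the note from the Review Services slide by reporting Manual services even though they are stopped.

```python
"""Compare a server's service inventory against a per-role baseline.
Added example; SAMPLE_WMIC and ROLE_BASELINE are constructed test data."""
import csv
import io

# Constructed `wmic service get Name,StartMode,State /format:csv` output for
# a file server (first line blank, as wmic prints it).
SAMPLE_WMIC = """\

Node,Name,StartMode,State
FS01,Browser,Disabled,Stopped
FS01,IISADMIN,Auto,Running
FS01,lanmanserver,Auto,Running
FS01,RemoteAccess,Manual,Stopped
FS01,Spooler,Auto,Running
FS01,TermService,Manual,Stopped
FS01,W3SVC,Auto,Running
"""

# Constructed per-role baselines: the services with a documented business need.
ROLE_BASELINE = {
    "file": {"lanmanserver", "Spooler"},
    "web": {"lanmanserver", "IISADMIN", "W3SVC"},
}


def parse_wmic_csv(text):
    """Parse wmic CSV output; strip() drops the leading blank line wmic emits."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def service_findings(services, role):
    """Services outside the role baseline that are running or could be started.
    Disabled services are skipped; Manual ones are reported because, as the
    slide notes, a stopped Manual service can still be started on demand."""
    allowed = ROLE_BASELINE[role]
    findings = []
    for s in services:
        if s["Name"] in allowed or s["StartMode"] == "Disabled":
            continue
        if s["State"] == "Running":
            reason = "running without documented need"
        elif s["StartMode"] == "Manual":
            reason = "stopped but Manual: can be started on demand"
        else:
            reason = f"{s['StartMode']} start, state {s['State']}"
        findings.append((s["Name"], reason))
    return sorted(findings)


if __name__ == "__main__":
    for name, reason in service_findings(parse_wmic_csv(SAMPLE_WMIC), "file"):
        print(f"{name:14} {reason}")
```

Running the same inventory against the "web" baseline shows why the role matters: IIS drops out of the findings and the print spooler appears instead.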
Anti-virus Software
- Identify which servers do not have anti-virus software running on them and notify management.

Audit Logs
- Review audit log settings for a sample of servers.
- Document and review procedures for the review of audit logs.
- Determine if logs are reviewed in a timely manner.

Physical Security
- Review the controls for physical security of all network devices (Servers, Workstations, Switches, Routers, etc.)

Vulnerability Scans
- Select a sample of servers that support critical applications and run a vulnerability scan on these servers.
- Obtain commitment from Management to address vulnerabilities identified.

Useful Tools
- GPMC (Microsoft)
- Local Security Settings (Microsoft)
- GPResult (Microsoft)
- Active Directory Users and Computers (Microsoft)
- Hyena (System Tools Software)
- Enterprise Security Manager (Symantec)
- Insight Manager (Consul)
- MOM (Microsoft)
- Internet & Systems Scanner (Internet Security Systems)
- Nessus (Open Source)
- NMap (Open Source)
- DumpSec, DumpReg & DumpEvents (SomarSoft)

Questions?
Comments!