ZT IK 3, Siemens CERT - SIEMENS - FIRST (slide transcript)
Slide 1
© Siemens AG 2000, Siemens CERT Team
SIEMENS, ZT IK 3, Siemens CERT
Siemens Computer Emergency Response Team
Sven Lehmberg
Slide 2: Agenda
- Event Viewer and User Manager
- Analyzing Audit Logs
- Tools
Slide 3: Auditing Step by Step
Two important programs in NT 4.0:
- Event Viewer
- User Manager / User Manager for Domains
Slide 5: Event Viewer
Slide 7: HOWTO Enable Auditing?
Slide 8: What to Audit?
Slide 9: Logon and Logoff
Slide 10: Interactive Logon
Slide 11: Logon Type and Processes
Logon Type:
- 2: Interactive
- 3: Network
- 4: Batch
- 5: Service
- 6: Proxy
- 7: Unlock Workstation
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Process:
- KSecDD
- User32 or WinLogon\MSGina
- SCMgr
- LAN Manager Workstation Service
- advapi
- MS.RADIUS
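The Logon Type codes and logon process names from this slide, as an added example (not code from the original slides): a parser for the Event Detail description of an NT 4.0 logon event that decodes the Logon Type, checks the Logon Process against the slide's list, and profiles which (type, process) pairs occur across many events. The event texts are constructed samples in the event 528 layout, and the field labels are assumptions.

```python
import re
from collections import Counter

# Logon Type codes and logon processes as listed on the slide (NT 4.0).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch",
               5: "Service", 6: "Proxy", 7: "Unlock Workstation"}
KNOWN_LOGON_PROCESSES = {"KSecDD", "User32", "WinLogon\\MSGina", "SCMgr",
                         "LAN Manager Workstation Service", "advapi",
                         "MS.RADIUS"}

# Event Detail descriptions consist of "Label:<tab>value" lines (assumed).
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

# Constructed sample descriptions in the event 528 layout (not real logs).
SAMPLE_EVENTS = [
    "Successful Logon:\n"
    "\tUser Name:\talice\n"
    "\tDomain:\tDOM\n"
    "\tLogon ID:\t(0x0,0x3E7)\n"
    "\tLogon Type:\t2\n"
    "\tLogon Process:\tUser32\n"
    "\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
    "\tWorkstation Name:\tWS1\n",
    "Successful Logon:\n"
    "\tUser Name:\tbackupsvc\n"
    "\tDomain:\tDOM\n"
    "\tLogon ID:\t(0x0,0x4A1)\n"
    "\tLogon Type:\t5\n"
    "\tLogon Process:\tSCMgr\n"
    "\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
    "\tWorkstation Name:\tSRV1\n",
    "Successful Logon:\n"
    "\tUser Name:\tbob\n"
    "\tDomain:\tDOM\n"
    "\tLogon ID:\t(0x0,0x5C2)\n"
    "\tLogon Type:\t3\n"
    "\tLogon Process:\tsomething_else\n"
    "\tAuthentication Package:\tMICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
    "\tWorkstation Name:\tWS7\n",
]

def parse_event_detail(text):
    """Turn an Event Detail description into a dict of label -> value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def describe_logon(text):
    """Decode Logon Type and Logon Process using the slide's tables."""
    f = parse_event_detail(text)
    raw_type = f.get("Logon Type", "")
    code = int(raw_type) if raw_type.isdigit() else None
    process = f.get("Logon Process", "")
    return {
        "user": f.get("User Name", ""),
        "domain": f.get("Domain", ""),
        "logon_type": code,
        "logon_type_name": LOGON_TYPES.get(code, "unknown"),
        "logon_process": process,
        "known_process": process in KNOWN_LOGON_PROCESSES,
        "auth_package": f.get("Authentication Package", ""),
    }

def logon_profile(descriptions):
    """Count (logon type, logon process) pairs over many events; pairs
    that are rare, or use a process not on the slide, deserve a closer look."""
    return Counter((d["logon_type_name"], d["logon_process"])
                   for d in map(describe_logon, descriptions))
```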
Slide 12: Logon over the Network
Slide 13: Event Detail – No Logon Right over Network
Slide 14: File and Object Access
Slide 15: File and Registry Auditing
Slide 16: Event Detail – Object Access: File
Slide 17: File System Access Types

Special permission               | Full control | Modify | Read&Execute, List folders | Read | Write
Traverse folder / Execute file   | x            | x      | x                          |      |
List folder / Read data          | x            | x      | x                          | x    |
Read attributes                  | x            | x      | x                          | x    |
Read extended attributes         | x            | x      | x                          | x    |
Create files / Write data        | x            | x      |                            |      | x
Create folders / Append data     | x            | x      |                            |      | x
Write attributes                 | x            | x      |                            |      | x
Write extended attributes        | x            | x      |                            |      | x
Delete subfolders and files      | x            |        |                            |      |
Delete                           | x            | x      |                            |      |
Read permissions (READ_CONTROL)  | x            | x      | x                          | x    | x
Change permissions (WRITE_DAC)   | x            |        |                            |      |
Take ownership (WRITE_OWNER)     | x            |        |                            |      |
Synchronize                      | x            | x      | x                          | x    | x
Slide 18: Registry Access Types
- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Notify
- Create Link
- Delete
- Write DAC
- Read Control
Slide 19: Use of User Rights
Slide 20: 27 User Rights
- Take ownership of files or other objects – SeTakeOwnershipPrivilege
- Log on as a Service – SeServiceSID
- Create permanent shared objects – SeCreatePermanentPrivilege
- Shut down the system – SeShutdownPrivilege
- Log on as a batch job – SeBatchSID
- Create a token object – SeCreateTokenPrivilege
- Restore files and directories – SeRestorePrivilege
- Lock pages in memory – SeLockMemoryPrivilege
- Create a pagefile – SeCreatePagefilePrivilege
- Replace a process level token – SeAssignPrimaryTokenPrivilege
- Load and unload device drivers – SeLoadDriverPrivilege
- Change the system time – SeSystemTimePrivilege
- Profile system performance – SeSystemProfilePrivilege
- Increase scheduling priority – SeIncreaseBasePriorityPrivilege
- Bypass traverse checking – SeChangeNotifyPrivilege
- Profile single process – SeProfileSingleProcessPrivilege
- Increase quotas – SeIncreaseQuotaPrivilege
- Backup files and directories – SeBackupPrivilege
- Modify firmware environment values – SeSystemEnvironmentPrivilege
- Generate security audits – SeAuditPrivilege
- Add workstation to domain – SeMachineAccountPrivilege
- Manage auditing and security log – SeSecurityPrivilege
- Force shutdown from a remote system – SeRemoteShutdownPrivilege
- Act as part of the operating system – SeTcbPrivilege
- Log on locally
- Debug programs – SeDebugPrivilege
- Access this Computer from Network
Slide 21: Event Detail – Use of User Rights
Slide 22: User and Group Management
Slide 23: Event Detail – User and Group Management
Slide 24: Security Policy Changes
Slide 25: Event Detail – Policy Change
Slide 26: Restart, Shutdown, and System
Slide 27: Event Detail – Restart, Shutdown, and System
Slide 28: Starting NT – Authentication and Trusted Logon
Slide 29: Process Tracking
Slide 30: Process IDs II
Slide 31: Process IDs II
Slide 32: Process IDs III – Windows 2000
Slide 33: Process IDs IV – Windows 2000
Slide 34: One Click – Many Security Events
Audit log entries for a new user account:
- Event 632: Global Group Member Added
- Event 624: User Account Created
- Event 642: User Account Changed
- Event 636: Local Group Member Added
Slide 35: Additional Auditing Settings
- Auditing Backup and Restore Activities: Key: HKLM\System\CCS\Control\Lsa\, Data: FullPrivilegeAuditing, Type: REG_BINARY, Value: 1
- Base Object Auditing: Key: HKLM\System\CCS\Control\Lsa\, Data: AuditBaseObjects, Type: REG_DWORD, Value: 1
Slide 36: "Account Lockout Event" stored on PDC
- Windows NT 4.0 SP4+
When a user enters too many incorrect passwords in an attempt to log on to a domain, the account is locked out and an event is written to the workstation's security log (if auditing is enabled there). With SP4 this event is also written to the PDC security log.
Slide 37: Audit Policy
Slide 38: Event Log Settings
Slide 39: Lessons Learnt
- You can get a lot of information from the logs
- Not all information is relevant
- Some information is wrong
- You can't get much information about logging from MS
Slide 40: Filter Suspicious Events from all Events
Event IDs:
- 512 - Windows NT is starting up
- 513 - Windows NT is shutting down
- 517 - The audit log was cleared
- 528 - Successful logon
- 529 - Unknown user name or bad password
- 530 - Account logon time restriction violation
- 531 - Account currently disabled
- 532 - The specified user account has expired
- 533 - User not allowed to log on at this computer
- 534 - User has not been granted the requested logon type
- 535 - The specified account's password has expired
- 536 - The NetLogon component is not active
- 537 - An unexpected error occurred during logon
- 538 - User log off
- 539 - Account locked out
- 576 - Special privileges assigned to new logon
- 608 - User Right Assigned
- 609 - User Right Removed
- 612 - Audit Policy Change
- 624 - User Account Created
- 643 - Domain Policy Changed
Slide 41: Suspicious Auditing Events
- Failed Logon, Event ID 529: Administrator and "Well Known Accounts"
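An added example (not code from the original slides) that applies the two slides above: it reduces an event dump to the listed event IDs and reports failed logons (event 529) against Administrator and other well-known accounts, or repeated failures against any account. The dump format, the set of well-known accounts and the failure threshold are assumptions, and the dump lines are constructed samples.

```python
from collections import Counter

# Event IDs the slide lists as worth filtering out of the full log.
SUSPICIOUS_EVENTS = {
    512: "Windows NT is starting up",
    513: "Windows NT is shutting down",
    517: "The audit log was cleared",
    528: "Successful logon",
    529: "Unknown user name or bad password",
    530: "Account logon time restriction violation",
    531: "Account currently disabled",
    532: "The specified user account has expired",
    533: "User not allowed to log on at this computer",
    534: "User has not been granted the requested logon type",
    535: "The specified account's password has expired",
    536: "The NetLogon component is not active",
    537: "An unexpected error occurred during logon",
    538: "User log off",
    539: "Account locked out",
    576: "Special privileges assigned to new logon",
    608: "User Right Assigned",
    609: "User Right Removed",
    612: "Audit Policy Change",
    624: "User Account Created",
    643: "Domain Policy Changed",
}
# Assumptions: which accounts count as "well known", and how many 529s
# against one account from one computer before it is reported anyway.
WELL_KNOWN_ACCOUNTS = {"administrator", "guest"}
FAILED_LOGON_THRESHOLD = 3

# Constructed dump, one event per line: date|time|event id|user|computer
# (not the output format of any real tool; 560 is a non-listed event).
SAMPLE_DUMP = """\
2000-03-01|08:02:13|528|DOM\\alice|WS1
2000-03-01|08:05:40|560|DOM\\alice|WS1
2000-03-01|08:07:02|529|DOM\\Administrator|WS9
2000-03-01|08:07:05|529|DOM\\Administrator|WS9
2000-03-01|08:09:11|529|DOM\\bob|WS3
2000-03-01|08:09:14|529|DOM\\bob|WS3
2000-03-01|08:09:18|529|DOM\\bob|WS3
2000-03-01|08:12:00|538|DOM\\alice|WS1
2000-03-01|09:30:27|517|DOM\\Administrator|PDC1
"""

def parse_dump(text):
    """Split the dump into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, event_id, user, computer = line.split("|")
        events.append({"time": date + " " + time, "id": int(event_id),
                       "user": user, "computer": computer})
    return events

def filter_suspicious(events):
    """Keep only the slide's event IDs and attach their descriptions."""
    return [dict(e, description=SUSPICIOUS_EVENTS[e["id"]])
            for e in events if e["id"] in SUSPICIOUS_EVENTS]

def failed_logon_findings(events, threshold=FAILED_LOGON_THRESHOLD):
    """Count 529s per (account, computer) and report every attempt against
    a well-known account, or at least `threshold` against any other."""
    failures = Counter((e["user"], e["computer"])
                       for e in events if e["id"] == 529)
    findings = []
    for (user, computer), n in sorted(failures.items()):
        account = user.split("\\")[-1].lower()   # strip the DOMAIN\ prefix
        well_known = account in WELL_KNOWN_ACCOUNTS
        if well_known or n >= threshold:
            findings.append({"user": user, "computer": computer,
                             "failures": n, "well_known": well_known})
    return findings
```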
Slide 42: Filter Suspicious Events from all Events
Slide 43: Deficiencies of NT Logging
- Portscans cannot be detected; tools that can:
  - BOF – Back Officer Friendly (NFR), http://www.nfr.com
  - Nuke Nabber 2.9a (Dynamsol), http://www.dynamsol.com/puppet/
  - NetMonitor v0.90 (LeechSoftware), http://www.leechsoftware.com
  - BlackICE, http://advide.networkice.com
- Workstation logs are kept locally; see next slide
Slide 44: Logging Host
- EvntSLog 2.0
- NTSlog 1.02, 2.0
- NTOLog
- Siemens CERT
Slide 45: Further Tools
- Lservers (NT Objectives, Inc.)
- NPList (NT Objectives, Inc.)
- WDumpEvt 1.2
- ELDump 0.12
- ELSaveClr
- NTLast
- Tripwire 2.1 for Windows NT
Slide 46: Literature etc.
- MS Knowledgebase: Q174073, Auditing User Authentication; Q174074, Security Event Descriptions; Q163905, Auditing User Right Assignment Changes; Q101366, Definition and List of Windows NT Advanced User Rights; et al., found at http://support.microsoft.com/support/search/c.asp
- Books etc.: Microsoft – Windows NT 4.0 Security, Audit and Control (Microsoft Press – Microsoft Technical Reference); Windows NT Server Resource Kit 4.0; Visual C++: winnt.h