Using WinReporter to perform security audits on Windows TM networks



Similar documents
Patch management with WinReporter and RemoteExec

UserLock vs Microsoft CConnect

Cyber Security: Beginners Guide to Firewalls

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

GFI White Paper PCI-DSS compliance and GFI Software products

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Firewalls Overview and Best Practices. White Paper

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

For more information on SQL injection, please refer to the Visa Data Security Alert, SQL Injection Attacks, available at

Data Privacy: The High Cost of Unprotected Sensitive Data 6 Step Data Privacy Protection Plan

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Intrusion Detections Systems

Information Technology Security Review April 16, 2012

Network Management and Monitoring Software

Cyber Security Metrics Dashboards & Analytics

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

A Decision Maker s Guide to Securing an IT Infrastructure

SANS Top 20 Critical Controls for Effective Cyber Defense

Database Security Guideline. Version 2.0 February 1, 2009 Database Security Consortium Security Guideline WG

System Security Policy Management: Advanced Audit Tasks

Detecting rogue systems

ManageEngine Desktop Central Training

Endpoint Security Management

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

Enterprise Computing Solutions

Don t skip these expert tips for making your firewall airtight, bulletproof and fail-safe. 10 Tips to Make Sure Your Firewall is Really Secure

2012 North Dakota Information Technology Security Audit Vulnerability Assessment and Penetration Testing Summary Report

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Banking Security using Honeypot

Global Partner Management Notice

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Protecting Your Organisation from Targeted Cyber Intrusion

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Feedback Ferret. Security Incident Response Plan

Streamlining Web and Security

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

End-user Security Analytics Strengthens Protection with ArcSight

Managing Vulnerabilities for PCI Compliance White Paper. Christopher S. Harper Managing Director, Agio Security Services

Bio-inspired cyber security for your enterprise

Cisco Security Optimization Service

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Network Security Policy

IDS / IPS. James E. Thiel S.W.A.T.

Data Security Incident Response Plan. [Insert Organization Name]

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

CERT 1 System and Network Security Practices i

CNA NetProtect Essential SM. 1. Do you implement virus controls and filtering on all systems? Background:

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

Chapter 4 Application, Data and Host Security

The Need for Real-Time Database Monitoring, Auditing and Intrusion Prevention

Industrial Communication. Securing Industrial Wireless

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

Security Policies and Procedures The Final Hurdle

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Guideline for department and agency implementation of the Information Security Penetration Testing standard SEC/STD/03.

Cyber Self Assessment

Network Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering

Effective Software Security Management

Guide to Vulnerability Management for Small Companies

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

24/7 Visibility into Advanced Malware on Networks and Endpoints

What a Vulnerability Assessment Scanner Can t Tell You. Leveraging Network Context to Prioritize Remediation Efforts and Identify Options

Marlicia J. Pollard East Carolina University ICTN 4040 SECTION 602 Mrs. Boahn Dr. Lunsford

Network and Host-based Vulnerability Assessment

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

FIVE PRACTICAL STEPS

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

PCI Compliance for Healthcare

Security Considerations in Cloud Deployments Matthew Garrett

The Ten Most Important Steps You Can Take to Protect Your Windows-based Servers from Hackers

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Technical Testing. Network Testing DATA SHEET

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

PCI DSS 3.1 and the Impact on Wi-Fi Security

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

VMWARE Introduction ESX Server Architecture and the design of Virtual Machines

Passing PCI Compliance How to Address the Application Security Mandates

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Does your Citrix or Terminal Server environment have an Achilles heel?

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

Infinity Acute Care System monitoring system

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities

Information Security Organizations trends are becoming increasingly reliant upon information technology in

Website Security: How to Avoid a Website Breach. Jeff Bell, CISSP, CPHIMS, ACHE Director, IT Security and Risk Services CareTech Solutions

Transcription:

White Paper Using WinReporter to perform security audits on Windows TM networks This document reviews how IS Decisions WinReporter enables Windows systems & networks administrators to conduct the following security tasks : Vulnerability assessment Host based intrusion detection Forensic investigation TECHNOPÔLE IZARBEL - CRÉATICITÉ - BÂTIMENT A - BP 12-64210 BIDART (FRANCE) TEL. : +335.59.41.42.20 - FAX : +335.59.41.42.21 - info@isdecisions.com - www.isdecisions.com

WinReporter rational: the Swiss Army knife approach WinReporter is the perfect tool to provide network administrators with an accurate picture of their infrastructure. WinReporter offers a set of 58 predefined reports that will help the network administrator in his audit and monitoring tasks: hardware upgrades, software updates and licensing, security checks, etc. WinReporter goes further and lets the network administrator drill down through all the information with specific queries. Even though WinReporter is a general purpose administration tool, its powerful capabilities allow the network administrator to conduct security specific tasks. In the remainder of this paper, we will narrow our focus on the security capabilities of WinReporter. Never underestimate internal threats Experience has shown that about 80% of network attacks originate from insiders. This is the consequence of a neglected internal network security. Too often such security does not even exist. Missing patches, poor configurations and trust relationships are avenues for unskilled successful attacks. Corporate networks are often qualified as hard and crunchy outside, smooth and chewy inside A legitimate user within the company already has access to internal resources, does not have to defeat any firewall, or to cover its tracks. Worst, should an external attacker gain an unnoticed access to the network, how could network administrators detect their subsequent actions? To counter such internal threats, specific measures have to be implemented, and even though WinReporter s first mandate is not security auditing, WinReporter can dramatically improve the overall security of your infrastructure. WinReporter added value Virtually all available information about the network is gathered by WinReporter. This information ranges from hardware to software configuration. Additionally, WinReporter can collect all event log information. Event log management is the pillar of many security detective measures, and it is a good practice to audit all events logs. However, this is easier said than done. Windows is good at collecting event logs, although when it comes to boil down tons of logs to timely get the right information, Windows falls short: The relevant information is scattered all over the network s nodes. The provided information is far too insufficient. Should the node be compromised, the log information could be lost. Filtering and reporting capabilities are really poor. WinReporter fills the gap. It offers event log management in addition to its powerful configuration scanning capabilities. Once this information is pieced together, network administrators have a mighty mean to monitor every single event that might occur within the network. 2

WinReporter as a security tool What makes WinReporter so powerful is its great flexibility: WinReporter s features allow network administrators to conduct the following security tasks: Vulnerability assessment Host based intrusion detection Forensic investigation And to focus on what really matters: getting comprehensive and reliable information, and being able to discriminate what is really relevant. To demonstrate such a statement, let s will examine each of these cases in turn. Vulnerability assessment with WinReporter As a part of risk mitigation process, and in order to quantify the risk that his organization is running, a network administrator has to evaluate what are the infrastructure s vulnerabilities that an attacker could exploit. Here is where things get complicated Based on the principal that an attacker will exploit the weakest link in the infrastructure s security chain, network administrators have to consider any flaw that could appear anywhere in hardware or software. The genuine strength of WinReporter is that it gathers and exploits all kind of information. Wisely used, it will let the network administrator uncover a number of flaws. WinReporter identifies security breaches and alerts network administrators to weaknesses before an attacker can find them. This gives network administrators a unique opportunity to remove or mitigate these flaws before an attacker could exploit them. WinReporter provides in-depth information about security sensitive configurations such as: Missing updates: Service Packs and hotfixes installed. How to proceed: Reporter > Reports > Windows > Versions & updates > Windows versions & updates Software that poses a threat: scanner, encryption tools, peer to peer files exchange software. How to proceed: Reporter> Software > Software policy analysis Unusual user or group accounts How to proceed: Reporter > Reports > Windows > Security > Users in groups Reporter > Reports > Windows > Security > Local accounts analysis Reporter > Reports > Windows > Security > Local administrator analysis Unauthorized device detection: rogue modem, NIC, wireless devices, floppy drives How to proceed: Reporter > Reports > Hardware > Devices > Devices > network adapter modem floppy drive Unmanaged shared folders How to proceed: Reporter > Reports > Windows > System > Shares analysis Reporter > Reports > Windows > System > Share permissions FAT partitions without access control means How to proceed: Reporter> Reports > General > General Report > Disk Partitions Unusual or dangerous services How to proceed: Reporter> Reports > Windows > System > Services analysis 3

WinReporter is also a great mean to monitor other issues such as licensing or copyright control: Amount of instances of a given software How to proceed: Reporter > Software > Install Analysis Peer to peer file exchange software that might waste network resources How to proceed: Reporter > Software > Software policy analysis This short list is far from being exhaustive. WinReporter is designed with flexibility in mind, to better meet all organizations needs in terms of network monitoring. Host based intrusion detection with WinReporter In extended networks, information is scattered amongst all computers, and there is no convenient way to interpret this useful information. WinReporter fills the gap left by Microsoft; it pushes further Windows auditing capabilities to emulate a host based intrusion detection system (HIDS). A firewall is just the first line of defence of a network: a good start to ensure network security, but just the start, and by itself, insufficient. Typically, best practices recommend using firewalls in conjunction with IDSs. IDSs come in two flavours, network based and host based. Both should be used since they address different threats. WinReporter can perform the host based part of intrusion detection. Thanks to WinReporter versatility, network administrators can monitor all events occurring on network s computers. Since this is done using Windows auditing native capabilities, host monitoring does not hurt performance and remains cost-effective. WinReporter capabilities provide an accurate picture of all occurred events. Regular scans will reveal any sensitive information such as: User session information, logon/logoff activity How to proceed: Reporter > Reports > Eventlog Report > Connections > Session history Process tracking How to proceed: Reporter > Reports > Eventlog Report > Process Tracking Access control events How to proceed: Reporter > Reports > Eventlog Report > File Access Report Computer reboot events How to proceed: Reporter > Reports > Eventlog Report > Computers start & shutdown Close security events monitoring How to proceed: Reporter > Reports > Eventlog Report > Generic Event Report All attacks leave tracks, therefore suspicious behavior can be timely detected and necessary measures can be taken. However, highly sensitive computers deserve real time monitoring. WinReporter can detect changes once a scan is performed, not in real time. To address this specific issue IS Decisions provides another tool called EvenTrigger that monitors host events in real time and notifies network administrators right away. 4

Forensic investigation with WinReporter No network is 100% secure. Information security is a trade-off between usability and protection; hence, sometimes the network is compromised. Even when things have gone wrong WinReporter can help network administrators discover what happened. Scanning the network and storing that information on a regular basis is mandatory to support accountability, legal investigations, and internal trends analysis. This lets network administrators know in great details what a given user did in the past. Where and when did he log How to proceed: Reporter > Reports > Event Reports > Connections > Sessions history What process did he run How to proceed: Reporter > Reports > Event Reports > Process Tracking How and which file did he access How to proceed: Reporter > Reports > Event Reports > File Access Report This monitoring capability makes every user of the network accountable including the administrator group. How to push your investigation further with WinReporter So far, we have covered how to use the readily available reports of WinReporter in information security context. However, there is more you can do with WinReporter, and savvy administrators can go further. WinReporter gives administrators full access to its internal database: thanks to this remarkable feature, administrators can fine-tune their queries and drill down on worthy information. This capability is all administrators need to spot missing critical information as well as more straightforward searches. For instance, an administrator might want to pinpoint who ran which binaries to start a given service on a specific workstation. This looks a bit cumbersome; however it could be an efficient way to discover who has planted backdoor software on that workstation. WinReporter makes network administrators lives easier, just run: Reporter > Tables > services and go for wanted service. A more every-day issue is copyright liability. In order to make sure that no mp3 file is stored somewhere in the network; all the network administrator has to do is run: Reporter > Tables > realfiles and search for *mp3 files. WinReporter can work hand in hand with dedicated security tools. The netcards table provides the network administrator with all authorized MAC addresses. If a network sniffer detects a packet with a MAC different from a trusted MAC, the likelihood of an ongoing attack is high. Conclusion In today s networked business environment, it is essential to mitigate infrastructure vulnerabilities, and track security related activities in order to respond promptly to intrusion attempts, and hold everyone accountable. Windows does not provide such capabilities, and to achieve such a mandate one needs to acquire a third party software specialized in that area. A cost-effective solution is to make the best use of generic powerful tool such as WinReporter. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information