Log Management and Intrusion Detection



Similar documents
PLANNING AND DESIGNING GROUP POLICY, PART 1

Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS

Hands-On Microsoft Windows Server 2008

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

4cast Client Specification and Installation

Find the Who, What, Where and When of Your Active Directory

ACTIVE DIRECTORY DEPLOYMENT

Windows Security Scoring Tool Implementation Guide v2.0.1

Windows NT Server Operating System Security Features Carol A. Siegel Payoff

Step-by-Step Guide to Securing Windows XP Professional with Service Pack 2 in Small and Medium Businesses

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

NETWRIX ACCOUNT LOCKOUT EXAMINER

Introduction. Activating the CFR Module License. CFR Configuration

NETWRIX IDENTITY MANAGEMENT SUITE

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu

NETWRIX WINDOWS SERVER CHANGE REPORTER

NetWrix Account Lockout Examiner Version 4.0 Administrator Guide

Advanced Audit Policy Configurations for LT Auditor+ Reference Guide

Secrets of Event Viewer for Active Directory Security Auditing Lepide Software

Pearl Echo Installation Checklist

How to monitor AD security with MOM

Xcalibur. Foundation. Administrator Guide. Software Version 3.0

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Table of Contents WELCOME TO ADAUDIT PLUS Release Notes... 4 Contact ZOHO Corp... 5 ADAUDIT PLUS TERMINOLOGIES... 7 GETTING STARTED...

Microsoft Auditing Events for Windows 2000/2003 Active Directory. By Ed Ziots Version 1.6 9/20/2005

Integrating LANGuardian with Active Directory

Installation Instruction STATISTICA Enterprise Server

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark

Objectives. At the end of this chapter students should be able to:

2. Using Notepad, create a file called c:\demote.txt containing the following information:

Outpost Network Security

Administration Guide ActivClient for Windows 6.2

Dell InTrust Auditing and Monitoring Microsoft Windows

Dell Active Administrator 7.5. Install Guide

Server Manager Performance Monitor. Server Manager Diagnostics Page. . Information. . Audit Success. . Audit Failure

Migration Strategies and Tools for the HP Print Server Appliance

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Windows Server 2008 (Domain Member Servers and Domain Controllers)

LT Auditor+ for Windows

Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Deployment of Keepit for Windows

Course 6425B: Configuring and Troubleshooting Windows Server 2008 Active Directory Domain Services

Active Directory Change Notifier Quick Start Guide

Installation Guide - Client. Rev 1.5.0

Sophos Anti-Virus for NetApp Storage Systems startup guide

Alpha High Level Description

Windows Domain Network Configuration Guide

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

Windows Logging Configuration: Audit Policy Configuration

EVENT VIEWER IN WINDOWS 7

WhatsUp Gold v16.1 Installation and Configuration Guide

EMC Celerra Network Server

Understanding Task Scheduler FIGURE Task Scheduler. The error reporting screen.

Windows XP Service Pack 2 Windows Firewall Group Policy Setup for Executive Software Products

The Institute of Internal Auditors Detroit Chapter Presents

Symantec Backup Exec TM 11d for Windows Servers. Quick Installation Guide

How to Manage a Windows NT Server Computer Remotely

PRODUCT WHITE PAPER LABEL ARCHIVE. Adding and Configuring Active Directory Users in LABEL ARCHIVE

DriveLock Quick Start Guide

CLIENT CERTIFICATE (EAP-TLS USE)

NetWrix Logon Reporter V 2.0

Browser-based Support Console

Download/Install IDENTD

NetWrix Password Manager. Quick Start Guide

Web-Access Security Solution

Embarcadero Performance Center 2.7 Installation Guide

Activity 1: Scanning with Windows Defender

Symantec AntiVirus Corporate Edition Patch Update

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol...

Create, Link, or Edit a GPO with Active Directory Users and Computers

Migrating helpdesk to a new server

NETWRIX USER ACTIVITY VIDEO REPORTER

Windows Operating Systems. Basic Security

HOW TO SILENTLY INSTALL CLOUD LINK REMOTELY WITHOUT SUPERVISION

SystemTools Software Inc. White Paper Series Hyena Installation Requirements

TROUBLESHOOTING INCORRECT REPORTING OF THE WHO CHANGED PARAMETER

LifeSize Control Installation Guide

Understand Troubleshooting Methodology

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS

Kaseya Server Instal ation User Guide June 6, 2008

CONFIGURING TARGET ACTIVE DIRECTORY DOMAIN FOR AUDIT BY NETWRIX AUDITOR

Ecora Enterprise Auditor Instructional Whitepaper. Who Made Change

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

How to deploy SurveilStar PC/Internet Monitoring Software

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

CLEO NED Active Directory Integration. Version 1.2.0

YubiKey PIV Deployment Guide

Technical documentation: SPECOPS PASSWORD POLICY

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide

Server Edition Administrator s Guide

Using Windows Administrative Tools on VNX

SWCS 4.2 Client Configuration Users Guide Revision /26/2012 Solatech, Inc.

Moving the TRITON Reporting Databases

DigitalPersona Pro Server for Active Directory v4.x Quick Start Installation Guide

NetBackup Backup, Archive, and Restore Getting Started Guide

Transcription:

Log Management and Intrusion Detection Dr. Guillermo Francia,, III Jacksonville State University Prerequisites Understand Event Logs Understand Signs of Intrusion Know the Tools Log Parser (Microsoft) Windows scripts (Microsoft) PS Tools Suite (SysInternals( SysInternals) Java, NetBeans,, and JFreeChart Event Log Service Automatically started in Windows Application and system log files are viewable by users Security log files are restricted to administrators Security logging is turned off by default Log Types in Windows Application log (AppEvent.evt) events logged by applications. Security log (SecEvent.evt) contains records of valid and invalid logon attempts and events related to resources use, such as creating, opening, or deleting files or other objects. System log (SysEvent.evt) contains system component event. Driver failures and hardware issues. 1

Log Types in Windows Directory Service log (NTDS.evt) Log for active directory services File replication log (NtFrs.evt) contains windows File Replication service events and Sysvol changes DNS logs (DnsEvent.evt) DNS event logs are stored in DNS servers Log Information* Errors Warnings Information Successful audit Failed audits * A major challenge is that it may consist of hours of data and gigabyte of information Windows Log Limitations Lack of real time monitoring and alerts Lack of a central log monitoring system Audit trails limited to local security logs Critical events not well defined Critical logs may be overwritten by newer data no efficient archiving process Preservation of log file integrity not well developed Log filtering non existent Windows Log Defaults Stored in the %Windir%\system32\config folder Have a maximum size of 16 MB (Windows Server 2003) or 512 KB (Windows 2000/XP) Overwrite events more than 7 days old 2

Suggested Windows Log Configurations Increase the size* of each event log to at least 50 MB. Change the overwrite behavior for the Security log to Do Not Overwrite Events Change the overwrite behavior for the other event logs to Overwrite Events As Needed Configuring Event Logs Configure the security event logging by Control Panel Administrative Tools Local Security Policy Setup the necessary audit policy *Note: each event is about ½ KB in size. Configuring Event Logs Setup the security options Configuring Event Logs Use the Event Viewer to check the generated events 3

Some Event Types Type 2 : Console logon from local computer. Type 3 : Network logon or network mapping (net use/net view) Type 4 : Batch logon, running of scheduler Type 5 : Service logon a service that uses an account Type 7 : Unlock Workstation Type 10: Remote logon (terminal services, remote desktop) Some Event IDs Event ID 528 : Successful Logon Event ID 529 : Unknown user name or bad password Event ID 530 : Logon time restriction violation Event ID 531 : Account disabled Event ID 532 : Account expired Event ID 533 : Workstation restriction, the user is not allowed to logon at this computer Event ID 534 : Inadequate rights for console login. Event ID 535 : Password expired Event ID 536 : Net Logon service down Event ID 537 : unexpected error Event ID 538 : Logoff Some Event IDs Event ID 539 : Logon Failure: Account locked out Event ID 627 : NT AUTHORITY\ANONYMOUS is trying to change a password Event ID 644 : User account Locked out Event ID 541 : IPSec security association established Event ID 543 : IPSec security association ended (key exchange) Event ID 544 : IPSec security association establishment failed because peer could not authenticate Event ID 545 : IPSec peer authentication failed Event ID 547 : IPSec security association negotiation failed Event ID 672 : Authentication Ticket Granted Event ID 673 : Service Ticket Granted Automating Windows Security Configuration Management To add Security Configuration and Analysis to an MMC console Click Start,, click Run,, then type mmc and click OK. Create a new console, on the File menu, click New. On the File menu, click Add/Remove Snap-in in,, and then, in Add/Remove Snap-in in,, click Add. Click Security Configuration and Analysis and click Add. Click Security Templates and click Add. Click Close,, then click OK. 4

Analyzing Windows Security Right-click Security Configuration and Analysis and click Open Database. Open or Create a database as needed. Right-click Security Configuration and Analysis, and then click Analyze Computer Now. To view the log file, right-click Security Configuration and Analysis, and then click View Log File. Analyzing Windows Security Using secedit in the Command Prompt secedit /analyze /DB FileName [/CFG FileName ] [/log LogPath][ ][/quiet] Where: /DB FileName Path to database security template /CFG FileName Path to at least one security template /log LogPath Path to the log file for the process. /quiet Suppresses screen and log output. 5

Intrusion Detection Objectives of system intrusion Access information Manipulate information Render a system inoperative 100% prevention of system intrusion is unrealistic System penetration and damage can be alleviated by detecting the attempts and implementing preventive measures Intrusion Detection Classification* Attempted break-ins --detected by atypical behavior profiles or violations of security constraints. Masquerade attacks-- --detected by atypical behavior profiles or violations of security constraints. Penetration of system-- --detected by monitoring for specific patterns of activity. Leakage-- --detected by atypical use of system resources. Denial of service-- --detected by atypical use of system resources. Malicious use-- --detected by atypical behavior profiles, violations of security constraints, or use of special privileges. * Steven E Smaha. Haystack: An Intrusion Detection System. In Fourth Aerospace Computer Security Applications Conference, pages 37-44, Austin, Texas, December 1988. A Simple Intrusion Detection System Audit/Log Data Pre-Processing & Normalization Normalized Data System Parameters Add Profile Threshold Reached A Simple Log Visualization System Audit/Log Data Collated & Normalized Data Pre-Processing, Collating, & Normalization Enter Visualization Options Java-Based Visualization System Display Charts Modify Profile Activate Intrusion Alarm 6

Intrusion Detection using Event Log Analysis Failed logons attempts Event ID 529-535, 535, 539 User Account Lockout Event ID 644 Security Enabled Group/Local setting changed Event IDs 631-641 641 User account/password changed Event IDs 627, 628, 642 Succesful Network Logon Event IDs 540 Intrusion Detection using Event Logs User account created/enabled Event ID 624 and 626 Audit policy changed Event ID 612 Domain policy changed Event ID 643 Security log was cleared Event ID 517 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information