WINDOWS FILE AUDITING CHEAT SHEET - Win 7/Win 2008 or later



Similar documents
WINDOWS REGISTRY AUDITING CHEAT SHEET - Win 7/Win 2008 or later

Install the Production Treasury Root Certificate (Vista / Win 7)

SHARING FILE SYSTEM RESOURCES

Windows Security Scoring Tool Implementation Guide v2.0.1

DeviceLock Management via Group Policy

Log Management and Intrusion Detection

CONFIGURING TARGET ACTIVE DIRECTORY DOMAIN FOR AUDIT BY NETWRIX AUDITOR

Wavecrest Certificate

INSTALLING MICROSOFT SQL SERVER AND CONFIGURING REPORTING SERVICES

CONFIGURING MICROSOFT SQL SERVER REPORTING SERVICES

Step-by-step installation guide for monitoring untrusted servers using Operations Manager ( Part 3 of 3)

HELP DOCUMENTATION E-SSOM DEPLOYMENT GUIDE

DeviceLock Management via Group Policy

How to monitor AD security with MOM

Active Directory Domain Migration Checklist ADUM Active Directory Migrator

How to Configure a Secure Connection to Microsoft SQL Server

How to Configure Microsoft System Operation Manager to Monitor Active Directory, Group Policy and Exchange Changes Using NetWrix Active Directory

Server Manager Performance Monitor. Server Manager Diagnostics Page. . Information. . Audit Success. . Audit Failure

Contents 1. Introduction 2. Security Considerations 3. Installation 4. Configuration 5. Uninstallation 6. Automated Bulk Enrollment 7.

Creating and Managing Shared Folders

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

etoken Enterprise For: SSL SSL with etoken

White Paper. Deployment of ActiveX Controls via Microsoft Windows Active Directory. Fabasoft Folio 2015 Update Rollup 2

Create, Link, or Edit a GPO with Active Directory Users and Computers

ILTA HANDS ON Securing Windows 7

Active Directory Change Notifier Quick Start Guide

S/MIME on Good for Enterprise MS Online Certificate Status Protocol. Installation and Configuration Notes. Updated: October 08, 2014

Chapter. Managing Group Policy MICROSOFT EXAM OBJECTIVES COVERED IN THIS CHAPTER:

LDAP Server Configuration Example

Objectives. At the end of this chapter students should be able to:

DigitalPersona Pro Server for Active Directory v4.x Quick Start Installation Guide

Security Development Tool for Microsoft Dynamics AX 2012 WHITEPAPER

SmartDraw Installation Guide

PLANNING AND DESIGNING GROUP POLICY, PART 1

Outpost Network Security

TROUBLESHOOTING INCORRECT REPORTING OF THE WHO CHANGED PARAMETER

Sophos Anti-Virus for NetApp Storage Systems startup guide

Microsoft Windows PowerShell v2 For Administrators

Silect Software s MP Author

Alpha High Level Description

Rev. 06 JAN Document Control User Guide: Using Outlook within Skandocs

NETWRIX FILE SERVER CHANGE REPORTER

Learn how to create web enabled (browser) forms in InfoPath 2013 and publish them in SharePoint InfoPath 2013 Web Enabled (Browser) forms

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

Managed Antivirus Quick Start Guide

2. Using Notepad, create a file called c:\demote.txt containing the following information:

Lab 5 Managing Access to Shared Folders

Setting Up SSL on IIS6 for MEGA Advisor

NetWrix USB Blocker. Version 3.6 Administrator Guide

NETWRIX EVENT LOG MANAGER

Getting Started. Symantec Client Security. About Symantec Client Security. How to get started

Configuring the Active Directory Plug-in

METAmessage Server and Domain Requirements

NetWrix Exchange Change Reporter

A Roadmap for Securing IIS 5.0

Swyx Trace Tool Server Installation

CIFS Permissions Best Practices Nasuni Corporation Natick, MA

Capture Pro Software FTP Server System Output

4cast Server Specification and Installation

Also on the Performance tab, you will find a button labeled Resource Monitor. You can invoke Resource Monitor for additional analysis of the system.

HTTP Server Setup for McAfee Endpoint Encryption (Formerly SafeBoot) Table of Contents

How to install Small Business Server 2003 in an existing Active

Getting started. Symantec AntiVirus Corporate Edition 8.1 for Workstations and Network Servers

Releasing blocked in Data Security

9 Administering Shared Folders

Windows 10 and Enterprise Mobility

Enable SSL for Apollo 2015

Role Based Administration for LDMS 9.0 SP2

Thin Client Manager. Table of Contents. 1-10ZiG Manager. 2 - Thin Client Management. 3 - Remote client configurations. 1 of 16

Idera SQL Diagnostic Manager Management Pack Guide for System Center Operations Manager. Install Guide. Idera Inc., Published: April 2013

4cast Client Specification and Installation

Secrets of Event Viewer for Active Directory Security Auditing Lepide Software

Ekran System Help File

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

National Security Agency

IIS Deployment Procedures

Sophos Anti-Virus for NetApp Storage Systems startup guide. Runs on Windows 2000 and later

Coveo Platform 7.0. Microsoft Dynamics CRM Connector Guide

Using Management Shell Reports and Tracking User Access in the NetVanta UC Server

GoldKey Software. User s Manual. Revision WideBand Corporation Copyright WideBand Corporation. All Rights Reserved.

DataKeeper Cloud Edition. v7.5. Installation Guide

LAB 1: Installing Active Directory Federation Services

NETWRIX WINDOWS SERVER CHANGE REPORTER

SMART Active Directory Migrator. Desired End State and Project Prerequisites

Active Directory. Users & Computers. Group Policies

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

DriveLock Quick Start Guide

How to use mobilecho with Microsoft Forefront Threat Management Gateway (TMG)

Command-Line Reference

SETUP SSL IN SHAREPOINT 2013 (USING SELF-SIGNED CERTIFICATE)

WhatsUp Gold v16.1 Installation and Configuration Guide

NetWrix SQL Server Change Reporter

File systems security: Shared folders & NTFS permissions, EFS Disk Quotas

Citrix Systems, Inc.

The Windows Server 2003 Environment. Introduction. Computer Roles. Introduction to Administering Accounts and Resources. Lab 2

Como configurar o IIS Server para ACTi NVR Enterprise

Transcription:

This Windows File Auditing Cheat Sheet is intended to help you get started with basic and necessary File and Folder Auditing. This cheat sheet includes some very common items that should have auditing enabled, configured, gathered and harvested for any Log Management, Information Security program or other security log gathering solution. Start with these settings and add to the list as you understand better what is in your logs and what you need to monitor and alert on. WHY AUDIT FILES AND FOLDERS: Files are often added or changed by hackers and malware. By auditing key file and folder locations, any additions or changes made by an attacker can be captured in the logs, harvested by a log management solution and potentially alerted on or gathered during an investigation. Building a base configuration for file and folder auditing provides you a great starting point to build upon. As you mature your logging program, you can build upon and develop it as you find new locations that are important to monitor. We recommend as a part of any Information Security program that you implement and practice Malware Management. You can read more on what Malware Management is and how to begin doing in here: www.malwaremanagement.com The basic idea of Malware Management is, as you find file and folder locations reported in an incident response firm s malware analysis, virus/malware reports and your own incidents and investigations, you can expand on the base auditing listed in this cheat sheet and make it more mature and applicable to your specific needs or requirements. RESOURCES: Places to get more information 1. MalwareArchaeology.com/cheat-sheets - More Windows cheat sheets and scripts to assist in your audit settings. 2. Log-MD.com The Log Malicious Discovery tool reads security related log events and settings. Use Log-MD to audit your log settings compared to the Windows Logging Cheat Sheet and Center for Internet Security (CIS) to help with configuring your audit policy and refine file and registry auditing. List Event ID 4663 to see what files and folders might be noise and can be removed from your audit policy. 3. technet.microsoft.com Information on Windows auditing 4. https://msdn.microsoft.com/en-us/library/bb742512.aspx - Using Security Templates to set audit policies 5. Google! But of course. January 2016 ver 1.0 MalwareArchaeology.com Page 1 of 6

ENABLE AND CONFIGURE:: 1. FILE AUDITING: In order to collect file and folder auditing events (Event ID 4663) you must first apply the settings found in the Windows Logging Cheat Sheet. These settings will allow a Windows based system to collect any events on files and folders that have auditing enabled. CONFIGURE: 1. LOCAL LOG SIZE: Increase the maximum size of your local Security log. Proper auditing will increase log data beyond the default settings, your goal should be to keep local security logs for around 7 days. Security log set to 1GB (1,000,000KB) or larger (yes this is huge compared to defaults) INFORMATION: 1. EVENT ID: There is only one Event ID that will appear in the Security log when file and folder auditing is enabled, 4663. 4663 - An attempt was made to access an object. This is the only Event ID that will record the details of the folder(s) and file(s) created as well as the process name that performed the actions. REFINING AUDITING: When using file and folder auditing, refinement will be needed in order to collect only the entries having actual security value. Enabling folders that have a high rate of changes will fill up your logs causing them to rotate faster than you might want to retain them and miss files you might actually want to catch. In addition, logging more than you need when using a log management solution will have a potential impact to licensing and storage requirements. It is important to test and refine file and folder auditing before applying it across your organization. Use Log-MD to assist you in refining your file and folder audit policy which can be found here: Log-MD.com If you are examining malware in a lab for example, or doing an incident response investigation, over auditing may be perfectly acceptable. Use the built-in Windows wevtutil.exe utility, PowerShell (get-eventlog), a security log tool like Log- MD or your log management solution to review what is being captured and remove files and folders that are excessively noisy and do not have significant security importance. When setting auditing of files and folders there are some decisions on what to monitor. Using Explorer to select the folder and set the auditing manually, you can see what options there are as seen from the image below. The goal of this cheat sheet is to get you started using file and folder auditing on well-known folders and to enable just enough to provide security value, but not too much as to create a lot of useless noise. What follows is our recommendation to get started which you may tweak and improve as you need. The main goal is to look for things that are newly added by hackers and/or malware. Monitoring for all changes is rather noisy and excess noise could cause you to miss a simple file creation. January 2016 ver 1.0 MalwareArchaeology.com Page 2 of 6

CONFIGURE: These are the only items that are recommended be set to optimize what is needed security wise and keep noise to a minimum. You may expand on these settings as necessary for your environment, but these settings are a good place to start. User: Applies to: EVERYONE This folder, subfolders and files Audit all items in this folder and all subfolders OR This folder and files - Audit only the files in this folder and NOT the subfolders CONFIGURE: Select a Folder or file you want to audit and monitor. Right-Click the Folder, select Permissions Advanced Auditing Add EVERYONE (check names), OK. 1. Apply onto THIS FOLDER and FILES or THIS FOLDER, SUBFOLDERS and FILES (or what you want/need). 2. Select Create files / write data, Create folders / append data, Write extended attributes, Delete, Change permissions & Take ownership to audit. 3. Be careful, setting auditing to This folder, subfolders and files as this can generate a lot of data and thus noise. Access: Only select these items to keep down on the noise Create files / write data File created Create folders / append data Folder created Write extended attributes Metadata that can be placed in a file Delete File is deleted Change permissions permissions of a file change Take ownership ownership changed January 2016 ver 1.0 MalwareArchaeology.com Page 3 of 6

CONFIGURE: Recommend Folder and Files to enable auditing on 1. FOLDERS TO AUDIT: THIS FOLDER AND FILES ONLY: Do NOT audit subfolders on these directories C:\Program Files C:\Program Files\Common Files C:\Program Files (x86) C:\Program Files (x86) \Common Files C:\ProgramData C:\Windows C:\Windows\System32 C:\Windows\System32\Drivers C:\Windows\System32\Drivers\etc C:\Windows\System32\Sysprep C:\Windows\System32\wbem C:\Windows\System32\WindowsPowerShell\v1.0 C:\Windows\Web C:\Windows\SysWOW64 C:\Windows\SysWOW64\Drivers C:\Windows\SysWOW64\wbem C:\Windows\SysWOW64\WindowsPowerShell\v1.0 THIS FOLDER, SUBFOLDERS AND FILES: C:\Boot C:\Perflogs Any Anti-Virus folder(s) used for quarantine, etc. C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup C:\Users\Public C:\Users\*\AppData\Local C:\Users\*\AppData\Local\Temp C:\Users\*\AppData\LocalLow C:\Users\*\AppData\Roaming C:\Windows\Scripts C:\Windows\System C:\Windows\System32\Tasks C:\Windows\system32\config\systemprofile\AppData C:\Windows\sysWOW64\sysprep C:\Windows\ syswow64\config\systemprofile\appdata January 2016 ver 1.0 MalwareArchaeology.com Page 4 of 6

CONFIGURE:: EXCLUDE NOISY ITEMS: These folders will create events that do not provide much value. After setting auditing on the parent folder, remove auditing from these folders and any other files and folders you find overly noisy with little security benefit. C:\ProgramData\Microsoft\RAC\Temp C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf C:\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf C:\ProgramData\<Anti-Virus>\Common Framework Insert your AV folder(s) C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log C:\Users\*\AppData\Local\GDIPFONTCACHEV1.DAT C:\Users\*\AppData\Local\Google\Chrome\User Data C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_* C:\Users\*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 C:\Users\*\AppData\Local\Microsoft\Office C:\Users\*\AppData\Local\Microsoft\Outlook C:\Users\*\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis C:\Users\*\AppData\Local\Mozilla\Firefox\Profiles C:\Users\*\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Users\*\AppData\Roaming\Microsoft\Excel C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache Any other normal applications that you have installed that produce a lot of log entries without significant security value. OPTIONS TO SET FILE AUDITING: There are four ways to set file and folder auditing on each folder: 1. Create a security template that is applied using Group Policy and/or secedit. This is the most effective way of doing it for a large amount of systems. a. https://msdn.microsoft.com/en-us/library/bb742512.aspx 2. Set with a PowerShell script. Though this method does not work on certain directories owned by TrustedInstaller and changing the ownership is not recommended 3. Set with a SetACL.exe, a utility by www.helgeklein.com 4. Set manually via Explorer. This does not scale as each system must be set manually, but may be fine for a malware lab or investigation of a single or a few systems. January 2016 ver 1.0 MalwareArchaeology.com Page 5 of 6

USING SECURITY TEMPLATES TO SET AND REMOVE FILE AUDITING: The following is how to create a Security template using the Microsoft Management Console (MMC). To create a custom security template using the MMC snap-in: 1. Open the MMC console, choose Start, and then choose Run 2. Type mmc in the Open box, and then choose OK 3. From the File menu, choose Add/Remove Snap-in 4. Select Add/Remove Snap-in dialog box, choose Add 5. Select the list of available snap-ins, select Security Templates, choose Add, choose Close, and then choose OK 6. In the MMC main window, under the Console Root node, expand the Security Templates node, right-click the root templates folder, and then choose New Template 7. Type a name and description for the template, and then choose OK 8. Choosing OK saves your template as an.inf file in: C:\Users\<username>\Documents\Security\Templates Or you may save them anywhere you would like 9. Add each folder and/or file you want to audit with the appropriate audit settings listed above CHECK THE AUDITING OF A FOLDER OR FILE: 1. To check what the file auditing for a given folder or file is set to, use the following PowerShell script: Check_Auditing_Settings_File_Folder.ps1 Check the auditing set on a specific folder or file Available at www.malwarearchaeology.com/logging January 2016 ver 1.0 MalwareArchaeology.com Page 6 of 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information