Windows 2000/2003 Server Auditing
Windows 2000/2003 Server
Auditing
Rob Hoffpauir
MCSE / CCSA / ACE / NNCSS
[email protected]
Brief Intro
Who am I?
7/20/2015
Been in the IT industry for about 12 years
Worked with security systems for about 8 years
Experience with Windows 3.x, 9x, NT 3.51, NT 4.0, 2000, XP & 2003
Experience with Checkpoint, Nokia, Nortel & Linux
Familiar with both the public and private sectors
Windows 2000/2003 Server Auditing - Rob Hoffpauir ©2005
2
Topics
Documentation
Account Policies
Logon Process
Access Control
Services
Vulnerability Control
Getting to Know the Environment
Interview key personnel
Obtain documentation on:
Security Baseline Policy
GPO Settings (Verify using the GPMC & GPResult tool from Microsoft)
Forest(s)
Domain(s)
Trust(s)
Review the setup of Active Directory.
Determine if the check-off box for "override allowed" is correctly administered
Verify if GPO matches Baseline Policy
Institute a Baseline verification policy and routine (automate if possible)
Account Policies
Review account policies (i.e. password controls) for compliance with corporate policy
User accounts should have a password with a minimum of six characters
Passwords should contain lower and upper case, numbers and special characters
Users should be prevented from using their last 8 - 10 passwords
Password should not be the same as the user ID
Forced lockout after three attempts to logon
Change Passwords every 60 days (exceptions for system and service accounts may be granted on a case-by-case basis)
Kerberos ticket renewals - Make sure that tickets are being renewed
Local account policies - Select a sample of servers to review local account policies for compliance with security policies and procedures
Verify that SNMP Community Strings are not public, private or blank if applicable
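As an added example (not part of the original deck), the following PowerShell compares the effective domain password and lockout policy against the baseline values this slide gives. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later), which did not exist for Windows 2000/2003; on those systems the same values are read from the Default Domain Policy with GPMC and GPResult. The baseline numbers are the slide's own; the function names are the example's.

```powershell
# Added example, not from the deck: compare the domain password and lockout
# policy with the baseline the "Account Policies" slide lists.
Import-Module ActiveDirectory

# Baseline values taken from the slide.
$Baseline = @{
    MinPasswordLength    = 6
    PasswordHistoryCount = 8
    LockoutThreshold     = 3
    MaxPasswordAgeDays   = 60
}

function Test-DomainPasswordPolicy {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings.Add("Minimum length $($p.MinPasswordLength) is below baseline $($Baseline.MinPasswordLength)")
    }
    if (-not $p.ComplexityEnabled) {
        $findings.Add("Complexity (upper/lower case, digits, special characters) is not enforced")
    }
    if ($p.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings.Add("History remembers $($p.PasswordHistoryCount) passwords, baseline $($Baseline.PasswordHistoryCount)")
    }
    # A lockout threshold of 0 means accounts never lock out.
    if ($p.LockoutThreshold -eq 0 -or $p.LockoutThreshold -gt $Baseline.LockoutThreshold) {
        $findings.Add("Lockout threshold $($p.LockoutThreshold), baseline $($Baseline.LockoutThreshold)")
    }
    # MaxPasswordAge is a TimeSpan; zero (or a negative sentinel) means never expires.
    $maxAge = $p.MaxPasswordAge.TotalDays
    if ($maxAge -le 0 -or $maxAge -gt $Baseline.MaxPasswordAgeDays) {
        $findings.Add("Maximum password age $maxAge days, baseline $($Baseline.MaxPasswordAgeDays)")
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add("Reversible password encryption is enabled")
    }

    [pscustomobject]@{
        Domain    = $Domain
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Case-by-case exceptions for service accounts should show up as fine-grained
# password policies (PSOs), not as a weakened domain-wide policy.
function Get-PasswordPolicyExceptions {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, MaxPasswordAge, AppliesTo
}

Test-DomainPasswordPolicy | Format-List
Get-PasswordPolicyExceptions | Format-Table -AutoSize
```

Local account policies on member servers (the slide's sampling step) are not covered by the domain object; for those, export the local policy with `secedit /export` on each sampled host and compare the same fields.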
Dormant or Disabled Accounts
Review dormant and disabled accounts.
Obtain the following reports:
User accounts that are disabled
User accounts that are locked out
User accounts that have not logged into the domain within the last 60 days.
User accounts that have not changed their passwords within the last 60 days.
Terminated Employees
Obtain a listing of employees who terminated their employment with the company within the last six months.
Determine if any of these employees still have system access.
A policy and procedure for terminations should be in place and followed.
Password Review
Determine if users are selecting strong passwords
Perform a password assessment
Test for the following:
password the same as the user ID
blank passwords
company name/initials
other easily guessed password scenarios (use word list)
Note: Best practices dictate that a password review should be conducted at least quarterly
Additional Password Controls
Determine that users are aware of how to contribute to a secure network environment.
Obtain the following reports:
Users with a password that cannot be changed.
Users with a password that never expires
Users who do not require a password.
Has the built-in guest account been disabled and renamed?
Has the default administrator account been renamed?
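As an added example (not from the deck), this PowerShell produces the reports asked for on the "Dormant or Disabled Accounts", "Terminated Employees" and "Additional Password Controls" slides in one pass. It assumes the RSAT ActiveDirectory module; the 60-day window is the slides' value, the terminated-employee list is constructed for the example, and the function names are the example's own.

```powershell
# Added example, not from the deck: account reports for the dormant-account,
# terminated-employee and additional-password-control slides.
Import-Module ActiveDirectory

$Days   = 60                          # window from the slides
$Cutoff = (Get-Date).AddDays(-$Days)

function Get-AccountReports {
    $props = 'Enabled','LockedOut','LastLogonDate','PasswordLastSet',
             'PasswordNeverExpires','PasswordNotRequired','CannotChangePassword'
    $users = Get-ADUser -Filter * -Properties $props

    # LastLogonDate comes from lastLogonTimestamp, which replicates only every
    # 9 to 14 days: fine for a 60-day dormancy window, not for precise timing.
    [ordered]@{
        Disabled             = @($users | Where-Object { -not $_.Enabled })
        LockedOut            = @($users | Where-Object { $_.LockedOut })
        NoLogonIn60Days      = @($users | Where-Object { $_.Enabled -and
                                   ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff) })
        PasswordOlderThan60  = @($users | Where-Object { $_.Enabled -and
                                   ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff) })
        PasswordNeverExpires = @($users | Where-Object { $_.PasswordNeverExpires })
        CannotChangePassword = @($users | Where-Object { $_.CannotChangePassword })
        PasswordNotRequired  = @($users | Where-Object { $_.PasswordNotRequired })
    }
}

# The built-in Administrator and Guest accounts are located by their
# well-known RIDs (500 and 501), so renaming them does not hide them here.
function Test-BuiltInAccounts {
    $domainSid = (Get-ADDomain).DomainSID.Value
    $admin = Get-ADUser -Identity "$domainSid-500"
    $guest = Get-ADUser -Identity "$domainSid-501"
    [pscustomobject]@{
        AdministratorRenamed = ($admin.SamAccountName -ne 'Administrator')
        GuestRenamed         = ($guest.SamAccountName -ne 'Guest')
        GuestDisabled        = (-not $guest.Enabled)
    }
}

# Compare HR's list of leavers with accounts that are still enabled.
# The default list is constructed for the example; in practice it comes from HR.
function Find-TerminatedWithAccess {
    param([string[]]$TerminatedSamAccountNames = @('jdoe','asmith'))
    foreach ($sam in $TerminatedSamAccountNames) {
        $u = Get-ADUser -Filter "SamAccountName -eq '$sam'"
        if ($u -and $u.Enabled) {
            $u | Select-Object SamAccountName, Enabled, DistinguishedName
        }
    }
}

$reports = Get-AccountReports
$reports.GetEnumerator() | ForEach-Object { "{0}: {1}" -f $_.Key, $_.Value.Count }
Test-BuiltInAccounts
Find-TerminatedWithAccess
```

Each report is kept as an array of user objects so it can be exported with `Export-Csv` as audit evidence; the summary line only prints the counts.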
Login Process
Review the login process to make sure that it meets Company policy.
Is the username of the last user displayed?
Is there a warning banner?
Is Auto Logon Used?
Warning Banner
The purpose of a warning banner is essentially to act as a "No Trespassing" sign, and to establish consent to monitoring. The Federal computer crime law, 18 USC 1030, makes it a crime to INTENTIONALLY access a computer without authorization. Thus, you need to do SOMETHING to prove that the hacker knew, or reasonably should have known, that they were accessing without authorization.

There is NO case that says that a "welcome" screen necessarily invites a trespass, any more than a welcome mat is an invitation to smash the window. But some state laws are screwy. The New York State computer crime law, NY Penal Code Section 156 (6), requires that, before you can be prosecuted for using a computer service without authorization, the government has to prove that the owner has given actual notice to potential hackers or trespassers, either in writing or orally. In the absence of such notice in New York, the hacker can presume that he or she has authorization to proceed, under state law. La. Rev. Stat. Ann. §§ 14:73.1 to 14:73.5 (http://www.legis.state.la.us/lss/lss.asp?doc=78652) defines computer crime in Louisiana, and does not appear to contain a "simple trespass" provision. Nevertheless, it is still a good idea to define the parameters of authorization and lack thereof.
Warning Banner (cont'd)
Another reason for a warning banner is to give you consent to monitor communications. Federal laws, 18 USC 2511 and 18 USC 2701, generally make it a crime to monitor communications -- even electronic communications -- without the consent of one of the parties to the communication. Louisiana law is similar (La. Rev. Stat. §15:1303). Thus your warning banner should also say "by using this system you are agreeing to comply with the relevant policies of COMPANYNAME, and are specifically consenting to monitoring of your activities consistent with these policies. A copy of these policies may be obtained at http://www.company..... or by calling Jane Doe."
Auto Admin Logon
Review registry dump to determine whether the auto admin logon registry entry is used.
The use of this key embeds the password in the registry in plain text.
If this process is required, check the ACLs of the registry key.
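As an added example (not from the deck), the PowerShell below reads the registry values behind the three "Login Process" questions and the auto admin logon check, and lists who can read the Winlogon key when auto logon is in use. The key paths and value names are the standard Windows ones; the function names are the example's own, and it is meant to be run on the server itself (or through `Invoke-Command`) rather than against an offline registry dump as the slide describes.

```powershell
# Added example, not from the deck: logon-process and AutoAdminLogon checks.
$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-LogonProcess {
    $policy   = Get-ItemProperty -Path $PolicyKey   -ErrorAction SilentlyContinue
    $winlogon = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue

    # DontDisplayLastUserName = 1 hides the last user's name on the logon screen.
    # Older systems kept this value under the Winlogon key, so fall back to it.
    $hideLast = if ($null -ne $policy.DontDisplayLastUserName) { $policy.DontDisplayLastUserName }
                else { $winlogon.DontDisplayLastUserName }

    # LegalNoticeCaption / LegalNoticeText are what produce the warning banner.
    $bannerSet = -not [string]::IsNullOrWhiteSpace($policy.LegalNoticeText)

    # AutoAdminLogon is a REG_SZ "1"; DefaultPassword holds the plaintext password.
    $autoLogon = ($winlogon.AutoAdminLogon -eq '1')
    $plainPwd  = -not [string]::IsNullOrEmpty($winlogon.DefaultPassword)

    [pscustomobject]@{
        LastUserNameHidden = ([int]$hideLast -eq 1)
        WarningBanner      = $bannerSet
        BannerCaption      = $policy.LegalNoticeCaption
        AutoAdminLogon     = $autoLogon
        DefaultUserName    = $winlogon.DefaultUserName
        PlaintextPassword  = $plainPwd
    }
}

# Anyone allowed to query values on the Winlogon key can read DefaultPassword.
# BUILTIN\Users normally has read access here, which is why the slide says to
# review the key's ACL whenever auto logon cannot be avoided.
function Get-WinlogonKeyReaders {
    $query = [System.Security.AccessControl.RegistryRights]::QueryValues
    (Get-Acl -Path $WinlogonKey).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $query) -or $_.RegistryRights -eq 'FullControl')
        } |
        Select-Object @{n='Identity';e={$_.IdentityReference.Value}}, RegistryRights, IsInherited
}

$result = Test-LogonProcess
$result | Format-List
if ($result.AutoAdminLogon) {
    "Principals able to read the Winlogon key (and therefore DefaultPassword):"
    Get-WinlogonKeyReaders | Format-Table -AutoSize
}
```

The expected finding for a compliant server is `AutoAdminLogon = False` and `PlaintextPassword = False`; where auto logon has an approved business need, the reader list should contain only administrative identities.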
Access Control
Review Group Membership
Review User Rights
Review Access Control List (ACLs)
Review access to Administrative (Hidden) Shares
Review membership to powerful groups
Domain Administrators
Administrators
Backup Operators
Server Operators
Account Operators
Enterprise Administrators
Schema Administrators
Cert. Publishers
DHCP Administrators
DNS Administrators
DNS Update Proxy
Group Policy Creator Owners
IIS_WPG
Incoming Forest Trust Builders
Network Configuration Operators
RAS and IAS Servers
Replicator
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Telnet Clients
Anonymous Logon (system group)
Interactive
Network
Note: A user can be given admin rights without being a member of the admin group.
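As an added example (not from the deck), this PowerShell enumerates the membership of the groups listed on this slide, expanding nested groups, and then exports the local user-rights assignment, since the slide's note is that admin-equivalent rights can be granted without group membership. It assumes the RSAT ActiveDirectory module and `secedit`; a few group names are written as they appear in Active Directory rather than as the slide abbreviates them, and the function names are the example's own.

```powershell
# Added example, not from the deck: membership of powerful groups plus the
# local user-rights assignment that can grant equivalent power without membership.
Import-Module ActiveDirectory

# AD names of the groups on the slide. Interactive, Network and Anonymous Logon
# are well-known system identities, not group objects, so they cannot be listed.
$PowerfulGroups = @(
    'Domain Admins','Administrators','Backup Operators','Server Operators',
    'Account Operators','Enterprise Admins','Schema Admins','Cert Publishers',
    'DHCP Administrators','DnsAdmins','DnsUpdateProxy',
    'Group Policy Creator Owners','IIS_WPG','Incoming Forest Trust Builders',
    'Network Configuration Operators','RAS and IAS Servers','Replicator',
    'Pre-Windows 2000 Compatible Access','Windows Authorization Access Group',
    'TelnetClients'
)

function Get-PowerfulGroupMembership {
    foreach ($g in $PowerfulGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$g'"
        if (-not $group) { continue }   # role groups exist only where the role is installed
        # -Recursive expands nested groups, so a user placed in a group that is
        # itself a member of Administrators is reported as an effective member.
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
            }
    }
}

# Export the local security policy and resolve who holds the most sensitive
# rights. Requires local administrator rights on the server being reviewed.
function Get-LocalUserRights {
    param([string[]]$Rights = @('SeDebugPrivilege','SeBackupPrivilege','SeRestorePrivilege',
                                'SeTakeOwnershipPrivilege','SeLoadDriverPrivilege','SeTcbPrivilege'))
    $inf = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    foreach ($line in Get-Content $inf) {
        # Lines in [Privilege Rights] look like: SeDebugPrivilege = *S-1-5-32-544
        if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $Rights -contains $matches[1]) {
            $who = $matches[2] -split ',' | ForEach-Object {
                $id = $_.Trim().TrimStart('*')
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($id)).
                        Translate([System.Security.Principal.NTAccount]).Value
                } catch { $id }   # unresolvable SID: leave it as-is for follow-up
            }
            [pscustomobject]@{ Right = $matches[1]; AssignedTo = ($who -join '; ') }
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
}

Get-PowerfulGroupMembership | Sort-Object Group, Member | Format-Table -AutoSize
Get-LocalUserRights | Format-Table -AutoSize
```

Any identity in the rights output that is not also in the group output is exactly the case the slide's note warns about and should be traced back to the GPO or local policy that assigned it.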
User Rights
Access Control List (ACLs)
Registry Key Permissions
Share Permissions
NTFS Permissions
Nesting of Groups
Assign Local groups (or Domain Local) to resources
Assign User accounts to Domain groups
Place Domain groups into Local groups
Administrative Shares
Review ACLs for
C$, D$ (drive letter followed by the $ sign)
Admin$
Administrative shares should only be used by administrators
Everyone Group
Review access granted to the Everyone group
Review shares in connection with the access review to determine if the Everyone group truly has access to specific directories
Note: When a share is setup, read access for everyone is the default
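As an added example (not from the deck), this PowerShell lists every share's share-level ACL, flags entries for the Everyone group and any non-administrator entry on an administrative share, and then checks the NTFS ACL on the share's folder, since effective access is the more restrictive of the two and that is how the slide's "truly has access" question is answered. It assumes the SmbShare module (Windows Server 2012 or later); on 2000/2003 the same data comes from `net share` and DumpSec. The function names are the example's own.

```powershell
# Added example, not from the deck: review of administrative shares and the
# Everyone group at both the share and the NTFS level.

function Get-ShareAccessReview {
    foreach ($share in Get-SmbShare) {
        # Special = administrative share (C$, ADMIN$, IPC$ ...).
        foreach ($e in Get-SmbShareAccess -Name $share.Name) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                AdminShare = $share.Special
                Account    = $e.AccountName
                Type       = $e.AccessControlType
                Right      = $e.AccessRight
            }
        }
    }
}

# Share-level findings: Everyone entries, and anyone other than
# Administrators on an administrative share.
function Get-ShareFindings {
    Get-ShareAccessReview | Where-Object {
        $_.Type -eq 'Allow' -and (
            $_.Account -eq 'Everyone' -or
            ($_.AdminShare -and $_.Account -notmatch 'Administrators$')
        )
    }
}

# NTFS-level check for a share's folder: an Everyone entry on the share only
# matters if the file system grants Everyone something as well.
function Get-NtfsEveryoneAccess {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        Select-Object FileSystemRights, IsInherited
}

$findings = Get-ShareFindings
$findings | Format-Table -AutoSize
foreach ($f in $findings | Where-Object { $_.Account -eq 'Everyone' -and $_.Path }) {
    "NTFS rights for Everyone on $($f.Share) ($($f.Path)):"
    Get-NtfsEveryoneAccess -Path $f.Path | Format-Table -AutoSize
}
```

A share that grants Everyone at the share level but whose folder grants Everyone nothing at the NTFS level is a policy deviation worth recording, but not an actual exposure; one that grants Everyone at both levels is.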
Review Services
Review the standard services that run on the different servers (i.e. Domain Controllers, Web Servers, Application Servers, etc.).
Make sure there is a business need for each service.
Note: If the startup type of a service is set to "Manual", an attacker could send a command to start the service and exercise a vulnerability against it.
IIS
IIS is installed on each Windows server by default in 2000.
Make sure there is a business need for all servers that are currently running IIS.
RAS Settings
Disable Service if not used
Setup separate device for RAS
Review settings to ensure tightest control possible
Terminal Server
Identify which servers are running Terminal Server and make sure there is a business need for this
Terminal Server allows you to manage a server from any terminal as though you were there
Anti-virus Software
Identify which servers do not have anti-virus software running on them and notify management.
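As an added example (not from the deck), this PowerShell covers the service slides in one pass: it lists every service whose startup type is Auto or Manual (Manual is included because of the note on the "Review Services" slide), compares the list against a per-role baseline, singles out IIS, RAS and Terminal Server for the business-need question, and reports whether an anti-virus service is running. The role baseline and the anti-virus service name are constructed assumptions for the example; real baselines come from the documentation gathered during the interview step. The function name is the example's own.

```powershell
# Added example, not from the deck: service review for the Services, IIS,
# RAS, Terminal Server and Anti-virus slides.

# Constructed baseline of services expected for a role (assumption; replace
# with the organisation's documented baseline).
$ApprovedByRole = @{
    DomainController = @('NTDS','DNS','Netlogon','kdc','W32Time','EventLog','LanmanServer')
    WebServer        = @('W3SVC','EventLog','LanmanServer')
}

# Services the slides single out for a business-need check.
$Flagged = @{
    W3SVC        = 'IIS (World Wide Web Publishing)'
    RemoteAccess = 'Routing and Remote Access (RAS)'
    TermService  = 'Terminal Server / Remote Desktop'
}

# Assumed anti-virus service names; adjust to the product actually deployed.
$AntiVirusServices = @('WinDefend')

function Get-ServiceReview {
    param(
        [Parameter(Mandatory)][string]$Role,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName
    $approved = $ApprovedByRole[$Role]

    $review = foreach ($s in $services) {
        # A Manual service is stopped now but can be started by anyone holding
        # the start right on it, so it is reviewed alongside Auto services.
        if ($s.StartMode -in 'Auto','Manual') {
            [pscustomobject]@{
                Name       = $s.Name
                StartMode  = $s.StartMode
                State      = $s.State
                RunsAs     = $s.StartName      # service account: note anything running as a domain admin
                Flagged    = $Flagged[$s.Name]
                InBaseline = ($approved -contains $s.Name)
            }
        }
    }

    $avRunning = $services | Where-Object { $_.Name -in $AntiVirusServices -and $_.State -eq 'Running' }

    [pscustomobject]@{
        Computer         = $ComputerName
        Role             = $Role
        AntiVirusRunning = [bool]$avRunning
        FlaggedServices  = @($review | Where-Object { $_.Flagged })
        NotInBaseline    = @($review | Where-Object { -not $_.InBaseline })
    }
}

$r = Get-ServiceReview -Role WebServer
"{0}: anti-virus running = {1}" -f $r.Computer, $r.AntiVirusRunning
$r.FlaggedServices | Format-Table Name, StartMode, State, Flagged -AutoSize
$r.NotInBaseline   | Format-Table Name, StartMode, State, RunsAs -AutoSize
```

Running it against a sample of servers per role, as the slides suggest, gives a list of services to take to the service owners for the business-need discussion, with `NotInBaseline` as the starting point.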
Audit Logs
Review audit log settings for a sample of servers.
Document and review procedures for the review of audit logs.
Determine if logs are reviewed in a timely manner.
Physical Security
Review the controls for physical security of all network devices (Servers, Workstations, Switches, Routers, etc.)
Vulnerability Scans
Select a sample of servers that support critical applications and run a vulnerability scan on these servers.
Obtain commitment from Management to address vulnerabilities identified.
Useful Tools
GPMC (Microsoft)
Local Security Settings (Microsoft)
GPResult (Microsoft)
Active Directory Users and Computers (Microsoft)
Hyena (System Tools Software)
Enterprise Security Manager (Symantec)
Insight Manager (Consul)
MOM (Microsoft)
Internet & Systems Scanner (Internet Security Systems)
Nessus (Open Source)
NMap (Open Source)
DumpSec, DumpReg & DumpEvents (SomarSoft)
Questions?
Comments!