ZT IK 3, Siemens CERT - FIRST
Transcript of the slide deck "ZT IK 3, Siemens CERT" (Siemens Computer Emergency Response Team)
© Siemens AG 2000, Siemens CERT Team

Siemens Computer Emergency Response Team
Sven Lehmberg

Agenda
- Event Viewer and User Manager
- Analyzing Audit Logs
- Tools

Auditing Step by Step
Two important programs in NT 4.0:
- Event Viewer
- User Manager / User Manager for Domains

Event Viewer

How to Enable Auditing?

What to Audit?

Logon and Logoff

Interactive Logon

Logon Type and Processes
Logon Type:
- 2: Interactive
- 3: Network
- 4: Batch
- 5: Service
- 6: Proxy
- 7: Unlock Workstation

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon Process:
- KSecDD
- User32 or WinLogon\MSGina
- SCMgr
- LAN Manager Workstation Service
- advapi
- MS.RADIUS

Logon over the Network

Event Detail – No Logon Right over Network

File and Object Access

File and Registry Auditing

Event Detail – Object Access: File

File System Access Types
Access right                        Full control  Modify  Read&Execute / List folders  Read  Write
Traverse folder / Execute file      x             x       x
List folder / Read data             x             x       x                            x
Read attributes                     x             x       x                            x
Read extended attributes            x             x       x                            x
Create files / Write data           x             x                                          x
Create folders / Append data        x             x                                          x
Write attributes                    x             x                                          x
Write extended attributes           x             x                                          x
Delete subfolders and files         x
Delete                              x             x
Read permissions (READ_CONTROL)     x             x       x                            x     x
Change permissions (WRITE_DAC)      x
Take ownership (WRITE_OWNER)        x
Synchronize                         x             x       x                            x     x
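The table above is what an object-access audit record encodes as a 32-bit access mask. The following decoder is an added example and not part of the Siemens CERT slides: it maps the mask of a file-system access event back to the table rows and names the narrowest permission set (table column) that covers it. The bit values are the FILE_*, standard-rights and GENERIC_* constants from winnt.h (which the deck's literature slide points to); the sample masks are constructed, not taken from a real event log.

```python
"""Decode the access mask of a file-system object-access audit event into the
named rights of the table above and name the permission set that covers it.

Added example, not part of the Siemens CERT slides. Bit values are the
winnt.h constants; the sample masks in main() are constructed.
"""

# winnt.h file-specific rights (low 16 bits of the ACCESS_MASK)
FILE_RIGHTS = {
    0x0001: "List folder / Read data",          # FILE_READ_DATA / FILE_LIST_DIRECTORY
    0x0002: "Create files / Write data",        # FILE_WRITE_DATA / FILE_ADD_FILE
    0x0004: "Create folders / Append data",     # FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY
    0x0008: "Read extended attributes",         # FILE_READ_EA
    0x0010: "Write extended attributes",        # FILE_WRITE_EA
    0x0020: "Traverse folder / Execute file",   # FILE_EXECUTE / FILE_TRAVERSE
    0x0040: "Delete subfolders and files",      # FILE_DELETE_CHILD
    0x0080: "Read attributes",                  # FILE_READ_ATTRIBUTES
    0x0100: "Write attributes",                 # FILE_WRITE_ATTRIBUTES
}
# winnt.h standard rights (bits 16-20)
STANDARD_RIGHTS = {
    0x00010000: "Delete",                            # DELETE
    0x00020000: "Read permissions (READ_CONTROL)",   # READ_CONTROL
    0x00040000: "Change permissions (WRITE_DAC)",    # WRITE_DAC
    0x00080000: "Take ownership (WRITE_OWNER)",      # WRITE_OWNER
    0x00100000: "Synchronize",                       # SYNCHRONIZE
}
KNOWN_BITS = 0
for _bit in list(FILE_RIGHTS) + list(STANDARD_RIGHTS):
    KNOWN_BITS |= _bit

# winnt.h generic rights and the file-specific rights they expand to
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
FILE_GENERIC_READ = 0x00120089     # READ_CONTROL|READ_DATA|READ_ATTRIBUTES|READ_EA|SYNCHRONIZE
FILE_GENERIC_WRITE = 0x00120116    # READ_CONTROL|WRITE_DATA|WRITE_ATTRIBUTES|WRITE_EA|APPEND_DATA|SYNCHRONIZE
FILE_GENERIC_EXECUTE = 0x001200A0  # READ_CONTROL|READ_ATTRIBUTES|EXECUTE|SYNCHRONIZE
FILE_ALL_ACCESS = 0x001F01FF

# The columns of the table above as masks, narrowest first
PERMISSION_SETS = [
    ("Read", FILE_GENERIC_READ),
    ("Write", FILE_GENERIC_WRITE),
    ("Read & Execute / List folders", FILE_GENERIC_READ | FILE_GENERIC_EXECUTE),            # 0x001200A9
    ("Modify", FILE_GENERIC_READ | FILE_GENERIC_WRITE | FILE_GENERIC_EXECUTE | 0x00010000),  # 0x001301BF
    ("Full control", FILE_ALL_ACCESS),
]


def expand_generic(mask):
    """Replace GENERIC_* bits by the file-specific rights they map to."""
    specific = mask & 0x0FFFFFFF
    for generic, rights in ((GENERIC_READ, FILE_GENERIC_READ), (GENERIC_WRITE, FILE_GENERIC_WRITE),
                            (GENERIC_EXECUTE, FILE_GENERIC_EXECUTE), (GENERIC_ALL, FILE_ALL_ACCESS)):
        if mask & generic:
            specific |= rights
    return specific


def decode_access_mask(mask):
    """Return the table rows present in the mask. Bits the table does not know
    are reported rather than dropped: an unexpected bit in an audit record
    deserves a look."""
    mask = expand_generic(mask)
    rows = [name for bit, name in list(FILE_RIGHTS.items()) + list(STANDARD_RIGHTS.items())
            if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        rows.append("unknown bits 0x%08x" % unknown)
    return rows


def classify(mask):
    """Name the narrowest table column that contains every bit of the mask,
    'Special' if no column does, 'None' for an empty mask."""
    mask = expand_generic(mask)
    if mask == 0:
        return "None"
    for name, allowed in PERMISSION_SETS:
        if mask & ~allowed == 0:
            return name
    return "Special"


if __name__ == "__main__":
    # constructed masks, as they would appear in the Accesses field of an object-access event
    for sample in (0x00120089, 0x001301BF, 0x80000000, 0x00040000, 0x00000040, 0x01000000):
        print("0x%08x -> %-30s %s" % (sample, classify(sample), ", ".join(decode_access_mask(sample))))
```

A mask that decodes to "Special" or carries unknown bits is the case worth reading the whole event for: a single WRITE_DAC or WRITE_OWNER bit puts an access into the "Full control" column even though no data was read or written.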

Registry Access Types
- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Notify
- Create Link
- Delete
- Write DAC
- Read Control

Use of User Rights

27 User Rights
- Take ownership of files or other objects – SeTakeOwnershipPrivilege
- Log on as a service – SeServiceSID
- Create permanent shared objects – SeCreatePermanentPrivilege
- Shut down the system – SeShutdownPrivilege
- Log on as a batch job – SeBatchSID
- Create a token object – SeCreateTokenPrivilege
- Restore files and directories – SeRestorePrivilege
- Lock pages in memory – SeLockMemoryPrivilege
- Create a pagefile – SeCreatePagefilePrivilege
- Replace a process level token – SeAssignPrimaryTokenPrivilege
- Load and unload device drivers – SeLoadDriverPrivilege
- Change the system time – SeSystemTimePrivilege
- Profile system performance – SeSystemProfilePrivilege
- Increase scheduling priority – SeIncreaseBasePriorityPrivilege
- Bypass traverse checking – SeChangeNotifyPrivilege
- Profile single process – SeProfileSingleProcessPrivilege
- Increase quotas – SeIncreaseQuotaPrivilege
- Back up files and directories – SeBackupPrivilege
- Modify firmware environment values – SeSystemEnvironmentPrivilege
- Generate security audits – SeAuditPrivilege
- Add workstation to domain – SeMachineAccountPrivilege
- Manage auditing and security log – SeSecurityPrivilege
- Force shutdown from a remote system – SeRemoteShutdownPrivilege
- Act as part of the operating system – SeTcbPrivilege
- Log on locally
- Debug programs – SeDebugPrivilege
- Access this computer from the network

Event Detail – Use of User Rights

User and Group Management

Event Detail – User and Group Management

Security Policy Changes

Event Detail – Policy Change

Restart, Shutdown, and System

Event Detail – Restart, Shutdown, and System

Starting NT – Authentication and Trusted Logon

Process Tracking

Process IDs I

Process IDs II

Process IDs III – Windows 2000

Process IDs IV – Windows 2000

One Click – Many Security Events
Audit log entries written for a single new user account:
- Event 632: Global Group Member Added
- Event 624: User Account Created
- Event 642: User Account Changed
- Event 636: Local Group Member Added

Additional Auditing Settings
- Auditing backup and restore activities (use of the backup and restore privileges is not audited by default because of the volume of events it produces):
  Key:   HKLM\System\CurrentControlSet\Control\Lsa
  Value: FullPrivilegeAuditing
  Type:  REG_BINARY
  Data:  1
- Base object auditing:
  Key:   HKLM\System\CurrentControlSet\Control\Lsa
  Value: AuditBaseObjects
  Type:  REG_DWORD
  Data:  1

“Account Lockout Event” stored on PDC
- Windows NT 4.0 SP4 and later
When a user enters too many incorrect passwords while trying to log on to a domain, the account is locked out and an event is written to the workstation's security log (if auditing is enabled there). From SP4 on, this event is also written to the PDC's security log.

Audit Policy

Event Log Settings

Lessons Learnt
- You can get a lot of information from the logs
- Not all information is relevant
- Some information is wrong
- You can't get much information about logging from MS

Filter Suspicious Events from all Events
Event IDs:
- 512 - Windows NT is starting up
- 513 - Windows NT is shutting down
- 517 - The audit log was cleared
- 528 - Successful logon
- 529 - Unknown user name or bad password
- 530 - Account logon time restriction violation
- 531 - Account currently disabled
- 532 - The specified user account has expired
- 533 - User not allowed to log on at this computer
- 534 - User has not been granted the requested logon type
- 535 - The specified account's password has expired
- 536 - The NetLogon component is not active
- 537 - An unexpected error occurred during logon
- 538 - User logoff
- 539 - Account locked out
- 576 - Special privileges assigned to new logon
- 608 - User right assigned
- 609 - User right removed
- 612 - Audit policy change
- 624 - User account created
- 643 - Domain policy changed

Suspicious Auditing Events
- Failed logon, Event ID 529, for Administrator and "well-known accounts"
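The filter below is an added example, not part of the Siemens CERT slides. It runs the event-ID list, the failed-logon rule for Administrator and well-known accounts, and the "One Click – Many Security Events" account-creation burst over a dumped security log. Everything beyond the event IDs is an assumption: the dump format (one event per line, "date time<TAB>event ID<TAB>user<TAB>detail", which is not the real output format of WDumpEvt or ELDump), the set of well-known accounts, the failed-logon threshold, and that the detail field of an account-management event names the target account. The log lines are constructed.

```python
"""Filter suspicious events out of a dumped NT 4.0 security log.

Added example, not part of the Siemens CERT slides. Assumed dump format:
"YYYY-MM-DD HH:MM:SS<TAB>EventID<TAB>User<TAB>Detail", one event per line,
oldest first. The well-known account set, thresholds and the sample log
are assumptions / constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs from the slide and what they mean
EVENT_NAMES = {
    512: "Windows NT is starting up", 513: "Windows NT is shutting down",
    517: "The audit log was cleared", 528: "Successful logon",
    529: "Unknown user name or bad password", 530: "Logon time restriction violation",
    531: "Account currently disabled", 532: "Account has expired",
    533: "User not allowed to log on at this computer",
    534: "User not granted the requested logon type", 535: "Password has expired",
    536: "NetLogon component is not active", 537: "Unexpected error during logon",
    538: "User logoff", 539: "Account locked out",
    576: "Special privileges assigned to new logon",
    608: "User right assigned", 609: "User right removed", 612: "Audit policy change",
    624: "User account created", 632: "Global group member added",
    636: "Local group member added", 642: "User account changed", 643: "Domain policy changed",
}
WELL_KNOWN = {"administrator", "guest"}                              # assumption
FAILED_LOGON_LIMIT, FAILED_LOGON_WINDOW = 5, timedelta(minutes=10)   # assumption
ALWAYS_ALERT = {517, 608, 609, 612, 643}   # interesting whoever triggered them
ACCOUNT_BURST = {632, 636, 642}            # normally follow a 624 for the same account


def parse_line(line):
    """Parse one dump line into a dict; a malformed line raises ValueError."""
    ts, event_id, user, detail = line.rstrip("\n").split("\t", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(event_id), "user": user, "detail": detail}


def filter_suspicious(lines):
    """Return (time, severity, message) alerts in log order."""
    alerts = []
    failed = defaultdict(list)   # account (lower case) -> times of its 529 events
    created = {}                 # account named by a 624 -> time of creation
    for ev in (parse_line(ln) for ln in lines if ln.strip()):
        eid, user, t, detail = ev["id"], ev["user"], ev["time"], ev["detail"]
        name = EVENT_NAMES.get(eid, "unknown event")
        if eid in ALWAYS_ALERT:
            alerts.append((t, "high", "%d %s by %s" % (eid, name, user)))
        elif eid == 529:
            if user.lower() in WELL_KNOWN:
                alerts.append((t, "high", "529 failed logon for well-known account %s (%s)" % (user, detail)))
            failed[user.lower()].append(t)
            recent = [x for x in failed[user.lower()] if t - x <= FAILED_LOGON_WINDOW]
            if len(recent) == FAILED_LOGON_LIMIT:   # fire once, when the threshold is reached
                alerts.append((t, "medium", "%d failed logons for %s within %s" % (len(recent), user, FAILED_LOGON_WINDOW)))
        elif eid == 539:
            alerts.append((t, "medium", "539 account locked out: %s" % user))
        elif eid == 624:
            created[detail] = t   # assumption: detail names the new account
            alerts.append((t, "medium", "624 user account %s created by %s" % (detail, user)))
        elif eid in ACCOUNT_BURST and detail in created:
            alerts.append((t, "low", "%d %s for new account %s" % (eid, name, detail)))
        elif eid == 576:
            alerts.append((t, "low", "576 special privileges assigned to new logon: %s" % user))
    return alerts


# Constructed sample dump: a noisy day with two 529s against Administrator, a
# password-guessing run against bob ending in a lockout, an account created by
# Administrator ("one click, many events") and a cleared audit log at the end.
SAMPLE_LOG = """\
2000-03-01 08:00:12\t528\tjdoe\tLogon Type: 2
2000-03-01 08:01:03\t529\tAdministrator\tLogon Type: 3
2000-03-01 08:01:09\t529\tAdministrator\tLogon Type: 3
2000-03-01 08:05:30\t529\tbob\tLogon Type: 2
2000-03-01 08:05:35\t529\tbob\tLogon Type: 2
2000-03-01 08:05:40\t529\tbob\tLogon Type: 2
2000-03-01 08:05:44\t529\tbob\tLogon Type: 2
2000-03-01 08:05:50\t529\tbob\tLogon Type: 2
2000-03-01 08:05:55\t539\tbob\tLogon Type: 2
2000-03-01 09:11:58\t528\tAdministrator\tLogon Type: 2
2000-03-01 09:11:58\t576\tAdministrator\tSeBackupPrivilege SeRestorePrivilege
2000-03-01 09:12:00\t624\tAdministrator\tsvc_backup
2000-03-01 09:12:00\t642\tAdministrator\tsvc_backup
2000-03-01 09:12:01\t636\tAdministrator\tsvc_backup
2000-03-01 09:12:01\t632\tAdministrator\tsvc_backup
2000-03-01 17:30:00\t538\tjdoe\tLogon Type: 2
2000-03-01 23:59:59\t517\tAdministrator\t-
"""

if __name__ == "__main__":
    for when, severity, message in filter_suspicious(SAMPLE_LOG.splitlines()):
        print(when, severity.upper(), message)
```

The 517 at the end is the one not to miss: an attacker who can clear the log removes everything before it, which is exactly why the "Logging Host" slide wants workstation logs forwarded to a separate machine.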

Deficiencies of NT Logging
- Port scans cannot be detected with NT logging alone; third-party tools that can:
  - BOF – Back Officer Friendly (NFR), http://www.nfr.com
  - Nuke Nabber 2.9a (Dynamsol), http://www.dynamsol.com/puppet/
  - NetMonitor v0.90 (LeechSoftware), http://www.leechsoftware.com
  - BlackICE, http://advide.networkice.com
- Workstation logs are kept locally (see the Logging Host slide)

Logging Host
- EvntSLog 2.0
- NTSlog 1.02, 2.0
- NTOLog
- Siemens CERT

Further Tools
- Lservers (NT Objectives, Inc.)
- NPList (NT Objectives, Inc.)
- WDumpEvt 1.2
- ELDump 0.12
- ELSaveClr
- NTLast
- Tripwire 2.1 for Windows NT

Literature etc.
- MS Knowledge Base (found at http://support.microsoft.com/support/search/c.asp):
  - Q174073, Auditing User Authentication
  - Q174074, Security Event Descriptions
  - Q163905, Auditing User Right Assignment Changes
  - Q101366, Definition and List of Windows NT Advanced User Rights
  - et al.
- Books etc.:
  - Microsoft – Windows NT 4.0 Security, Audit and Control (Microsoft Press, Microsoft Technical Reference)
  - Windows NT Server Resource Kit 4.0
  - Visual C++: winnt.h