A presentation from the EnergizeIT 2007 event about why and how to use the Windows event log for monitoring, auditing and automatic task execution.
1. Understanding the Event Log for a More Secure Environment
Dave Millier, Chuck Ben-Tzur
2. Overview
- Introducing the Event Log
- Why Monitor Logs
- Enabling Event Logging
- Real Time Monitoring (Example: Security Log Tampering)
- Auditing and Analysis
- Archiving Events (Example: File Modification Investigation)
- Event Log Limitations
- Vista Event Log (Example: Creating a Log File Using Event Triggered Tasks)
- Resources and Questions
3. Introducing the Event Log
- Centralized log service that allows applications and the operating system to report events that have taken place.
- Introduced with Windows NT 4 (1993).
- Main Windows logs: Application (example: database message), System (example: driver failure), Security (example: logon attempt, file access).
- A Windows 2003 domain controller will also include Directory Service (example: Active Directory connection problem), File Replication (example: domain controller information updates) and DNS.
- Vista has introduced a lot of changes.
4. Why Should We Monitor Logs
We don't NEED to, we HAVE to. Organizations are obligated by regulations to gather and audit system activity logs.
- HIPAA (health industry): regulatory review of system activity to ensure that user information remains private but accessible; identify, respond to and document security incidents.
- GLBA (financial): dual control procedures; segregation of duties.
- SOX (financial): record retention and availability; accountability.
5. Why Should We Monitor Logs (cont.)
To comply with the regulations, organizations require the following forms of log monitoring:
- Real-time monitoring: identify attack attempts in progress and whether a security breach has occurred.
- Audit and analysis: periodic reports and analysis for regulatory compliance (due diligence).
- Archiving: again regulatory compliance (log retention), and forensic investigation of an incident.
The event log should also enable the organization to implement internal security policies.
6. Enabling Event Logging
Each event category is controlled by audit policies:
- Account logon events (for domain accounts)
- Account management (group and account events)
- Directory service access
- Logon events (local machine events)
- Object access (user accessing an object such as a file, folder or printer)
- Policy change (changes in the audit, user rights and trust policies)
- Privilege use (user exercising one or more of his rights)
- Process tracking (detailed tracking information)
- System events (events that affect the system security or the log)
Each policy can be set to audit success events only, failure events only, both success and failure events, or no auditing at all.
7. Audit Policies (Member Server)
8. Real-Time Monitoring
Successful events that grant the user high level privileges (either by spoofing identity or elevation of privileges). Events to monitor:
- Successful high profile user account / group management events: #636 Group member added or removed
- Successful logon events of high profile user accounts: #680 Logon attempt
- Successful logon events to a domain controller
- Operations on specific high profile resources (files, folders): #560 (Object Access), #564 (Object Deleted)
- Successful policy change events: #612 Audit Policy Change (logs no more)
- All system events: #517 Security log was cleared
10-13. Example: Event #517 (Clear Security Log)
- A user will try to erase the Security log (and not even save it).
- A new event is created.
- The event contains the user name.
14. Real-Time Monitoring (cont.)
Tracking and analysing event failure patterns may indicate a range of malicious attack attempts:
- Failed logon activity (e.g. brute force attack): #675 Pre-authentication failed with Kerberos code 24 (bad password); #539 logon failure due to account lockout (if systematic, may be an indication of DoS)
- Failed account management activity (e.g. password reset events)
- All failed system events: #517 Audit log cleared
Note: most of the auditing policies, by default, are set to log successful events only. Local policies may be set to no auditing at all.
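The watch list from slides 8 and 14, run over a handful of constructed Security log rows as an added example (not code from the presentation); the high profile account names, the brute-force threshold and the 'time|id|type|user' row format are assumptions:

```python
"""Real-time triage of Windows 2003 Security log records (added example,
not from the presentation). Each line is a constructed 'time|id|type|user'
row standing in for an exported Security log record; the IDs are those the
deck names. The high profile account list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_PROFILE = {"administrator", "svc_backup"}           # assumed watch list
ALWAYS_ALERT = {517: "security log cleared", 612: "audit policy changed"}
FAILURE_IDS = {539: "account lockout", 675: "kerberos pre-auth failure"}
BRUTE_FORCE_THRESHOLD = 5                               # failures per window
WINDOW = timedelta(minutes=5)

# Constructed sample: a watched logon, a burst of bad passwords, then the
# two events the deck says should always raise an alert.
SAMPLE = [
    "2007-06-13 04:20:00|680|success|jsmith",
    "2007-06-13 04:21:00|680|success|Administrator",
    "2007-06-13 04:22:10|675|failure|jdoe",
    "2007-06-13 04:22:12|675|failure|jdoe",
    "2007-06-13 04:22:14|675|failure|jdoe",
    "2007-06-13 04:22:16|675|failure|jdoe",
    "2007-06-13 04:22:18|539|failure|jdoe",
    "2007-06-13 04:30:00|636|success|Administrator",
    "2007-06-13 04:31:00|517|success|Administrator",
]


def parse(line):
    """Split one constructed row into a record with a real datetime."""
    ts, eid, kind, user = line.split("|")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid), "type": kind, "user": user.lower()}


def triage(lines):
    """Return (time, message) pairs for records that deserve a real-time alert."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of recent failed logons
    for rec in map(parse, lines):
        eid, user, ts = rec["id"], rec["user"], rec["time"]
        if eid in ALWAYS_ALERT:           # #517 / #612: alert on success or failure
            alerts.append((ts, f"{ALWAYS_ALERT[eid]} by {user}"))
        elif eid == 636 and rec["type"] == "success":
            alerts.append((ts, f"group membership changed by {user}"))
        elif eid == 680 and rec["type"] == "success" and user in HIGH_PROFILE:
            alerts.append((ts, f"high profile logon: {user}"))
        elif eid in FAILURE_IDS and rec["type"] == "failure":
            # Keep only failures inside the sliding window, then count them.
            recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
            failures[user] = recent
            if len(recent) == BRUTE_FORCE_THRESHOLD:
                alerts.append((ts, f"{len(recent)} failed logons for {user} in 5 min"))
    return alerts
```

The same rows processed by a SEM/SIM would carry the logon ID and workstation as well; correlating on those is what turns the duplicate domain controller and member server copies of a logon into one alert.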
15. Real-Time Monitoring (cont.)
Possible issues:
- Flood of events (domain controller and member server event duplication, detailed tracking events). Solution: consolidate log information for better analysis.
- Unmonitored systems (e.g. unaudited events on a file server). Solution: threat modeling, identifying assets in the organization.
- Unmonitored events (detailed user and process activity). Solution: organization security program and policies.
- False positives due to configuration problems (e.g. expired service password). Solution: knowledge of the network, components and assets (human factor).
16. Auditing and Analysis
Most regulations require a periodic review of important events (not critical or show stoppers) for two reasons:
- A second chance to reveal malicious activity originally undetected (and unaccounted for).
- Audit the ongoing activity to verify no major changes have taken place.
The data is usually reviewed in the form of reports (detailed and summarized). Example of events to monitor (a short list):
- #529 to #535 and #539: logon failure (different reasons)
- #629: user account disabled
- #644: user account locked out
17. Auditing and Analysis (cont.)
Possible issues:
- Finding a critical event that was not detected by the real-time monitoring processes. Solution: investigate the incident to eliminate or mitigate any results of malicious activity.
- Duplicated events (domain controller and local server). Solution: correlate and consolidate events using an external system.
- Lack of security policies to help identify events to be audited (e.g. Messenger). Solution: define security policies to determine which event types need to be audited on a regular basis.
- Report requirements are unclear and affect the log detail level. Solution: define auditing processes to determine what type of logs and details are required (TIP: when in doubt, use graphs).
18. Archiving Events
Event archiving is done for two main reasons:
- Log retention compliance (e.g. SOX)
- Forensic investigation of a security incident (chain of evidence)
In general, all system events should be logged. However, by default, not all audit policies are set to generate logs. In particular, detailed tracking of high profile objects (such as files, folders, printers, etc.) is turned off by default. A common misconception is that regular object access events provide this information.
19. Example: Detailed Event Tracking
Detailed event tracking can include the following events:
- #528 Successful Logon (the user authenticates to the system)
- #592 A new process has been created (an application is launched)
- #560 Object Open (a file is requested)
- #567 Object Access (the file is modified and saved)
- #564 Object Deleted
- #562 Handle Closed (the file has been closed)
- #593 A Process Has Exited (the application was terminated)
20. Example: Detailed Event Tracking
Enabling audit policies: Object Access, Logon (Local and Domain), Privilege Use, Process Tracking.
21-22. Example: Detailed Event Tracking
A Very Important Folder (e.g. sensitive documents on a file server). The folder contains files we wish to monitor (compliance, sensitive information, etc.).
23-30. Example: Detailed Event Tracking
Detailed tracking is configured on the resource itself: Security > Advanced > Auditing Tab > Add.
- Select the account or group to be audited.
- Select the events to audit (Read, Write, Delete).
- Each user/group will require additional settings.
33-41. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40. Last Modify: 13-06-07 05:27:39. Filter who was logged in during that time:
- User Logon ID: 0x43F744D
- Excel Process ID: 2916
- File Open Handle: 644
- File (644) modified at 05:27:39
- File (644) closed
- Excel Process (2916) terminated
- Matching modification times
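The chain walked on slides 33-41 (#567 write -> #560 handle -> #592 process -> #528 logon), automated over constructed records as an added example that is not part of the presentation; the file path, the second user and the exact field names of the dicts are assumptions, and the logon ID, PID and handle values are made up to mirror the deck's walkthrough:

```python
"""Reconstruct the actor behind a file modification from detailed tracking
events (added example, not from the presentation). The records are
constructed dicts modelled on Windows 2003 Security log fields for #528,
#592, #560, #567, #562 and #593; logon ID, PID and handle values are made up
to mirror the deck's walkthrough."""
from datetime import datetime, timedelta


def at(clock):
    """Build a datetime on the deck's example date, 13-06-07."""
    return datetime.strptime("2007-06-13 " + clock, "%Y-%m-%d %H:%M:%S")


TARGET = r"D:\Important\budget.xls"      # constructed path to the watched file
EVENTS = [
    {"id": 528, "time": at("04:27:40"), "user": "CORP\\bob", "logon_id": "0x43F744D"},
    {"id": 528, "time": at("04:40:02"), "user": "CORP\\alice", "logon_id": "0x4411A0"},
    {"id": 592, "time": at("05:01:10"), "pid": 2916, "image": "EXCEL.EXE", "logon_id": "0x43F744D"},
    {"id": 592, "time": at("05:02:00"), "pid": 3100, "image": "notepad.exe", "logon_id": "0x4411A0"},
    {"id": 560, "time": at("05:01:30"), "handle": 644, "object": TARGET, "pid": 2916, "logon_id": "0x43F744D"},
    {"id": 560, "time": at("05:03:00"), "handle": 700, "object": r"D:\Important\notes.txt", "pid": 3100, "logon_id": "0x4411A0"},
    {"id": 567, "time": at("05:27:39"), "handle": 644, "access": "WriteData"},
    {"id": 562, "time": at("05:27:41"), "handle": 644},
    {"id": 593, "time": at("05:28:00"), "pid": 2916},
]


def who_modified(events, path, last_modify, tolerance=timedelta(seconds=2)):
    """Walk #567 -> #560 -> #592 -> #528 for the write matching last_modify."""
    def of(eid):
        return [e for e in events if e["id"] == eid]
    # Simplification: assumes a handle number on this path is not reused in
    # the window; on a busy server also match on the process ID.
    opens = {e["handle"]: e for e in of(560) if e["object"] == path}
    for write in of(567):
        opened = opens.get(write["handle"])
        if opened is None or abs(write["time"] - last_modify) > tolerance:
            continue
        proc = next((p for p in of(592) if p["pid"] == opened["pid"]), None)
        logon = next((s for s in of(528) if s["logon_id"] == opened["logon_id"]), None)
        return {
            "user": logon["user"] if logon else None,
            "logon_id": opened["logon_id"],
            "process": proc["image"] if proc else None,
            "pid": opened["pid"],
            "handle": write["handle"],
            "modified_at": write["time"],
            "handle_closed": any(c["handle"] == write["handle"] for c in of(562)),
            "process_exited": any(x["pid"] == opened["pid"] for x in of(593)),
        }
    return None
```

The matching modification time is the pivot: without Object Access and Process Tracking auditing enabled on the folder, the #560/#567 records simply do not exist and the chain stops at the logon.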
42. Archiving Events (cont.)
Possible issues:
- Volume of events (can reach several million events a day from a busy server). Solution: transfer logs to long-term storage (compressed, digitally signed, etc.).
- Lack of security policies to help identify events and processes to be audited (e.g. Messenger). Solution: define security policies to determine which processes and their relevant events need to be logged on a regular basis.
- The event logs are just a portion of the chain of evidence. Solution: define auditing processes to ensure that all the required logs are being gathered and associated (e.g. by a unique ID or a time stamp). For example: associate firewall logs through the Windows event logs to the database logs.
43. Know Your Event Log Limits
Size matters (and it's never enough). Solution: for long term logging, use an external storage system.
44. Know Your Event Log Limits (cont.)
- Log analysis and correlation (especially when using automatic systems like SEM and SIM) often result in a large number of false positives. Solution: knowledge of the network and assets to refine alerts; ongoing tuning.
- Logs are a detective measure and are not an IPS (intrusion prevention system) on their own. Solution: Vista has a partial solution. For complicated responses, leverage an external solution to gather and analyze logs.
- Not all events are logged on the domain controller. These events require a log gathering process. Solution: Vista has presented a solution. Otherwise, use an external log gathering system.
45. Know Your Event Log Limits (cont.)
- Security event logs monitor only the authentication and authorization mechanisms of the operating system. Solution: most applications write (or should write) logs to the Windows event log. These logs can be used to enhance the monitoring capabilities.
- Custom application logs neglect to provide information regarding the log details or the severity of the event. Solution: educate your developers, develop an API, buy something better.
46. Vista Event Log: More Event Categories, More Sources
47-52. Vista Event Log
Redesigned. XML based. Simple to understand..??
53-63. Event Log Tasks (Vista)
- Select an event to open the wizard.
- The type of event is pre-selected (basic).
- Select an action: e-mail settings, or launch a process.
- Finalize settings.
- A new task is born: the task is created and visible in the Task Scheduler (new Tasks category).
65. Event Log Tasks (Vista)
Problem: basic task event details are pre-defined. The next example will:
- Trigger on successful logon events of a specific group
- Create a file with a list of users that logged on
- Highlight user names containing the Admin string
66-76. Event Log Tasks (Vista)
- Create a new task.
- Select the user group.
- Triggers tab > New: trigger the task on an event.
- Switch from Basic to Custom and create a new filter.
- Select event logs (multiple logs!).
- Select event IDs (possibly multiple IDs) and keywords.
- The trigger is saved as an XML query (can be modified).
- The task action will be "Select a Program".
77. Event Log Tasks (Vista)
This VB script searches for the Admin string in the logged-on user name and adds a note beside it.
78. Event Log Tasks (Vista)
The output of three different users logging on to the machine.
79. Event Log @ Vista
- New Event Viewer (interface)
- Over 50 new event categories
- Over 2400 policies (over 1000 in W2K3)
- XML based
- Events are still written locally
- Critical events can be forwarded
- Expanded to serve as a single location for all events (using Windows Remote Manager)
- Events can launch system tasks
80. Resources
- TechNet Auditing Overview (http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55-29c089ade6381033.mspx?mfr=true)
- EventID.net (http://www.eventid.net/search.asp)
- Randy Franklin Smith's Windows Security Log Encyclopedia (http://www.ultimatewindowssecurity.com/encyclopedia.html)
81. Company
- Private Canadian company, Toronto based, providing security consulting and networking solutions for over 10 years.
- Business model focused on delivering timely security information to all areas of an organization (CEO down to administrator).
- Dynamic, agile response to client needs; experience with customers in multiple verticals; experienced management team.
- Consistent approach: provide snapshot security information for senior executives; provide detailed security to-do lists for follow-up by onsite personnel.
- Proven & scalable solutions: phased delivery method ensures client satisfaction; successful deployments with large organizations; clients need fewer in-house qualified security professionals; minimize manual, mundane daily client tasks; leverages both proprietary and industry best-of-breed technologies.
- Extensible framework: adheres to the ISO 17799 framework and security & industry best practices. The Sentry Dashboard is an enabler for any security subsystem, can be adapted to present information from non-security sources (network availability and trending, HR reporting, etc.), and engages all areas of an organization, from senior executives and security officers to hands-on systems and network administrators.