
UltimateWindowsSecurity.com

File Integrity Monitoring with the Windows Security Log

Made possible by:


2011 Monterey Technology Group Inc.

Brought to you by

http://www.logrhythm.com

Speaker
David Pack, Manager, Knowledge Engineering

Preview of Key Points

File Integrity Monitoring
1. Native auditing
   - Audit policy
   - Events
   - Limitations
2. Periodic comparison
3. Real-time monitoring
Demonstration of LogRhythm's File Integrity Monitoring


File Integrity Monitoring: Native Auditing

- Audit policy
- Events
- Limitations


Native Auditing

Audit policy is set at 2 levels:
- System
  - Win 2003: Object Access - Success
  - Win 2008: File System - Success
- File

Native Auditing (file level)

Who to audit? Everyone
What operations?
- Delete
- Write
- Append
- Ownership
- Change permissions
Apply onto: Files only


Native Auditing
Which files? Start with EXEs and DLLs
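The two audit-policy levels from the preceding slides, applied to the EXEs and DLLs under one directory, as an added PowerShell example (not code from the slides or from LogRhythm). It assumes an elevated prompt on Windows 2008 or later and an example path $Target; the rights, identity and "files only" inheritance follow the settings listed on the slides.

```powershell
# Added example: enable native file auditing for EXEs and DLLs under $Target.
# Settings follow the slides: Everyone; Delete, Write, Append, Ownership,
# Change permissions; apply onto files only. Run elevated (SACL writes need
# SeSecurityPrivilege). $Target is an assumed example path.
$Target = 'C:\Program Files\ExampleApp'   # assumption: directory to audit

# 1. System level: success auditing for the File System subcategory
#    (Windows 2008+; on Windows 2003 this is the Object Access category).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. File level: add a SACL entry (audit rule) on the directory that is
#    inherited by files only (ObjectInherit + InheritOnly = "Files only").
$identity  = New-Object System.Security.Principal.NTAccount('Everyone')
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, WriteData, AppendData, TakeOwnership, ChangePermissions'
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$auditFlag = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagate, $auditFlag)

# -Audit is required so Get-Acl reads the SACL and not only the DACL.
$acl = Get-Acl -Path $Target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Verify: list the EXEs and DLLs and show whether the inherited rule reached them.
Get-ChildItem -Path $Target -Recurse -Include *.exe, *.dll |
    ForEach-Object {
        $sacl = (Get-Acl -Path $_.FullName -Audit).Audit |
            Where-Object { $_.IdentityReference -eq 'Everyone' }
        [PSCustomObject]@{
            File    = $_.FullName
            Audited = [bool]$sacl
            Rights  = ($sacl | ForEach-Object { $_.FileSystemRights }) -join ';'
        }
    } | Format-Table -AutoSize
```

The verification step is the check worth keeping: a file copied into the directory with its own explicit SACL, or a file whose inheritance has been broken, will show Audited = False and would otherwise be silently unmonitored.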

Native Auditing

Events:
- Win2003: 567 - Object Access Attempt
- Win2008: 4663 - An attempt was made to access an object
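Reading the 4663 events the slide names back out of the Security log, as an added PowerShell example (not code from the slides). It assumes an elevated prompt, a one-day look-back window and an interest in .exe/.dll objects; the AccessMask bit names are the standard file access-right bits that 4663 reports as a hex string.

```powershell
# Added example: turn recent 4663 events into objects that answer
# "who touched which file, from which process, with which operation".
# Assumptions: elevated prompt (Security log), 24 h window, .exe/.dll only.
$since      = (Get-Date).AddHours(-24)      # assumption: look back one day
$watchedExt = '.exe', '.dll'                # assumption: extensions of interest

# Access-mask bits as 4663 reports them (the event carries a hex string such as 0x2).
$maskNames = [ordered]@{
    0x2     = 'WriteData'
    0x4     = 'AppendData'
    0x10000 = 'Delete'
    0x40000 = 'WriteDAC'      # change permissions
    0x80000 = 'WriteOwner'    # take ownership
}

function ConvertFrom-Event4663 {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # The named fields live in EventData/Data elements of the event XML.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $mask = [int]$data['AccessMask']        # "0x2" etc. parses as a hex literal
    $ops  = foreach ($bit in $maskNames.Keys) { if ($mask -band $bit) { $maskNames[$bit] } }
    [PSCustomObject]@{
        Time    = $Event.TimeCreated
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process = $data['ProcessName']
        Object  = $data['ObjectName']
        Ops     = $ops -join ','
    }
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-Event4663 $_ } |
    Where-Object { [IO.Path]::GetExtension($_.Object) -in $watchedExt -and $_.Ops } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Filtering on the decoded operations (rather than on the raw event) is what keeps the output to the Delete/Write/Append/Ownership/Permission changes the SACL was meant to catch; 4663 is also logged for reads if the SACL is broader than the slides recommend.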


Native Auditing
How to centrally manage audit policy?

Native Auditing

How to filter out false positives from system update agents? Per-user selective auditing:

auditpol /set /subcategory:"File System" /user:updateagent /exclude /success:enable

http://technet.microsoft.com/en-us/library/cc781822(WS.10).aspx


Native Auditing

Limitations:
- Won't work for some application files such as MS Office documents
- Can be voluminous if misconfigured
- Work involved in configuring and interpreting

Other considerations

DLLs and EXEs are only part of the picture.

PCI 11.5: "Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly. Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider)."

Windows configuration isn't stored in files, and audit policy catches most security-relevant changes. Applications are another matter: get to know your applications.


Other methods: Periodic comparison

- Periodically read each file and compute a hash
- Repeat, comparing current hash to stored hash
- Report differences

Advantages
- Simple to implement

Disadvantages
- Omits whodunnit
- Latency
- Reverse changes between observations? (a change made and undone between two scans is never seen)
- Periodic peaks in resource usage
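The periodic-comparison method as a schedulable script, added here as an example (not code from the slides or from any product). The first run stores a SHA-256 baseline; later runs compare against it and report added, removed and changed files. The target and baseline paths are assumptions, and the report deliberately shows the method's limits: no account, no process, and nothing about a change that was reverted before the next run.

```powershell
# Added example: periodic hash comparison. Schedule it (e.g. weekly, per PCI 11.5);
# the first run writes the baseline, every later run diffs against it.
# $Target and $Baseline are assumed example paths.
param(
    [string]$Target    = 'C:\Program Files\ExampleApp',        # assumption
    [string]$Baseline  = 'C:\ProgramData\fim-baseline.json',   # assumption
    [string[]]$Include = @('*.exe', '*.dll')
)

function Get-FileHashTable {
    param([string]$Path, [string[]]$Include)
    $table = @{}
    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        # Full path is the key, so a rename shows up as Removed + Added.
        $table[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

function Compare-FileHashTable {
    param([hashtable]$Old, [hashtable]$New)
    $report = @(foreach ($p in $New.Keys) {
        if (-not $Old.ContainsKey($p))  { [PSCustomObject]@{ Change = 'Added';   File = $p } }
        elseif ($Old[$p] -ne $New[$p]) { [PSCustomObject]@{ Change = 'Changed'; File = $p } }
    })
    $report += @(foreach ($p in $Old.Keys) {
        if (-not $New.ContainsKey($p))  { [PSCustomObject]@{ Change = 'Removed'; File = $p } }
    })
    return $report
}

$current = Get-FileHashTable -Path $Target -Include $Include

if (-not (Test-Path $Baseline)) {
    # First run: persist the baseline as JSON.
    $current | ConvertTo-Json | Set-Content -Path $Baseline
    "Baseline written: $($current.Count) files"
    return
}

# JSON comes back as a PSCustomObject; rebuild the hashtable for comparison.
$stored = @{}
(Get-Content -Path $Baseline -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $stored[$_.Name] = $_.Value }

$diff = Compare-FileHashTable -Old $stored -New $current
if ($diff.Count -gt 0) {
    # Compare with a 4663 event: there is no user, no process and no timestamp
    # of the change here, only the fact that the content differs from the baseline.
    $diff | Sort-Object Change, File | Format-Table -AutoSize
} else {
    'No differences since last baseline'
}
```

Two operational points follow from the disadvantages list: the baseline file itself must be protected (a writable baseline can simply be re-hashed after a change), and the scan walks and hashes every file each time, which is the "periodic peaks in resource usage" the slide mentions.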

Other methods: Real-time monitoring

Monitoring application hooks into the file system and is notified of changes in real time.

Advantages
- Can provide more informative, easier-to-read messages than native auditing
- No latency

Disadvantages
- More intrusive
- Fear of stability issues
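A minimal real-time watcher built on .NET's FileSystemWatcher, added as an example of the notification model the slide describes (not code from the slides or from LogRhythm's agent). It assumes an example path $Target and a user-mode process; a commercial agent hooks lower in the file system stack, which is where the "more intrusive" trade-off comes from.

```powershell
# Added example: real-time change notification with FileSystemWatcher.
# $Target is an assumed path; the script watches until Ctrl+C.
$Target = 'C:\Program Files\ExampleApp'   # assumption

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $Target
$watcher.Filter = '*.*'
$watcher.IncludeSubdirectories = $true
# FileName covers create/delete/rename, LastWrite covers content, Security covers ACL/owner changes.
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Security'

$action = {
    $e    = $Event.SourceEventArgs
    $when = $Event.TimeGenerated.ToString('s')
    $msg  = switch ($Event.SourceIdentifier) {
        'FimRenamed' { '{0} renamed {1} -> {2}' -f $when, $e.OldFullPath, $e.FullPath }
        default      { '{0} {1,-8} {2}' -f $when, $e.ChangeType, $e.FullPath }
    }
    # Keep the demo to executables and libraries, as the slides suggest.
    if ($e.FullPath -match '\.(exe|dll)$') { Write-Host $msg }
}

$subs = foreach ($ev in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $ev -SourceIdentifier "Fim$ev" -Action $action
}
$watcher.EnableRaisingEvents = $true
"Watching $Target (Ctrl+C to stop)"

try {
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
}
finally {
    # Runs on Ctrl+C as well, so subscriptions and the handle are released.
    $watcher.EnableRaisingEvents = $false
    $subs | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
    $watcher.Dispose()
}
```

Note what this model shares with hash comparison: the notification names the file and the kind of change, not the account or process behind it. That "whodunnit" still comes from the 4663 event or from an agent that correlates the two, which is why the slides treat real-time monitoring as a complement to, not a replacement for, the Security log.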


Bottom Line

- File integrity monitoring is required
- Compensating controls feasible for some situations
- Key challenges:
  - Knowing which files, especially in applications, to monitor
  - Dealing with false positives
- 3 methods available
- Real-time monitoring provides most functionality
