Securing Windows NT Installation

    Enabling System Auditing

    STATUS: Completed / Not implemented / Not applicable

    Enabling system auditing can inform you of actions that pose security risks and possibly detect security breaches.

    To activate security event logging, follow these steps:

    1. Log on as the administrator of the local workstation.

    2. Click the Start button, point to Programs, point to Administrative Tools, and then click User Manager.

    3. On the Policies menu, click Audit.

    4. Click the Audit These Events option.

    5. Enable the options you want to use. The following options are available:

    • Log on/Log off: Logs both local and remote resource logins.

    • File and Object Access: File, directory, and printer access.

      Note: Files and folders must reside on an NTFS partition for security logging to be enabled. Once the auditing of file and object access has been enabled, use Windows NT Explorer to select auditing for individual files and folders.

    • User and Group Management: Any user accounts or groups created, changed, or deleted. Any user accounts that are renamed, disabled, or enabled. Any passwords set or changed.

    • Security Policy Changes: Any changes to user rights or audit policies.

    • Restart, Shutdown, And System: Logs shutdowns and restarts for the local workstation.

    • Process Tracking: Tracks program activation, handle duplication, indirect object access, and process exit.

    6. Click the Success check box to enable logging for successful operations, and the Failure check box to enable logging for unsuccessful operations.

    7. Click OK.

    Note that auditing is a “detection” capability rather than a “prevention” capability. It helps you discover security breaches after they occur and should therefore always be considered in addition to, not instead of, preventive measures.


    Auditing Base Objects

    STATUS: Completed / Not implemented / Not applicable

    To enable auditing on base system objects, add the following value to the registry key:

    Hive:  HKEY_LOCAL_MACHINE\SYSTEM
    Key:   System\CurrentControlSet\Control\Lsa
    Name:  AuditBaseObjects
    Type:  REG_DWORD
    Value: 1

    Note that simply setting this value does not start generating audits. The administrator must also turn auditing on for the “Object Access” category using User Manager. The registry setting only tells the Local Security Authority (LSA) that base objects should be created with a default system audit control list (SACL).


    Auditing of Privileges

    STATUS: Completed / Not implemented / Not applicable

    Certain privileges in the system are not audited by default, even when auditing of privilege use is turned on. This is done to control the growth of the audit log. The privileges are:

    1. Bypass traverse checking (given to everyone).

    2. Debug programs (given only to administrators).

    3. Create a token object (given to no one).

    4. Replace process level token (given to no one).

    5. Generate Security Audits (given to no one).

    6. Backup files and directories (given to administrators and backup operators).

    7. Restore files and directories (given to administrators and backup operators).

    Privilege 1 is granted to everyone, so it is meaningless from an auditing perspective. Privilege 2 is not used in a working system and can be removed from the Administrators group. Privileges 3, 4 and 5 are not granted to any user or group; they are highly sensitive and should not be granted to anyone. Privileges 6 and 7, however, are used during normal system operation and are expected to be exercised. To enable auditing of these privileges, add the following value to the registry key:

    Hive:  HKEY_LOCAL_MACHINE\SYSTEM
    Key:   System\CurrentControlSet\Control\Lsa
    Name:  FullPrivilegeAuditing
    Type:  REG_BINARY
    Value: 1

    Note that these privileges are not audited by default because backup and restore are frequent operations, and the privilege is checked for every file and directory backed up or restored. This can produce thousands of audit records and fill the audit log in no time. Consider carefully before turning on auditing of these privileges.
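    As an added example (not part of the original checklist), the following PowerShell script reports the two LSA values described in the Auditing Base Objects and Auditing of Privileges sections in the checklist's own Completed / Not implemented terms, and sets them when run with -Apply. It assumes a current Windows version where the same Lsa key and the auditpol tool exist (auditpol is an assumption, not mentioned in the original) and an elevated shell.

```powershell
# Added example: check (and optionally apply) the AuditBaseObjects and
# FullPrivilegeAuditing values from the checklist. Key path and value names
# come from the checklist; the use of auditpol is an assumption.
param([switch]$Apply)

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaAuditSetting {
    param([string]$Name)
    $props = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }   # value does not exist
    $value = $props.$Name
    # REG_BINARY is returned as byte[], REG_DWORD as int; normalise both to a flag
    if ($value -is [byte[]]) { return ($value.Length -gt 0 -and $value[0] -eq 1) }
    return ($value -eq 1)
}

# AuditBaseObjects is REG_DWORD 1; FullPrivilegeAuditing is REG_BINARY 01
$settings = @(
    @{ Name = 'AuditBaseObjects';      Type = 'DWord';  Value = 1 },
    @{ Name = 'FullPrivilegeAuditing'; Type = 'Binary'; Value = [byte[]]@(1) }
)

foreach ($s in $settings) {
    $enabled = Get-LsaAuditSetting -Name $s.Name
    $status  = if ($enabled) { 'Completed' } else { 'Not implemented' }
    Write-Output ('{0,-22} {1}' -f $s.Name, $status)

    if ($Apply -and -not $enabled) {
        # Set-ItemProperty creates the value if it is absent; -Type selects the
        # registry data type, so the REG_BINARY value is written as a byte array
        Set-ItemProperty -Path $LsaKey -Name $s.Name -Value $s.Value -Type $s.Type
        Write-Output ('{0,-22} set to 1 ({1})' -f $s.Name, $s.Type)
    }
}

# The registry values alone generate no events: the Object Access and
# Privilege Use audit categories must be enabled in the audit policy as well.
Write-Output ''
Write-Output 'Audit policy for the categories these values depend on:'
auditpol /get /category:"Object Access"
auditpol /get /category:"Privilege Use"
```

    Run without -Apply for a read-only compliance check; with FullPrivilegeAuditing enabled, expect the audit log to grow quickly during backups, as the note above warns.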