Mike Cohen. We're both auditors, and we work for a large bank in California. Basically what we're going to talk about today is Windows NT and Novell logging from an auditor's point of view. This is a pretty simple presentation showing how to review the logs.

Just a real quick administrative thing: after us is decrypt talking about web application security, and after that, it's not in here, but have our flock is supposed to be talking also, after decrypt. So just to make one thing clear, feel free to ask questions during this. We'll try and keep it somewhat informal and we'll do our best to answer the questions.

This is the outline of the presentation. First we'll talk about logging purposes from a generic point of view. Then we'll hit Windows NT specifics: native tools, audit log event analysis, and then third-party tools. We'll do the same for Novell 4.11, and then we'll look at what events to look for specifically for intrusion detection.

Now I know a lot of you are going, "Gee, why are you talking about this old technology?" Part of it is it's what we have. Another thing is, for a lot of you out there, these are already running your businesses, and sometimes it's hard to rip this stuff out, or you may inherit some of this stuff and you may want to try and make sure it's a little bit secure, or at least understand what's going on in your network.

Okay, this slide outlines some auditing concepts. Again, we're auditors and we're taking that point of view. Pretty scary. So these are the criteria an auditor would look for in an auditing tool. Audit has to be independent of operations. And just to be clear here, I know there's a lot of movement, or a lot of people say "Well, we do security audits," when you do security consulting. For this presentation, when we talk about audit we talk about traditional audit that's governed by the rules of the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and the Information Systems Audit and Control Association. Note: CISAs, not CPAs.

The next topic is separation of duties. The auditor has to be independent, again, from operations. The auditor comes at systems from a different point of view; they have their own agenda. From an operations point of view you want to keep the systems running; we want it to be auditable. Another thing that's very important for auditors is read-only access: the auditor can't be accused of altering the data to have findings. Authorization: a good auditing tool will give different auditors different abilities within the auditing tool. Accounting: it's good to know who did what in the auditing tool. And of course, detecting audit log tampering.

Native tools: the first one, from Novell, is called AuditCon. It comes with Novell, and that's an excellent utility. It fills all these criteria, including access control: the administrator of the Novell box cannot use the AuditCon tool; he can actually be locked out. NT audit is really just the basics; it's not really an auditing tool from an auditor's perspective.

Okay, from a generic point of view, auditing tracks the following types of information: user actions, resource usage, file system security, access control, and logon/logoff activity.

Okay, on this slide what we're going to do is look at audit goals and cross-reference audit goals to what you want to look at. So if you want to justify resources (I think somebody said "louder"; justify resources), you want to look at write events to an application, or the use of print queues. To diagnose problems and performance problems, you want to look at file opens related to the application that is slow.
I'm just going to hit the first two on each slide unless there are any questions. Next what we're going to look at is trying to cross-reference the threats to what you want to look at in the audit log. The first type of threat would be intrusion-type break-ins using random passwords, Crowbar, etc. Enable failure auditing for logon events; that's obvious. Break-in using stolen passwords: you want to enable success auditing. Success auditing and failure auditing are both very useful; a lot of people think just failure auditing is important. So getting back to break-in using stolen passwords, enable success auditing for logon and logoff events. Again, this doesn't mean that the person using the password is the person who owns the password; you can never assume that. Look at unusual activity, like people logging on in the middle of the night, etc.

Now this kind of brings up a good point, though: this is just information from one host, or however many hosts you have auditing on. This is a key thing to use when you're correlating information, whether you've got an extra system to do the correlation automatically for you, or whether you have to look at the logs after the fact and try and correlate between a couple of different servers. And a few of you out there are probably thinking that, at least with NT, auditing for a lot of this stuff does take up resources. That's kind of where we're saying: we're audit; in a sense, operations, it's your job to provide us this information. Processing power is cheap; get more. So it's just a mindset difference. It's a definite mindset difference.

Okay, what's audited, again looking at threats: improper access to sensitive files. You can enable success or failure auditing at the file level for the sensitive files.

Now we're going to focus in on Windows NT, discuss the native tools and some detects, etc. This is what it looks like, and this is an auditor's dream here: everything turned on to audit. So this is something you want to adjust for your environment. Obviously there's nothing to audit if there's no audit trail, so it really depends upon the environment and what the server is doing. I mean, a PDC and a BDC will be different than a server that's doing file and print serving, and something that's in HR is different than something that's, say, on a manufacturing floor or in an R&D lab. So it really depends upon what the server's purpose is and who's accessing it for what. Everything's off by default; all auditing is turned off by default when you first install Windows NT.

This slide just elaborates on the previous slide, telling you what each of the different auditing options does: logon/logoff, of course, and there was success and failure going back to the last slide. Process tracking is important to auditors, but it's a definite resource hog. You definitely want to turn that on if you're trying to prove something, etc. We'd like it on all the time, but okay.

This is what NT file auditing looks like. It's a different screen than the other types of things that you audit. This just shows the types of things that are audited when you turn on file system auditing; for example, on the directory level you can see displaying names of files in the directory, displaying directory attributes. This all will show up in the logs. This is kind of a laundry list of different things you could audit for, and if everything was turned on you would see these types of events. But the best use for this really is to say, okay, what is it that I want to see, what events do I want to have an audit trail for, and then based off of this you can work backwards and determine which events you actually click in the dialog box to audit for.

This is how you look at the logs in Windows NT, something called Event Viewer. And how do you make sense of it? The native tool does have a filter option, but it's primitive. It also should be noted (and we'll show where the logs are held later) that on Windows NT by default, because there isn't a separate auditor from the administrator, somebody that does have administrative authority can tamper with the logs. So you do have to take all that into account; it's not an auditor's dream.

Now this is a sample of the event IDs in Windows NT, and later we'll tell you where to get these event IDs. My favorite of course is 529, unknown username or bad password. So let's look at a scenario. This is a scenario when somebody comes along and tries to open Notepad, with all auditing turned on. So when somebody opens notepad.exe and reads a text file, these are the events that will show up. As you can see, the process opens, it opens a text file, and then again the process is exited when you close Notepad.

Okay, back in the Event Viewer tool, if you double-click on one of those events you're going to see more information on the event, and this is a sample of what you'd see for an event 560. Okay, now one thing is that on the previous slide, where you've got the different events, if you've got a busy server chances are these won't be directly in order one after another. You'd have to hunt and find them, and so that's where seeing the detail, opening it up and looking at it, comes in, because you can look at the handle ID numbers and then you can match up which process it was that actually did it.

Okay, we're touching on third-party tools now. Our favorite tool is BindView, really because it gives us independence from operations. We don't have to be an administrator on the box to look at the logs, and it has a good query capability. Okay, this is a simple trace. I programmed BindView to look for event 539, bad username or password, and as you can see from the time and date, it's systematic.
You can program BindView to look for all of these attributes. This is a sample event correlation signature. You're going to have to look at different boxes; again, with BindView you can audit the entire enterprise from one workstation. With the native tools you really have to go to each one, especially with NT; you have to go to each server, which is very time-consuming. And that's what this shows: a logon success event 539, the same person logging in from different machines at similar times. I mean, he can't be in different geographical locations at the same time, so it definitely puts up a red flag.

This looks into the event description of an unknown username or bad password, but what I wanted to point out in this description is the logon type. That's something with Windows NT that you can query in deeper and actually find out what type of logon, and the next slide actually tells you the type of logon, for example did he log in from the network or was he sitting at the console itself.

[audience question] I can't fully answer that, because we base our work on an internal network, not an internet site or anything like that. There wasn't the chance for us to see that, so I can't answer that question.

This is a shortcoming of BindView for Windows NT: the internals of an event are all lumped into one field, so it's hard to query specific attributes like logon type with BindView for NT. So although it's a great auditing tool for Windows NT, it does have some shortcomings; just wanted to give you a warning.

Types of NT logs: we were just talking about the security log, but there's also an application log and a system log. Some of the ways that you can try and get around this are to use a syslog-type service and pump the logs off to a remote server. And then something I heard at Black Hat during the Honeynet presentation is, if you have a network intrusion detection system (Snort was the one used there) and you just have it capturing all of the packets, if you have it see the syslog entries, essentially your IDS is a passive logging system and you can dump out all the syslog events. So you can actually have them in two places beyond just what's on the server itself. So it's something to consider, depending on how much you value these logs.

Again, these are the locations of the logs, just in case you want to do something with them. I believe so, yeah.

Yeah, this is a tool that comes with the NT Resource Kit. It's called Crystal Reports, and it's really good for querying the data within NT logs. It's very robust; you can query archived event logs or as it's happening. And to do that, for those of you that haven't set up an NT server already, when you're setting up in the Event Viewer you set up the properties of how large each of those three logs that we talked about is, and when they overwrite. You can set up properties to have them archived to a different file, and that's where this comes into play. Of course, this is one machine at a time, excuse me, one server at a time. You can set it up to halt on audit log full, or overwrite. Of course we would like large audit files: job security.

Yeah, this is again going through the fields of Crystal Reports for NT logs; you can really get granular into the details of the events. And this is a sample report, if you want to present evidence to management, etc.

Now we're going to hit Novell specifically.

[audience question] Yes, for certain purposes that would be. Actually, if you're doing an audit on the security of Windows NT, or you want to see something else. But as far as this presentation goes, it's geared more towards: okay, you have a network, it's running, it's up, in our case it's a very large network and there are a lot of things going on, so you just want to have the servers record as much information as possible so you can look at it at a later date to see what's going on in your network, or to see if you've got problems. But for doing something like a security audit, yes, using L0phtCrack or something like that does have a lot of value. Of course, it would fill up logs very quickly. Go ahead.

The question was, what is, in our example, the bank calling for retention. That's really a corporate policy set at a high level. I actually don't remember what it is off the top of my head, but that's a corporate policy decision.

Going on to looking at Novell, this is the AuditCon utility for Novell. This is the first screen. You can set it up, of course, to have passwords for each auditor, and of course the system administrator would not have that password. [audience question] No, the AuditCon utility works differently: its authorization is not based upon the NDS rights. It's very good in that perspective. Once you've assigned somebody the password for AuditCon, they have it, and the administrator's password doesn't override that. It's locked in, and so it's very much a separate utility.

Okay, so this is the AuditCon screen. It shows you how granular you can get. This is audit by event, and then you pick file events or some other type of event. Yeah, to pardon the term, in a lot of ways the NetWare auditing, the granularity you have, it's almost an auditor's wet dream in a sense, because you can audit just about every single thing that goes on. And granted, it is a resource hog; even just auditing a small number of things, the NetWare AuditCon utility is a resource hog across the network, because NetWare is chatty. So this is something you really have to judge based upon your network. You can also audit things that the administrator is doing, so as to provide oversight of the administrator. [audience question] Yeah, it depends what he's doing, but for example, we've got a large network, multiple administrators because we've got multiple sites, so an attempt to do that, because of the many containers, I mean you've got container-level administrative rights, you've got overall tree administrative rights, so it is actually quite a large undertaking to try and do that, to watch what the administrators are doing. Yeah, and you're absolutely right, but that's some of the contention audit runs into with operations. Like we said earlier, we want to audit everything, but operations runs the network, and that's where we can butt heads at times, and decisions have to be made, because all security has a cost, whether it's a real dollars cost or a systems cost. So it's risk management: deciding how much risk you want to accept and how much you want to try and mitigate.

So again, this is looking at the AuditCon utility, looking at the available audit options. Again, you can audit directory services; it's a great change control tool for auditing directory services. This is auditing by events again; once you drill down to the actual thing you want to audit, it's an on/off. This is auditing an individual user, so again, if you want to audit the administrator you would just pick his ID from the screen. Yeah, just turn them on and off; it's as simple as that.

This is again our favorite tool, BindView, for Novell auditing. BindView puts all the attributes of the operating systems into databases, as you can see, and BindView is a robust tool; you can do a lot, but this is just for auditing, using it. Yeah, it's a really good tool, and when you have a large enterprise network, and if you have mixed 4 and 5, BindView's really good as far as being able to query across all the different servers or different containers, getting what you want, really drilling down. It does cost a lot of money and the licensing is a little strange, but it's a very good tool.

[audience question] Yes, for NT there are some; most of them are based upon really treating it like a syslog service and dumping it off the server and then using some sort of standard tool that will comb through your syslogs for certain events. You've got to remember also, from an auditor's point of view, we need a tool that we do not have to be administrator to use and run, so a lot of the tools out there that are open source, you have to be an admin.

Again, this is similar to the Crystal Reports tool: you'd pick your fields, etc. Scope is very important with BindView, because you can run it against 10 servers or a thousand servers all at once; very convenient. [audience question] No, not for NetWare; BindView uses Novell's native query tools to do its work. It's off; there are none. You have to set everything on that you want. Most of the time, from an auditing point of view, 99% of the time, we say "Could I see the logs?" and there are no logs.

This is the AuditCon tool, what you'd see if you actually wanted to view the events. It's hard to work with; that's why we use third-party tools. And again it's based on event ID, similar to NT. Going back one: even if you clear the audit file, and this is very important, there's going to be an event that hits the audit log, so we can note if there's any tampering with the audit log, etc.

What queries to run: this is, if you have time, a sample of some queries to run. Failed login attempts over a threshold, of course; if there are ten duplicated attempts, etc., within a short period of time, then you know that something may or may not be going on. And this is where the power of BindView comes in really handy on a large network, because you can basically program these in, set a batch job to run, and it can just do this. You can even set it up to run on a weekly or monthly basis, what have you, and then the reports are ready. So you can run them on a weekend when it won't be as critical for your environment.
Then you have the information to look at. Again, you always want to look at "the audit log was cleared." For NDS, you want to look at creation and deletion of container objects or tree objects. Abuse of privileges would be like the system admin doing things, maybe looking at confidential HR files that he has the ability to look at but shouldn't be looking at. You'd have to set auditing for that file, and then in the event internals, like with NT when you double-click on an event, you actually see the file name that was opened. BindView does have a small amount of querying features that you can put in there to do specific things like this. You can say, okay, for the file auditing that we have turned on for administrator X, tell me every time they've accessed this directory or any files in this directory, and that's the type of report that you could write. That's why it's down the list; it's not an easy one, not something that you're going to do all the time. You're going to get a lot of pushback, of course, from the administrator when you want to turn these things on. Nobody likes to be under surveillance, I guess. Okay, no questions on the slide; we'll move on.

Correlation is also... I can only think of four, but I'm sure as looking at logs grows, as regulations like HIPAA, etc., come out that say you have to do logging and monitoring, I see also, looking at the market, that new tools are coming out and new techniques are coming out for looking at logs. So correlation would be the same person logging into different physical locations of the network at the same time, which is impossible of course, so it's a red flag. Different people signing into the same machine. Paired events: let's say a person logs on, but you can't see if they ever logged off, so that throws up a red flag. New ideas: I know there are people out there looking to correlate logs on the servers themselves, like NetWare, with firewalls and network transfer layer IDS, etc. This is something that is limited only by your creativity or your budget, because in addition to logs, we haven't touched host-based intrusion detection tools, but there are ones that exist that you can put on these same servers that in a sense take some of this logic for you and do the correlation with other host-based intrusion detection systems, possibly with your network intrusion detection system and everything. So like I said, it's limited either by your creativity or your budget how well you do this.

Okay, BindView for NT and Novell: advantages. This is my favorite: administrator access not needed. It will run in batch mode, so if you want to run it in the middle of the night, query multiple machines at once, it does all the work for you. Basically, BindView itself has application security, so you can put a password on BindView so only the auditor can use it. Of course the disadvantage, sometimes, especially with NT, is that you have to export the data to a tool like Access or even Excel to do more detailed auditing. Again, that was because BindView groups the details of an event into a single field, so it's very difficult to parse it and audit it. BindView can notify you if certain events occur, send you an email, etc. And of course doing Novell and NT with the same tools is very convenient, and BindView also has tools for Unix and Microsoft Exchange. So not that we're trying to plug them, but just showing one tool that you can use for multiple things on an internal network where you're not doing a lot of web services or things like that, and it meets the criteria that an auditor needs.

Crystal Reports, another tool we touched on: the advantage of course is more detailed auditing. Disadvantages, again: administrator access is needed, and one machine at a time; very labor intensive.

Reports to look at: an after-hours report is one that should be reviewed on a regular basis. That would be people logging in, logging off, or other events happening in the middle of the night, etc. Creation and deletion of objects: this touches on change control. Auditors like to know when things are changed and who did them. It's especially important in NDS. And we didn't really talk about Windows 2000, but since they do have ADS now, that type of report on Windows 2000, much like NetWare, is very important, knowing what objects are created and deleted. Because I know for me personally, when I've done some penetration on NetWare before, the first thing you do if you find a misconfigured administrator is you grant yourself some rights, then you set yourself up another user or another way for you to have your rights, and then when you're done you can delete it. And something like that done in a short time frame should set off some bells and whistles for you.

The next one is a failed file access report; that would be my admin looking at the HR files. File attribute change report. Intrusion detection report for Novell: that would be a user being locked out because he tried to log in with a bad username or password over where you'd have intrusion detection set, like five times, etc. Trustee assignment changes report: user given supervisor equivalence, etc. Yeah, and the trustee assignment one's another key one, because much like I was saying just before about if you do gain rights, because of the complexity of NDS, you can have a user that's in a group that has administrative rights to the whole tree or to a container, you can become a trustee of an administrator who's got the rights. So if you become a full trustee of your administrator, you don't actually have the rights, but because you are the trustee of the administrator you can make yourself security equal to that administrator at any time you want, and turn it off, and so you can toggle back and forth quite frequently. This is specific to Novell. Bindery password changes report. NDS, that's Novell Directory Services, password changes: people changing their password in the tree. Changes to the tree, which we've already talked about. NLM modules loaded/unloaded, volumes mounted/dismounted. Again, as Mike talked about, security equivalencies.

NT-specific suggested reports are: NT groups created/deleted, of course; NT password changes; NT policy changes, of course. You want to look if somebody's turning the audit logs on and off; you'd want to know about that.

Other considerations that are bleeding edge, I guess you can say, are remote logging and out-of-band logging. Event correlation is what we touched on already; we'll see that in the future. Change control auditing from a protected baseline: that's again looking at change control. That's a real big one for us as auditors, because we like to know when things are changing and for what reason. When you've got a large production environment, and we've got a very formal change control process, this gives us a tool to go back and see if it's working like it's supposed to, because when you have a large distributed network with a centralized change control management function, they may approve and disapprove when changes are going to go in, but without something to go back and look at, you don't know if it's an effective control or not. That is something we would like to do; it has not been implemented at this time, but it would be something that we would love to be able to do. At this point it would have to be totally separate. And again, other types of auditing would be looking at the network transfer layer auditing tools, such as somebody tries to throw a packet at your machine at a port you don't have open, etc.

This is where you get event ID information, straight off the manufacturer's website. Novell: that's the document number to get the event IDs. And NT, you can get some off the website, but to really get a complete database of them, it comes with the NT Resource Kit, and that's the file name that comes on the Resource Kit. It's a Microsoft Access database. But if you query Microsoft's Knowledge Base on their website you can get a pretty decent list of what things are. And obviously they want you to buy the Resource Kit, but it gives you an idea, for each event, of what the different parameters are that it's going to dump into the log for you. So it gives you a little bit of an idea, when you're trying to find something that you haven't seen before, of where to get more information.

For NT again, the audit help file on the Resource Kit: it's just a regular Windows help file, but it tells you what each option does on the native tools and gives you some description of what each event does. NTObjectives.com is a good site; actually, it was a good site, because JD Glaser is now a member of Foundstone and the information that used to be on NTObjectives is no longer there, so that's one thing we need to fix on this. And EventID.net has also been very, very helpful. Again, it seems to be like a resurgence of people looking at logs. Novell: there's a link there for application notes; it's like a book that tells all about the AuditCon utility and how to use it. It's a PDF file.

And by the way, next to our names inside the DEF CON brochure, it flipped the certification list. Bob's actually a certification whore; that's why he's got a bunch of the GSEC stuff from SANS. So yeah, this originated from a SANS paper that they made me write for the GSEC, so if you want to look at that, the paper's at sans.org, and it's the same long-ass title as the presentation. And there are our email addresses if you have any questions on specific events, etc. That's it. Okay, thanks. Thank you. Are there any questions?
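The queries the speakers recommend running against the logs (failed logons over a threshold, the same account logging on from two machines at almost the same time, a logon with no matching logoff, the audit log being cleared, and the after-hours report) can be expressed in a few lines once the security-log records are in a queryable form. The following is an added example written for this page, not code from the talk, from BindView or from the speakers' SANS paper. It assumes a flat record per NT security-log entry and the standard NT event IDs 528 (successful logon), 538 (logoff) and 517 (audit log cleared) in addition to the 529 the talk cites; the sample records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows NT security-log event IDs. The talk cites 529 directly;
# 528, 538 and 517 are assumed here from the NT 4 event ID list.
EVT_AUDIT_LOG_CLEARED = 517
EVT_LOGON_SUCCESS = 528
EVT_LOGON_FAILURE = 529
EVT_LOGOFF = 538


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _ev(time, server, event_id, user, workstation):
    """One flattened security-log record (the shape a BindView/Crystal export would give)."""
    return {"time": _t(time), "server": server, "id": event_id,
            "user": user, "workstation": workstation}


# Constructed sample records for the example; not taken from the talk.
SAMPLE_EVENTS = (
    # twelve bad-password events against jsmith inside one minute: above threshold
    [_ev("2001-07-13 02:10:%02d" % (i * 4), "PDC1", EVT_LOGON_FAILURE, "jsmith", "WS17")
     for i in range(12)]
    + [
        # two failures for kwong spread across the day: below threshold, normal typos
        _ev("2001-07-13 08:45:00", "PDC1", EVT_LOGON_FAILURE, "kwong", "WS03"),
        _ev("2001-07-13 16:20:00", "PDC1", EVT_LOGON_FAILURE, "kwong", "WS03"),
        # mcohen logs on from two workstations on two servers three minutes apart
        _ev("2001-07-13 08:00:00", "FS-LA", EVT_LOGON_SUCCESS, "mcohen", "WS21"),
        _ev("2001-07-13 08:03:00", "FS-SF", EVT_LOGON_SUCCESS, "mcohen", "WS88"),
        _ev("2001-07-13 17:00:00", "FS-LA", EVT_LOGOFF, "mcohen", "WS21"),
        _ev("2001-07-13 17:05:00", "FS-SF", EVT_LOGOFF, "mcohen", "WS88"),
        # bob logs on at 03:00 and never logs off: after hours and an unpaired logon
        _ev("2001-07-13 03:00:00", "FS-LA", EVT_LOGON_SUCCESS, "bob", "WS05"),
        # kwong logs on and off normally
        _ev("2001-07-13 09:00:00", "FS-LA", EVT_LOGON_SUCCESS, "kwong", "WS03"),
        _ev("2001-07-13 18:00:00", "FS-LA", EVT_LOGOFF, "kwong", "WS03"),
        # the security log on PDC1 was cleared overnight
        _ev("2001-07-13 03:30:00", "PDC1", EVT_AUDIT_LOG_CLEARED, "Administrator", "PDC1"),
    ]
)


def failed_logons_over_threshold(events, threshold=10, window=timedelta(minutes=5)):
    """Accounts with >= threshold bad-password events (529) inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == EVT_LOGON_FAILURE:
            by_user[e["user"]].append(e["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def simultaneous_logons(events, window=timedelta(minutes=15)):
    """Same account logged on successfully from two different workstations within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == EVT_LOGON_SUCCESS:
            by_user[e["user"]].append(e)
    hits = []
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["time"])
        for i, a in enumerate(logons):
            for b in logons[i + 1:]:
                if b["time"] - a["time"] > window:
                    break
                if a["workstation"] != b["workstation"]:
                    hits.append((user, a["workstation"], b["workstation"]))
    return hits


def logons_without_logoff(events):
    """Paired-event check: a 528 on a user/workstation pair never closed by a 538."""
    open_sessions = {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["user"], e["workstation"])
        if e["id"] == EVT_LOGON_SUCCESS:
            open_sessions[key] = open_sessions.get(key, 0) + 1
        elif e["id"] == EVT_LOGOFF and open_sessions.get(key, 0) > 0:
            open_sessions[key] -= 1
    return sorted(k for k, n in open_sessions.items() if n > 0)


def audit_log_cleared(events):
    """Every 517 event: which server's security log was cleared, by whom, and when."""
    return [(e["server"], e["user"], e["time"]) for e in events
            if e["id"] == EVT_AUDIT_LOG_CLEARED]


def after_hours_logons(events, start_hour=22, end_hour=6):
    """Successful logons in the overnight window (wraps midnight)."""
    return [(e["user"], e["workstation"], e["time"]) for e in events
            if e["id"] == EVT_LOGON_SUCCESS
            and (e["time"].hour >= start_hour or e["time"].hour < end_hour)]


if __name__ == "__main__":
    print("failed logons over threshold:", failed_logons_over_threshold(SAMPLE_EVENTS))
    print("same account, two workstations:", simultaneous_logons(SAMPLE_EVENTS))
    print("logons without logoff:", logons_without_logoff(SAMPLE_EVENTS))
    print("audit log cleared:", audit_log_cleared(SAMPLE_EVENTS))
    print("after-hours logons:", after_hours_logons(SAMPLE_EVENTS))
```

Each function is one of the batch queries the talk describes, so they can be scheduled together over an exported log and the results compared across servers; the threshold, correlation window and after-hours window are parameters because, as the speakers say, the right values depend on the server's purpose and the environment.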