Audit Security Relevant Files

By Chief D
1. I must audit security-relevant objects and directories in Windows. Specifically, operating system executables, operating system configuration, system management and maintenance executables.
2. I'm tasked to reduce the size of audits.
- I need a comprehensive list of the above files to audit in Windows NT, Windows 2000, and Windows XP.
- Can this auditing be done by selecting file types (.exe, .cmd, etc.) within the Windows directories?
- What file types cover all the required security-relevant operating system files?
- Any ideas on accomplishing these 2 tasks without turning on auditing for the entire Windows directory (generates massive audit logs)?
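One way to try the per-file-type approach the question asks about, as an added PowerShell example that is not part of the thread. It assumes an elevated session on a Windows version with PowerShell 3.0 or later, and the extension list and the audited rights are choices to adjust, not a definitive list of security-relevant files:

```powershell
# Added example, not from the thread.  Puts audit entries (SACLs) only on the
# executable and configuration file types named below, under the Windows
# directories, instead of auditing the whole tree.  Assumes an elevated
# session and that the "Audit object access" policy is enabled; without it
# the SACLs are set but no events are logged.

$Roots      = @("$env:SystemRoot", "$env:SystemRoot\System32")
$Extensions = @('.exe', '.dll', '.sys', '.com', '.cmd', '.bat', '.scr', '.msc', '.inf', '.ini')

# Audit writes, deletes and permission changes only; auditing Read/Execute on
# system binaries is what produces the massive logs the question mentions.
$Rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$Flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

function Get-SecurityRelevantFiles {
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() }
    }
}

function Set-SelectiveFileAudit {
    foreach ($file in Get-SecurityRelevantFiles) {
        $acl  = Get-Acl -LiteralPath $file.FullName -Audit
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $Rights, $Flags)
        $acl.AddAuditRule($rule)          # merges with any existing audit entries
        Set-Acl -LiteralPath $file.FullName -AclObject $acl
    }
}

# Report which of the selected files still carry no audit entry at all,
# so the result can be checked after the run.
function Get-UnauditedFiles {
    Get-SecurityRelevantFiles | Where-Object {
        (Get-Acl -LiteralPath $_.FullName -Audit).Audit.Count -eq 0
    }
}

Set-SelectiveFileAudit
Get-UnauditedFiles | Select-Object -ExpandProperty FullName
```

Setting a SACL requires the SeSecurityPrivilege, which an elevated administrator has; without it Set-Acl fails on every file.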


by howard_nyc In reply to Audit Security Relevant F ...

suggestions (1 of 3)
introduction:
there are a number of things that are vulnerabilities at the highest levels of MS WIN OS, MS AD and MS SQL SERVER. Before you do any of these things, think it through and check with your CIO and/or network manager, since inter-departmental politics will be important.
---
MS AD. . .
---
1. Inventory of all network IDs is to be reviewed quarterly (or more often). The first time you will need to do all of these things (but the good news is that once done, it is a matter of handling new IDs)
2. Check for accidental (and deliberate) duplications of IDs (e.g., "HOWARD" and "H0WARD"; note the "zero" in place of the "oh")
3. Obsolete IDs (e.g., Jane Smith gets married and HR makes you perform the IT portion of the change-of-name, only you forget to delete "JANE SMITH" after creating "JANE SMITH-KLIEN")
4. Neglecting to set expiration dates for IDs assigned to consultants, interns, temp employees, etc.;
5. Neglecting to disable IDs assigned to vendors for use during updates and/or debugging;
6. Incomplete descriptive info for each ID in the AD's description: usually job title, phone #, etc.; when an ID is associated with an application, then the application and its version
7. Cross-referencing IDs with the current staff roster (get that from HR)
8. Establishing liaison with HR to get a revised (total) roster every month (i.e., first Monday, last Friday, etc.) and then look for the deltas
9. Establish policy for departing employees: ID will be disabled on the date of separation
10. Establish policy for employees out on extended leave: ID will be disabled on the start date of leave
11. Identify all IDs used off-site: VPN, dial-in, public computers in hotels, etc.
12. Determine the MACs for laptops, office desktops and home desktops in order to run scans for anomalous usage


by howard_nyc In reply to Audit Security Relevant F ...

suggestions (2 of 3)
---
MS SQL SERVER
---
Cancel Announcement of SQL Server on a Network:
1. Click (button) Start
2. Click (start menu) Settings
3. Click (start sub-menu) Control Panel
4. double-click Network.
5. Click (tab) Services
6. In the Network Services list, click Server, and then click Properties.
7. Select Make Browser Broadcasts to LAN Manager 2.x Clients to reveal the server, or clear the check box to hide the server
8. Update documentation


by howard_nyc In reply to Audit Security Relevant F ...

suggestions (3 of 3)
---
MS WIN OS (desktop and server)
---
Lock Down Remote Access to MS Windows Registry:
1. Editing the registry can be risky, so be sure you have a verified backup before you begin.
2. Go to Start | Run.
3. Enter Regedt32.exe, and click OK.
4. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers.
5. If the winreg key is present, skip to Step 8. If this key doesn't exist, go to Edit | Add Key.
6. Name the key winreg, and give it a class of REG_SZ.
7. Select the new key, and go to Edit | Add Value.
8. Enter the following:
Name: Description
Type: REG_SZ
Value: Registry Server
9. Select the winreg key, and go to Security | Permissions.
10. Make sure the local System Administrators Group has full access, and give read access to the System account and the Everyone group.
11. Close the Registry Editor, and restart the computer.
