[Dshield] Query on win2k security

Faber, Sidney sfaber at federatedinv.com
Wed Dec 14 14:12:51 GMT 2005


Mike,

You can check out the CIS guides that give some guidance on sensitive
areas of the registry and the file system.  

First, some thoughts on permissions and monitoring:
I wouldn't suggest changing any of the baseline permissions on any
operating system areas of the registry or file system unless you use the
Microsoft-supplied group policy templates.  These changes can have
unexpected, irrevocable consequences that you might not notice for a
while (e.g., the inability to patch, or to clean out your recycle bin,
etc.)  Remember, we're working with the "new" Microsoft, the one that
gives solid security guidance (so long as you don't shoot for legacy
compliance).

You could approach the audit finding in a few different ways.  One way
would be to turn on auditing for a few particularly sensitive
directories and registry hives; then you could collect event logs and
act on "interesting" items--that's a pretty intense solution.  Another
way might be to periodically assess the machines in question--read the
registry keys, inventory the directories, and compare it to your last
snapshot.

Second, a general comment on audits:
Just because an auditor has a finding, it doesn't necessarily mean the
finding is justified.  Good auditors will discuss the finding with you
before they put it in writing, and strive to understand what's going on.
They should be working off of a specific line item, a particular control
that they want to see in place.  Try to find the control and what they
feel is missing.  Try to show them any other controls you have in place
to mitigate the issue.  And if you can't get an understanding, then just
be assertive in your response.  Quote current industry standards from
CIS, NIS and Microsoft in your response to their findings, so that when
senior management review the finding, they can tell that it's bogus.

Finally, if you already have some bindview stuff in house, you might
want to check out their new "compliance center" product.  It's got
canned reports for audit reports.  If, for instance, E&Y comes in for an
audit, you can give them an out-of-the-box report to answer all their
SOX questions.  There's a bit of a fire sale going on until the end of
the year because of the acquisition, so it might be a good time to buy.

HTH!
sid
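
The periodic-assessment approach from the reply above (inventory the directories, compare against the last snapshot), as an added example that is not part of the original message. The file names and contents in `demo()` are constructed, and it covers directories only; registry values exported by another tool could be passed to `compare()` in the same name-to-fingerprint form (an assumption, not shown here).

```python
import hashlib
import json
import os
import tempfile


def inventory(root):
    """Map each file's relative path to its size and SHA-256 digest."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                h = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                snap[rel] = {"size": os.path.getsize(full), "sha256": h.hexdigest()}
            except OSError as exc:
                # Locked or unreadable files are recorded, not silently skipped.
                snap[rel] = {"error": type(exc).__name__}
    return snap


def compare(old, new):
    """Return what was added, removed or changed between two snapshots."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Constructed sample: baseline a temp directory, alter it, re-assess."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("hosts", b"127.0.0.1 localhost\n"), ("old.dll", b"v1")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = json.loads(json.dumps(inventory(root)))  # as if reloaded from disk
        with open(os.path.join(root, "hosts"), "ab") as fh:
            fh.write(b"10.0.0.5 update.example\n")
        os.remove(os.path.join(root, "old.dll"))
        with open(os.path.join(root, "new.exe"), "wb") as fh:
            fh.write(b"MZ")
        return compare(baseline, inventory(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline JSON somewhere the monitored server cannot write to, so a change to the machine cannot also rewrite the snapshot it is compared against.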





> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Mike LeBlanc
> Sent: Tuesday, December 13, 2005 8:28 PM
> To: General DShield Discussion List
> Subject: [Dshield] Query on win2k security
> Importance: High
> 
> 
> Can anyone point me to a good resource on win2k security 
> (general). Internal audit has hit me with an item that I need 
> to be monitoring directories and registry entries for 
> changes. When pressed audit will not tell me which entries, 
> but the examples they gave me were things that are covered by 
> GPOs.  They are still under the NT security model, and when I 
> stated these would be covered under GPOs he asked me what a 
> GPO was!!! His "finding" was rather vague (as many of them are).
> 
> I've looked on the NIST/NSA sites for specifics on win2k 
> (server) doc, but don't seem to find any.  Can someone give 
> me a "best practice" approach to answer his concern regarding 
> server security (monitoring).  I am looking at HIDS for the 
> servers anyway -- can folks share what they are doing for 
> server security?  Auditing?  HIDS/HIPS? Syslogging from audit 
> logs?  What are folks doing for syslogging normalization?
> 
> We use Bindview for semi-regular review, but many of the 
> canned reports cover old issues, and after the fact.  I 
> really am leaning toward a "live" solution like HIDS.  
> Thoughts? Comments?
> 
> Any thoughts, direction is appreciated!
> 
> ml

