Information Networking Security and Assurance Lab, National Chung Cheng University, 2004/03/04

Auditing your Microsoft Windows system: Host-Based Intrusion Detection system
Cao Er-kai (曹爾凱), g92430023@comm.ccu.edu.tw, Tel: 05-272-0411 Ext. 23535
Outline
Description
Purpose
Principle and Pre-Study
Required Facilities
Step by step
Summary
Reference
Description
After a system has been hardened, the final step is to baseline it so that changes indicative of a successful intrusion can be detected. The system logs are an invaluable source of information about the activity on your systems.
Purpose
To introduce simple tools that can be used to create powerful baseline and auditing methods for your systems.
Required Facilities
Hardware: PC or workstation with Microsoft Windows 2000 or XP
Software:
dumpel (Microsoft Windows 2000 Resource Kit): http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp
Microsoft Excel
Microsoft Windows 2000 Resource Kit
Fport (Foundstone): http://www.foundstone.com/resources/termsofuse.htm?file=fport.zip
Challenge procedure
Analyze log files
Baseline open ports
Baseline running services
Schedule baseline audits
Step (I): Analyze log files
Download dumpel, which is used to dump the event logs, and decompress it.
Use dumpel.exe to dump the System event log to a tab-separated file named devent:
dumpel -f devent -l system -t
Process the log file with Microsoft Excel.
The import wizard setup
Sort the data
Filter by Event ID
Step (II): Baseline open ports
Download and then uncompress Fport.
Execute fport and redirect its output to a baseline file.
Step (III): Baseline running services
Usage: NETSVC service_name \\computer_name /command
Execute netsvc and redirect its output to a baseline file for future reference.
Schedule the baseline audits
Test the baseline batch file.
Set up the scheduled task.
Set up with the schedule wizard.
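The whole procedure, as an added example that is not part of the original slides: a batch file that runs dumpel, fport and netsvc, stores the first run as the baseline, and on later runs compares the new snapshot against it with fc. It assumes the three tools are in the PATH, that C:\baseline is the (constructed) baseline directory, and that netsvc /list lists the installed services.

```batch
@echo off
rem audit.bat - added example, not from the slides.
rem Assumes dumpel.exe, fport.exe and netsvc.exe are in %PATH%;
rem C:\baseline is a constructed path.
setlocal
set BASE=C:\baseline
set CUR=C:\baseline\current
if not exist "%BASE%" mkdir "%BASE%"
if not exist "%CUR%" mkdir "%CUR%"

rem 1. Dump the System event log, tab-separated, as on the slide (for review in Excel).
dumpel -f "%CUR%\devent.txt" -l system -t

rem 2. Snapshot open ports and the processes that own them.
fport > "%CUR%\ports.txt"

rem 3. Snapshot installed services (netsvc /list: assumed syntax).
netsvc /list \\%COMPUTERNAME% > "%CUR%\services.txt"

rem First run: no baseline exists yet, so keep this snapshot as the baseline.
if not exist "%BASE%\ports.txt" (
    copy "%CUR%\ports.txt" "%BASE%\ports.txt" >nul
    copy "%CUR%\services.txt" "%BASE%\services.txt" >nul
    echo Baseline created in %BASE%
    goto :eof
)

rem Later runs: compare against the baseline. fc returns ERRORLEVEL 1 when files differ.
set CHANGED=0
fc /L "%BASE%\ports.txt" "%CUR%\ports.txt" > "%CUR%\ports.diff"
if errorlevel 1 set CHANGED=1
fc /L "%BASE%\services.txt" "%CUR%\services.txt" > "%CUR%\services.diff"
if errorlevel 1 set CHANGED=1

rem Append one line per run to an audit log; the .diff files hold the details.
if "%CHANGED%"=="1" (
    echo %DATE% %TIME% CHANGE DETECTED - review %CUR%\*.diff >> "%BASE%\audit.log"
) else (
    echo %DATE% %TIME% no change >> "%BASE%\audit.log"
)

rem Command-line equivalent of the schedule wizard (Windows XP and later):
rem schtasks /create /sc daily /st 02:00 /tn "Baseline audit" /tr "C:\baseline\audit.bat"
endlocal
```

Any new listening port or service that appears in the .diff files should be explained before the baseline is updated, since a changed baseline that silently absorbs an intruder's service defeats the purpose of the audit.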
18
Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/0418 summary Before a hardened system is put into production, a baseline of the system is made for future auditing and forensic purpose Simple tools can be scripted to easily monitor the large system for any unexpected changes