1 / 18

Auditing your Microsoft Windows system Host-Based Intrusion Detection system

Auditing your Microsoft Windows system Host-Based Intrusion Detection system. Cao er kai ( 曹爾凱 ) g92430023@comm.ccu.edu.tw Tel: 05-272-0411 Ext. 23535. Outline. Description Purpose Principle and Pre-Study Required Facilities Step by step Summary Reference. Description.

silas-bradshaw
Download Presentation

Auditing your Microsoft Windows system Host-Based Intrusion Detection system

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Auditing yourMicrosoft Windows systemHost-Based Intrusion Detection system Cao er kai (曹爾凱) g92430023@comm.ccu.edu.tw Tel: 05-272-0411 Ext. 23535 2004/03/04

  2. Outline • Description • Purpose • Principle and Pre-Study • Required Facilities • Step by step • Summary • Reference 2004/03/04

  3. Description • After a system has been hardened, the final step is to baseline it so that changes that are indicative of a successful intrusion can be detected. • The system logs are an invaluable source of information regarding the activity on your systems. 2004/03/04

  4. Purpose • To introduce you to simple tools that can be used to create powerful baseline and auditing methods for your systems 2004/03/04

  5. Required Facilities • Hardware • PC or Workstation with Microsoft Windows 2000 or XP • Software • dumpel • http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpel-o.asp • Microsoft Excel • Micorsoft Windows 2000 resource kit • Fport • http://www.foundstone.com/resources/termsofuse.htm?file=fport.zip 2004/03/04

  6. Challenge procedure • Analyze log files • Baseline open ports • Baseline running services • Schedule baseline audits 2004/03/04

  7. Step (I): Analyze log files • Download “dumpel” for analyze the log files and decompress that. 2004/03/04

  8. Use dumpel.exe to output the system log file Dumpel –f devent –l system -t 2004/03/04

  9. process the log file by Micorsoft Excel 2004/03/04

  10. The import wizard setup 2004/03/04

  11. Sort the data 2004/03/04

  12. Filter the Event ID 2004/03/04

  13. Step (II): Baseline open ports • Download and then uncompress Fport • Execute fport and redirect its output to a baseline file 2004/03/04

  14. Execute netsvc and redirect its output to a baseline file for future reference useage NETSVC service_name \\computer_name /command 2004/03/04

  15. Schedule the baseline audits • Test the baseline batch file. 2004/03/04

  16. Setup the scheduled task 2004/03/04

  17. Setup with the schedule wizard 2004/03/04

  18. summary • Before a hardened system is put into production, a baseline of the system is made for future auditing and forensic purpose • Simple tools can be scripted to easily monitor the large system for any unexpected changes 2004/03/04

More Related