Re: (remotely/automatically) Detecting IIS changes?
From: x y, mvp (levinson_k@despammed.com)
Date: 03/21/03
- Next message: Andy Freeman: "Re: Problem installing IIS - admxprox.dll"
- Previous message: x y, mvp: "Re: Best practices for single IIS webserver"
- In reply to: Ralph: "(remotely/automatically) Detecting IIS changes?"
- Next in thread: x y, mvp: "Re: (remotely/automatically) Detecting IIS changes?"
- Reply: x y, mvp: "Re: (remotely/automatically) Detecting IIS changes?"
- Reply: Keith W. McCammon: "Re: (remotely/automatically) Detecting IIS changes?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y, mvp" <levinson_k@despammed.com> Date: Fri, 21 Mar 2003 08:08:01 -0500
Well, watching the metabase is not a bad idea, but it's not the first thing
I would watch, since IMHO most exploits are not going to bother to change
the metabase. Before you watch the metabase, make sure you're watching all
files. SIM from www.gfi.com is free and is the best free solution I've
found for Windows. [though by default it runs just once a day, AFAIK.] The
files you need to watch vary from machine to machine, but tuning is easy.
Just run it for a week or so and for files that change, confirm that they
look like legitimate changes [easier if the server is pre-production and not
on the internet or network yet] and then exclude those files from being
watched. Very effective for detecting many kinds of incidents and teaching
you about which files should and should not change. Be sure you watch the
startup folders.
For monitoring registry files, you could use REGEDT32 or a Group Policy MMC
to enable auditing on, say, the HKLM hive to monitor for changes made by any
user, and then use a Windows event log monitor to watch the event log for
changes. That's what the ISS RealSecure HIDS does, except that ISS is
expensive and IMHO not the best. www.ipsentry.com is a tool that will
monitor windows log file entries and a whole lot more, for around $120 [you
can monitor multiple servers with just one copy]. Monitoring windows log
file is processor intensive, so I'd run it on a dedicated workstation or a
server with low CPU utilization. IPSentry can call your cell phone, pager,
email, phone, send popup messages, stop or restart services, run batch files
and other commands, etc. [Again, there are probably lots of registry values
that change regularly, so exclude those registry values or keys from being
audited.]
DUMPEL from the Windows resource kit [not free, but comes free with technet]
and the free PS log dumping utility from www.sysinternals.com will let you
monitor these logs from a batch file, e.g. dump the relevant parts of the
log to a text file, and compare the text file to the file from the previous
dump using something like the FC command. Cruder, but free and
customizable. I suggest running DUMPEL locally as I've had inconsistent
results running it remotely against the Security log. If you do this, the
NET SEND command or BLAT would let you send popup messages or email alerts.
The most important registry keys to watch would be the ones where files,
processes and services are started from when Windows starts. www.google.com
should tell you which ones. Some of these might include for starters:
hklm\software\microsoft\windows\currentversion\run
hklm\system\currentcontrolset\services
Links to help with enabling auditing for intrusion detection:
http://securityadmin.info/faq.htm#auditing
You could also use file auditing to audit file changes, additions and
deletions the same way registry changes are monitored above.
I guess you know this, but hackers can edit or delete log files including
windows event log files to hide intrusions. Using one of several SYSLOG
solutions such as NTSYSLOG along with a free or not free syslog client like
www.kiwisyslog.com can help you try to maintain windows event log integrity
by exporting your log to an external dedicated server. You could then use
syslog or another solution to monitor the syslog entries and generate alerts
as necessary.
"Ralph" <ralphlos@hotmail.com> wrote in message
news:1d2901c2eef9$adf3ab10$a601280a@phx.gbl...
> Hi all, I'm working with a team which has been tasked with
> the goal of using a product such as TripWire to detect
> changes (both intentional and otherwise) within our IIS
> servers. Maybe someone can suggest a particular
> file/files/folders/registry keys to watch for changes in?
> I can only think of the global.asa file, but that's lately
> changed to my knowledge.
> For example, we'd like to be alerted when an
> administrator creates a new "Virtual Root" anywhere on the
> IIS box. This is often done haphazardly and the IIS admin
> team doesn't always report the creation of the site....so
> we'd like to come up with a way to monitor them....suggestions?
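The reply's workflow (take a baseline of the files, run it for a while, exclude the files that legitimately change, then alert on added/changed/deleted files; and separately dump the event log to text and compare with the previous dump) can be reproduced with a small portable script. The following is an added example written for this archive page, not code from the poster or from any of the tools named above. Everything in it is an assumption: the directory layout, the exclusion patterns and the two log dumps are constructed for illustration, and the "dump" lines imitate only the idea of a text export, not DUMPEL's real output format.

```python
"""Baseline-then-compare file monitoring plus log-dump diffing.

Added example, not part of the original post. Paths, patterns and the
sample log dumps below are constructed for illustration.
"""
import fnmatch
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Tuning list: files that legitimately change (logs, temp files) are added
# here during the trial week instead of being alerted on.  Constructed.
DEFAULT_EXCLUDES = ["*.log", "*.tmp"]


def _digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root, excludes=DEFAULT_EXCLUDES):
    """Map every non-excluded file under root (relative POSIX path) to its hash."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(fnmatch.fnmatch(rel, pat) for pat in excludes):
            continue
        snap[rel] = _digest(path)
    return snap


def compare_snapshots(baseline, current):
    """Return added, changed and deleted paths as sorted lists."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return {"added": added, "changed": changed, "deleted": deleted}


def new_log_entries(previous_dump, current_dump, watched=None):
    """Lines in the current text dump that were absent from the previous one
    (the FC idea), optionally narrowed to lines mentioning watched keys."""
    prev = set(previous_dump.splitlines())
    new = [ln for ln in current_dump.splitlines() if ln.strip() and ln not in prev]
    if watched:
        new = [ln for ln in new if any(w.lower() in ln.lower() for w in watched)]
    return new


# Constructed sample dumps: an older export and a newer one with two new lines,
# only one of which touches a registry key worth alerting on.
SAMPLE_PREVIOUS_DUMP = """\
2003-03-21 08:00:01 Security Success Audit 560 Object Open Key: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer
"""
SAMPLE_CURRENT_DUMP = SAMPLE_PREVIOUS_DUMP + """\
2003-03-21 08:05:17 Security Success Audit 560 Object Open Key: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer
2003-03-21 08:05:18 Security Success Audit 560 Object Open Key: \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""
WATCHED_KEYS = ["CurrentVersion\\Run", "CurrentControlSet\\Services"]


def demo():
    """Build a throwaway tree, take a baseline, mutate it, and compare."""
    tmp = Path(tempfile.mkdtemp())
    try:
        www = tmp / "inetpub" / "wwwroot"
        www.mkdir(parents=True)
        (www / "global.asa").write_text("<script></script>\n")
        (www / "default.htm").write_text("hello\n")
        (tmp / "inetpub" / "access.log").write_text("line1\n")
        baseline = snapshot_tree(tmp)
        # Later: one legitimate log append (excluded), one edit, one add, one delete.
        (tmp / "inetpub" / "access.log").write_text("line1\nline2\n")
        (www / "global.asa").write_text("<script>changed</script>\n")
        (www / "new.asp").write_text("<% %>\n")
        (www / "default.htm").unlink()
        return compare_snapshots(baseline, snapshot_tree(tmp))
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    for line in new_log_entries(SAMPLE_PREVIOUS_DUMP, SAMPLE_CURRENT_DUMP, WATCHED_KEYS):
        print("ALERT:", line)
```

`snapshot_tree` is what you would run once to build the baseline and store as JSON, then again on a schedule; the exclusion list is the tuning step the reply describes. `new_log_entries` keys on exact line identity, so a dump format that includes timestamps will report every new audit event, and the `watched` filter is where the startup-related registry keys go.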