Windows 2000/XP DSS Auditing
Written by: Darren Bennett - CISSP
Originally Written 08/04/04
Last Updated 08/07/04
Intro:
The NISPOM “Chapter 8” establishes requirements for auditing and securing information systems (IS). This document describes how to meet the requirements in preparation for Certification and Accreditation (C&A). The information included is intended to be used as a guide and is not endorsed by the DoD/DSS. All Information systems have unique requirements and therefore, it is important that the DSS Chapter 8 documentation be your primary reference to ensure compliance.
References:
The following documents/sites were used in developing this guide:
● http://www.dss.mil/ (The DSS Website)
● http://www.dss.mil/isec/ch8w_isl.pdf (NISPOM Chapter 8)
● DSS Auditing Documentation for Windows 2000/XP
(Originally prepared by Northrop Grumman IS Security, updated by Steven Scott (ISSP/DSS) and Anna Schaffroth (ISSM/SAIC))
● http://www.sans.org/rr/ (The SANS reading room)
● http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/09detect.mspx (Microsoft Corporation Solution for Securing Windows 2000 Server
● http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/520.mspx (Microsoft Corporation Security Configuration Manager tools)
● http://www.windowsecurity.com/articles/Securing_the_Windows_2000_Registry.html (Windows Security.com Securing the registry reference)
Updates:
**NOTE** This is a “living” document and will be updated regularly. Check http://www.sans.org/score to ensure you have the latest version.
Any improvements, changes or suggestions for modification should be sent to . Feedback is encouraged!
Contents:
I. Configure Login Banners:
1. Example Banner
- Implementation
II. Restrict alternate boot device access, disable access to the system
PROM:
1. Explanation
2. Implementation
III. Configure File System Permissions and Auditing:
1. Verify that the file system is NTFS (convert if necessary)
2. Secure the Windows OS filesystem and enable auditing
3. Enable Security and Auditing for the SAM database, The Registry, Event Log Files (Audit Archive) and Anti virus software
IV. Set Security Policies, Settings, Rights Assignments and Special configuration options
V. Notes about user accounts
VI. Audits and Audit files:
1. Configuring Event Viewer
2. Performing Security Audits and saving log files
VII. Policy review questions, Windows Event IDs
I. Login Banners:
- Example Banner:
The following text must be displayed at the login screen for all users.
***DoD Warning Banner***
Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy.
If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times.
2. Implementing:
To implement a logon banner on Windows 2000/XP, perform the following steps:
a. Open Control-Panel and double-click “Administrative Tools”
b. Select “Local Security Policy”, “Security Options” and follow the steps below that apply to your version of Windows
Windows XP:
Step 1-For Windows XP, click on “Interactive logon: Message title for users attempting to log on” and enter the header (***DoD Warning Banner***)
Step 2 -For Windows XP, click on “Interactive logon: Message text for users attempting to log on” and enter the text specified in step 1.1. (minus the header)
Windows 2000:
Step 1-For Windows 2000, click on “Message title for users attempting to logon” and enter the header (***DoD Warning Banner***)
Step 2-For Windows 2000, click on “Message text for users attempting to log on” and enter the text specified in step 1.1. (minus the header)
(This is an example of the logon banner title field on Windows XP:)
II. Restrict alternate boot device access and disable access (require authentication) to the system PROM/BIOS
1. Explanation
In order to prevent unauthorized access attempts from alternate boot devices on the system, we must configure the system BIOS (aka PROM) to prevent booting from all devices (other than the approved system disk). Booting from network interfaces should also be disabled. A BIOS password must also be set and activated to prevent a user from changing these settings.
2. Implementation
Modifying the PROM/BIOS settings differs from system to system. Consult your system hardware documentation for details on how to restrict which devices are boot-able and enable password protection of the PROM/BIOS.
III. Configure File System Permissions
1. Verify that the file system is NTFS (convert if necessary)
In the Windows operating system environment, a file system must be NTFS format to effectively audit file/system access attempts and setup security.
Steps to verify that a Windows file system is NTFS:
a. Double click on the “My Computer” Icon
b. Select the hard disk (i.e. “C:”) and right click
c. Select “Properties”, In the “General” tab, the “File system” field should display “NTFS”
d. Repeat steps a-c for all hard disks on the system
(Verifying that the file system is NTFS)
Steps to convert a file system to NTFS:
a. Click “Start”, “Run”
b. Type “convert c: /fs:ntfs” in the Run dialog that opens and click “ok” (replace the “c:” with the letter of the drive to convert if multiple drives need to be converted)
c. Repeat steps a-b for each disk on the system
(Converting a disk to NTFS)
- Secure the Windows OS files and enabling
auditing
a. Open Windows Explorer and right click on the directory containing the Windows OS (usually either c:\windows or c:\winnt)
b. Select “Properties” and click on the “Security” tab
c. Verify that the permissions match
the following (and no other access has been granted)
Administrators (Group) - Full Control
SYSTEM (Group) - Full Control
Administrator (User) - Full Control
Authenticated Users (Group) - Read/Execute (ONLY)
d. Click the “Advanced” tab, click “Permissions”
e. Make sure that the check box “Reset
permissions on all child objects and enable
propagation of inheritable permissions” is
checked
f. Apply the settings by clicking “ok” followed by
“yes”
g. To prevent difficulties with printing for non-
administrative users, edit the permissions on the
“C:\windows\system32\spool” and
“C:\windows\temp directories” as follows:
· Right-click the directory, select
Properties, and then select Security
tab
· Select “Authenticated Users” and check “Allow” for “Write” access
h. Enable auditing of the Windows OS directory:
· Open the Windows OS directory (C:\windows or c:\winnt) in
Explorer and then right-click on it and select “properties”, “advanced”
· Click the “auditing” tab.
· Click “add” and select “Authenticated Users”
· Select all entries from the “Failed” column except “Write Attributes” and “Write Extended Attributes”
· The settings for auditing should match the following:
(Settings for the Auditing of the Windows OS directory)
(Settings for auditing of the Windows OS directory)
3. Enable security and auditing for the SAM database, The Registry, Event Log Files (Audit Archive) and Anti virus software
a. Setting security and auditing for the SAM
database
1. Navigate to the SAM database via Windows explorer. (the SAM database resides in two directories- c:\winnt\repair and c:\winnt\system32\config
(or for Windows 2000)
c:\windows\repair and
c:\windows\system32\config
2. Right click the “sam” file and then
click “properities”
- Click on the “Security” tab
- Ensure that the settings displayed when both files are examined match the following (with no additional users having access to these files):
(Security settings for the c:\windows\repair\sam and c:\windows\system32\config\sam files)
b. Setting security and auditing for the registry
- Secure remote access to the registry:
a. Click on “Start”, “Run” and type “rededt32.exe” then click “OK”
b. Open HKEY_Local_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
c. If a “winreg” key exists, select it and then select “security”, “permissions” (if not, skip to step f)
d. Allow the Administrators (Group) full access, the System and Authenticated Users(Groups) read access, remove the Everyone (Group) if it is listed
e. Exit rededt32 and reboot the system.
f. If the winreg key was not present, create a new one by selecting “edit”, “add key” and naming the key “winreg”
g. Click the new key, select “edit”, “add value” and enter:
Name: Description
Type: REG_SZ
Value: Registry Server
h. Follow steps d and e above to secure the key
2. Enable auditing of specific keys and subkeys
a. From step d (above), click the
advanced button in the
permissions window and enable
auditing of specific keys and
subkeys
b. The
HKEY_LOCAL_MACHINE\SYSTE
M\CurrentControlSet\Control\Sec
urePipeServer\winreg key should
have auditing enabled
3. Limit access to the registry by restricting the number of users with Administrator access
4. Remove the registry editor from the system if possible to deter modification attempts
5. Disable Registry tools through GPO by setting the GPO, creating a group and assigning the GPO to all users (except Administrators). This will prevent the use of regedit and rededt32
(User Configuration\Administrative Templates\System)
- Audit archive folder security
An “Audit Archive” folder should be created on the desktop of the person tasked with performing system audits.
Logon as the Audit user, right-click on his/her desktop and select “new”, “folder”, name the folder “Audit Archive”
Limit permissions on this folder to the auditor and SYSTEM accounts.
Right-click on the “Audit Archive” folder, click properties and select the security tab.
Remove the access for the Administrators group. The only permissions granted to access the “Audit Archive” folder should be for the audit user and SYSTEM. (they will be listed in the “Name list”)
(Permissions for Audit Archive folder on Auditors desktop)
**NOTE**(In this example, the Auditor has the user name “Auditor”. This is not recommended. The Auditor should have a genuine user name (i.e. DoeJ) then, under description the term Auditor can be used. This makes it clear as to who has been assigned the role of auditor for the system.
- Anti-virus Software Security and Auditing
The anti-virus software on the system must be protected from modification from anyone except the Administrator. The steps required to do this will differ based on the anti-virus product in use. The following steps provide an example of how to secure Symantec Norton Anti-virus. Securing other anti-virus products will require similar procedures (performed on different file/directory locations)
Securing Norton Anti-virus and enabling auditing:
Securing Anti-virus:
- Right-click c:\program files\common files\symantec shared\ in Windows explorer
- Select “properties”, then click the “security” tab
- Verify that the following users/groups (and ONLY the following) have the permissions shown below:
Administrators (Group) - Full Control
Authenticated Users (Group) - Read and Execute
SYSTEM - Full Control
Enabling Auditing of the Anti-virus program:
- Right-click “c:\program files\common files\symantec shared\” in Windows Explorer
2. Click “properties”, click the “security” tab
and click “advanced”
3. Click “Auditing”
4. Click “Add”, “Authenticated Users”
5. Select all entries in the failed column
except “Write Attributes” and “Write
Extended Attributes”
(Configuring auditing for Anti-virus software)
IV. Set Security Policies, Settings, Rights Assignments and Special configuration options:
1. Security Settings/Policies/Settings
Though not covered in this document, using domain security policies, the policy settings covered in this section can be implemented from the server and applied to it's clients. Additionally, creating a policy file template and using it on each system could assist in implementing the settings shown here.
a. Creating the local security policy:
· To create a local security policy for Windows 2000/XP, click “start”, “settings”, “control panel”, “administrative tools” and then double-click “Local Security Policy”
· You should see the following screen:
(Local Security Settings Screen)
Select (click) “Account Policies”, “Password Policy” and make sure the settings match the settings below:
(Local Security Settings – Password Policy)
Select (Click) “Account Policies”, “Account Lockout Policy” and make the settings match the following:
Select (Click) “Local Policies”, “Audit Policy” and set the Local Audit Policy as follows:
Select (Click) “User Rights Assignment” (below “Local Policies”), set the Local User Rights Assignment to permit only Administrators to modify the system time:
(Modifying who can change the system time)
2. Rights Assignments and Special configuration options
In order to allow a non-administrative user to perform audits, the “Manage auditing and security log” setting needs to have that user added. This can be done by “double-clicking the “Manage auditing and security log” field within “Local Security Settings”, “Local Policies”, “User Rights Assignment”.
(Modifying who can manage auditing and security logs)
A couple of “special” configuration options that need to be set are:
a. “Do not display last user name in logon screen:”
This is set from the “Local Policies”, “Security Options”
portion of the “Local Security Settings” window.
Double-click on “Do not display last user name in logon
screen” and select “Enabled”
(Setting the “Do not display last user name in logon screen”)
b. Anti virus Software updates:
The anti virus software must have it's virus
“signatures” updated every thirty days (at minimum) by a
user with Administrator access. The procedures to
update virus signatures differ between manufacturers
(refer to the documentation that came with your
software for information on how to perform these
updates)
1. Notes about user accounts
● Only required and approved system accounts should exist
● The “Guest” account (and any other unused system accounts)should be disabled
a. Right-click on “My Computer”, select “Manage”,
click “Local Users and Groups”, click “Users”