Windows2000 Server Intrusion Monitoring


After careful security configuration, a Win2000 server can defend against more than 90% of intrusion and penetration attempts. But system security is a continuous process: as new vulnerabilities emerge and the applications on the server change, the security status of the system also keeps changing. At the same time, because attack and defence are two sides of one contradiction, and every time the defence rises a foot the attack climbs ten, a system administrator cannot guarantee that a server providing services will never be compromised over the long term.

Therefore, completing the security configuration of a server is not the end of security work but rather the beginning of a long and tedious task. This article explores preliminary Win2000 server intrusion detection techniques, in the hope of helping you maintain server security over the long term.

Intrusion detection here refers to using Win2000 Server's own features together with software or scripts the administrator writes; firewalls and dedicated Intrusion Detection Systems (IDS) are outside the scope of this article.

Now suppose we have a Win2000 Server that has already been through an initial security configuration (for details see "Win2000 Server security configuration entry"). In this case most intruders will be turned away. Note that I say most, not all: after the initial security configuration the server can keep out most script kids (people who only use programs written by others to break into servers), but against a real master it is still vulnerable. Although real masters do not casually enter other people's servers, you cannot rule out that some ill-intentioned master has taken a fancy to your server. (Am I really that unlucky?) Moreover, there is often a vacuum period between the discovery of a vulnerability and the release of its patch, during which anyone who knows the vulnerability details can exploit it. At that point intrusion detection becomes very important.

Intrusion detection depends mainly on the applications that provide services: each service should have its own detection and analysis mechanism in the protected system. For an ordinary host, the following aspects deserve the most attention:

1. Detection based on port 80 (the WWW service)

The WWW service on port 80 is probably the most common target of intrusion. Because this service faces the majority of users and carries high traffic and complexity, it also has the most vulnerabilities and intrusion techniques. On NT, IIS has always been a headache for administrators (I would love to just shut down port 80), but fortunately the logging built into IIS can, to some extent, be a powerful helper for intrusion detection. IIS log files are stored by default in the System32/LogFiles directory and are generally rolled over every 24 hours; the details can be configured in the IIS manager. (I don't care how specifically you configure it, but if you do not keep detailed records, don't cry later when you cannot find the intruder's IP.)

Now let's assume (assumptions again? Bear with me: I cannot actually break into a host just to write this article) that we have a web server running the WWW service. You are its administrator and have carefully configured IIS to use the W3C extended log format, recording at least Time, Client IP, Method, URI Stem, URI Query and Protocol Status. We use the popular Unicode vulnerability for the analysis. Open an IE window and enter the following in the address bar:

127.0.0.1/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir

By default you will see a directory listing (what? You did the security configuration and cannot see it? Restore the default installation, we have an experiment to run). Now look at the IIS log: open Ex010318.log (Ex stands for the W3C extended format, and the digits that follow are the date of the log), and you will find an entry like:

07:42:58 127.0.0.1 GET /scripts/..\../winnt/system32\cmd.exe /c+dir 200

This entry says that at 07:42:58 GMT (that is, 23:42:58 local time) someone (the intruder) at IP 127.0.0.1 used the Unicode vulnerability on your machine (%c1%1c decodes to "\"; the exact sequence differs between Windows language versions) to run cmd.exe with the parameter /c dir, and succeeded (HTTP 200 means a correct return). (Wow, the record really is complete; think twice before playing with Unicode in future.)

In most cases IIS will faithfully record any request it receives (there are special cases where IIS does not record an attack, which we discuss later), so a good administrator should be good at using the logs to discover intrusion attempts and protect the system. However, IIS logs run to tens of megabytes, and on a high-traffic server even dozens of gigabytes, so checking them by hand is almost impossible; the only option is log analysis software. Writing a log analysis tool (really just a text filter) in any language is very simple, but considering some practical situations (the administrator cannot program, or no log analysis software is at hand on the server), here is a simple method. Say you want to know whether anyone has tried to fetch your Global.asa file through port 80; you can use the following CMD command:

find "Global.asa" ex010318.log /i

This command uses the built-in find.exe tool (so it is always at hand in an emergency) to pull the string you want out of a text file: "Global.asa" is the string to search for, ex010318.log is the file to filter, and /i means ignore case. Since I have no intention of turning this article into a Microsoft help document, please consult the Win2000 help file for the other parameters of this command and for the usage of its enhanced version, FindStr.exe.

Whether you use log analysis software or the find command, you can build a list of sensitive strings covering existing IIS vulnerabilities (such as "+.htr") and resources that future vulnerabilities are likely to call on (such as Global.asa or cmd.exe). By filtering the logs against this continually updated string table, you can learn of an intruder's actions as early as possible.

A reminder: any log analysis software consumes system resources, so a low-priority task like IIS log analysis is best run automatically at night when the server is idle; if you also write a script that mails the filtered suspicious entries to the administrator, even better. If the sensitive string table is large and the filtering strategy is complicated, I suggest it is more cost-effective to write a dedicated program in C.
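As an added example (not code from the original article), here is a small Python filter that does what the find command above does over a whole W3C extended log: it parses the #Fields line, matches a sensitive-string table against the URI stem and query case-insensitively, and reports time, client IP and status for each hit. The sample log is constructed here to mirror the article's entry; the field names are the standard W3C ones (c-ip, cs-uri-stem, cs-uri-query, sc-status).

```python
from urllib.parse import unquote

# Constructed sample W3C extended log, modelled on the article's entry.
# IIS writes the decoded path, so the %c1%1c sequence appears as "\".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:42:58 127.0.0.1 GET /scripts/..\\../winnt/system32\\cmd.exe /c+dir 200
07:43:10 10.0.0.5 GET /default.asp - 200
07:44:02 10.0.0.9 GET /Global.asa+.htr - 404
07:45:31 10.0.0.5 GET /images/logo.gif - 304
"""

# Sensitive-string table as the article describes it: known IIS bugs (+.htr),
# resources an intruder goes after (Global.asa, cmd.exe) and traversal itself.
# Compared lower-case, like `find /i`.
SENSITIVE = ["+.htr", "global.asa", "cmd.exe", "../", "..\\"]


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # field names can change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):   # skip malformed or truncated lines
                yield dict(zip(fields, values))


def matched_tokens(entry):
    """Return every sensitive token found in the request's stem and query."""
    raw = entry.get("cs-uri-stem", "") + " " + entry.get("cs-uri-query", "")
    # Decode %xx once more in case a log kept the encoded form; the traversal
    # tokens still match after "%c1%1c" turns into replacement characters.
    target = unquote(raw).lower()
    return [tok for tok in SENSITIVE if tok in target]


def find_suspicious(text):
    """Return (time, client IP, tokens, status) for each suspicious entry."""
    hits = []
    for entry in parse_w3c(text):
        tokens = matched_tokens(entry)
        if tokens:
            hits.append((entry["time"], entry["c-ip"], tokens, entry["sc-status"]))
    return hits


if __name__ == "__main__":
    for when, ip, tokens, status in find_suspicious(SAMPLE_LOG):
        print("%s %s matched %s (HTTP %s)" % (when, ip, ", ".join(tokens), status))
```

Run it against a real Ex*.log instead of SAMPLE_LOG (for example from a scheduled night-time task) and mail the returned list to yourself; extend SENSITIVE as new IIS vulnerabilities appear.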

2. Detection based on the security log

Through IIS-log-based intrusion detection we can learn in advance who is watching us (if you handle things carelessly, those watchers can become intruders at any time). But IIS logs are not omnipotent; under certain circumstances they cannot even record an intrusion that comes through port 80. From my analysis of the IIS logging system, IIS writes a log entry only after a request has completed. In other words, if a request fails halfway there is no trace of it in the log file (failure here does not mean an HTTP 400 error, but an HTTP request that is never completed at the TCP layer, for example an abnormal interruption while POSTing a large amount of data). An intruder can therefore bypass the logging system and complete a great deal of activity.

Moreover, on a host that offers more than just port 80, the intruder can reach the server through other services, so it is necessary to build a comprehensive security monitoring system.

Win2000 ships with a very strong security logging system that keeps detailed records of everything from user privileges to logons; unfortunately, security auditing is turned off in the default installation, so after some hosts are compromised there is no way to trace the intruder. So the first step is to enable the necessary audits under Administrative Tools - Local Security Policy - Local Policies - Audit Policy. In general, logon events and account management are the events we care about most, and auditing both success and failure for them is necessary; the other categories should at least have failure auditing enabled, which makes things difficult for the intruder. Enabling auditing alone does not fully solve the problem: if the size and retention of the security log are not configured well, a sophisticated intruder can bury his real tracks under a flood of forged intrusion requests. Normally, setting the security log size to 50MB and only overwriting events older than 7 days avoids this.

Setting up the security log without checking it is almost as bad as not setting it up at all (the only advantage is that you can trace the intruder after the fact), so establishing a routine for inspecting the security log is just as important. For the security log, the recommended check time is every morning, because intruders like to act at night (speeds are faster, and if you get caught halfway into an intrusion there is no time even to cry). The first thing each morning is to see whether the log shows anything abnormal; then you can do other things with peace of mind. If you like, you can write a script that mails the security log to you every day (but don't rely on it blindly: if a master has altered your script, you will receive "nothing to report" every day...).

Besides the security log, the system log and application log are also very good auxiliary monitoring tools. In general, an intruder leaves traces in the security log (if he gets Admin permission he will certainly wipe them), but clues will also remain in the system and application logs. As an administrator you must be alert to any abnormality, so that it is hard for intruders to hide their tracks.

3. File access logging and the protection of critical files

In addition to the system's default security audit, for critical files we can additionally set up file access logging to record who accesses them.

There are many file access options that can be audited: read, modify, execute, create, attribute change ... In general, auditing reads and modifications already plays a significant role in surveillance.

For example, if we monitor changes to, creation in, or even reads of some important files in the system directory (such as cmd.exe,

Copyright © Windows knowledge All Rights Reserved