RE: [logs] Windows Logs Auditing

From: Luis Toloza (pf_ltolozaat_private)
Date: Mon Aug 11 2003 - 14:24:10 PDT


    Thanks a lot, guys!
    These last few days I've been reading several documents about it, and now I see
    the picture more clearly.
    
    Regards,
    
    Luis.
    
    -----Original Message-----
    From: Eric Fitzgerald [mailto:ericfat_private]
    Sent: Monday, August 11, 2003 17:23
    To: Luis Toloza; loganalysisat_private
    Subject: RE: [logs] Windows Logs Auditing
    
    
    Hi Luis,
    
    You don't need to buy new machines for auditing (unless you deploy an audit
    collection product which requires separate machines).
    
    Auditing will impact performance, but usually only slightly.  However, it
    can have a substantial impact on servers that perform a large number of
    auditable actions.
    
    For instance, if you turn on auditing on a workstation, but do not deploy
    SACLs, the impact will be minimal.
    
    If you turn on logon/logoff, account logon, or DS access auditing on a busy
    domain controller, then performance will be impacted noticeably.
    
    There are several things to consider:
    
    1) Have a threat model before enabling auditing.  Don't just turn it on to
    have it on.
    2) Don't enable "Privilege Use" auditing.  Too noisy.
    3) Don't enable CrashOnAuditFail - it turns a repudiation threat into a
    denial-of-service. (aka "Halt the system if unable to log security audits")
    4) Don't enable AuditBaseObjects - too noisy. (aka "Audit access to global
    system objects")
    5) Don't enable FullPrivilegeAuditing - too noisy. (aka "Audit the use of
    the Backup & Restore Privilege")
    6) Don't enable failure auditing unless you have to (and by have to I mean
    that you have a plan of what to do with them).  Some failure audits are
    normal.  For instance, Explorer tries to open ACLs with full control; if
    that operation fails, an audit might be generated, but Explorer knows to
    re-try the operation with less access, and will disable the "apply" control
    in the ACL editor.  Additionally, failure auditing could be used as a
    denial-of-service attack against the log in some cases; I'll leave it to
    your imagination since posts to this list show up in Google searches.
    7) Don't audit for reads.  Too noisy.  If you must audit for reads, try to
    audit a single object rather than a set of objects.  For instance, if you
    want to audit whether someone installed Word from your share, audit
    WinWord.exe, not all the files on the share.
    8) Enable auditing on a test system that mirrors your production
    environment, to measure its impact.
    
    Hope this helps; as Rainer said, I need more information for a more detailed
    answer.
    
    Eric
    
    -----Original Message-----
    From: loganalysis-bouncesat_private
    [mailto:loganalysis-bouncesat_private] On Behalf Of Luis Toloza
    Sent: Wednesday, July 30, 2003 8:05 AM
    To: 'loganalysisat_private'
    Subject: [logs] Windows Logs Auditing
    
    Hi Eric,
    I'm sorry if I bother you with a question, but I do need to evaluate the
    impact over the network of activating the audit logs for the
    domain machines. I need to answer questions like:
    do we need to buy new servers and workstations? Do we need any new
    machines? More hard drives? Do we need to buy software for
    processing the logs to obtain reports?...
    I know my question may not be precisely specific, but if you can give me
    some help I'll be very glad to take it ;-)
    
    Thankfully awaiting your response,
    
    Luis Toloza R.
    pf_ltolozaat_private
    Phone: (56)(2)670 29 10
    Fax: (56)(2)670 22 28
    
    
    
    
    ****************************************************************************
    "The information contained in this transmission is confidential and may not
    be used or disseminated by persons other than its addressee(s).
    Unauthorized use of the information contained in this transmission may be
    criminally sanctioned under Chilean law. If you have received this
    transmission in error, please destroy it and notify the sender.
    Given that there is no certainty that this message will not be modified as
    a result of its transmission by e-mail, the Banco Central de Chile will not
    be responsible if its content has been modified"
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
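
An added example in PowerShell, not code from the thread or from either author: it reports the three LSA switches Eric's points 3, 4 and 5 name (the documented values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and, for point 7, places a success-only, execute-only SACL on a single executable rather than on every file of a share. The share path is a placeholder, and the script assumes it is run elevated on the file server.

```powershell
# Added example, not from the thread. Run elevated on the file server.
# Part 1: report the three LSA switches Eric advises against (his points 3-5).
# These are the documented values under ...\Control\Lsa; 1 means enabled.
function Get-NoisyAuditSwitches {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $switches = [ordered]@{
        'CrashOnAuditFail      (Halt the system if unable to log security audits)' = $lsa.CrashOnAuditFail
        'AuditBaseObjects      (Audit access to global system objects)'            = $lsa.AuditBaseObjects
        'FullPrivilegeAuditing (Audit the use of Backup & Restore privilege)'      = $lsa.FullPrivilegeAuditing
    }
    foreach ($name in $switches.Keys) {
        $v = $switches[$name]
        # FullPrivilegeAuditing is REG_BINARY (one byte); the other two are REG_DWORD
        if ($v -is [byte[]]) { $v = if ($v.Length -gt 0) { [int]$v[0] } else { 0 } }
        [pscustomobject]@{
            Setting = $name
            Enabled = ($v -eq 1)   # True means the noisy or DoS-prone option is on
        }
    }
}
Get-NoisyAuditSwitches | Format-Table -AutoSize

# Part 2: Eric's point 7 - audit one executable, not every file on the share.
# $Target is a placeholder path. SACL events only appear once the Object Access
# audit category is enabled (Group Policy, or auditpol on Vista/2008 and later).
function Add-SingleFileExecuteAudit {
    param([string]$Target)
    $acl  = Get-Acl -Path $Target -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,   # execute only, no read auditing
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)             # success only, no failure audits
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Target -AclObject $acl
    # Show the resulting SACL so the change can be verified
    (Get-Acl -Path $Target -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}
Add-SingleFileExecuteAudit -Target '\\FILESERVER\Apps\Office\WinWord.exe'   # placeholder path
```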
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 09:38:51 PDT