Hi Sham,

If you have a Windows Server 2003 machine, install the "Security Configuration Wizard" optional component. Then search your drive for the file "scwaudit.inf", typically in %windir%\security\msscw\kbs. This is a template to detect tampering with Windows system files (configuration and binaries), and is tuned to exclude noisy files. It's only appropriate for Windows Server 2003; never tested on anything else. However, from that template you should be able to develop your own.

Best regards,
Eric

-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of Harlan Carvey
Sent: Friday, September 08, 2006 5:05 AM
To: sham ster; loganalysis@private
Subject: [logs] Re: windows file system

Sham,

> A quick question.
> If you were to monitor the windows system files
> (access etc.) and exe's.
>
> From a security point of view which ones would you
> monitor and why.
> I've been to the usual places and can't seem to get an
> answer.

When you say "monitor", are you referring to enabling auditing on objects, or process tracking via the Event Log? A great reference for files to monitor access to is a listing of the files in dllcache. Yes, these are monitored by WFP, but the only time anything happens is when you attempt to modify/delete a protected file. This is also true for wrapper Trojans, but not ADSs.

From a security perspective, though, I'd be interested in monitoring much more, to include ports that are opened. MS has a tool called PortReporter that may be of use to you.

HTH,
Harlan
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
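As an added example (not code from Eric, Harlan or the list), here is the object auditing Harlan asks about, applied to the dllcache listing he recommends, in PowerShell on a current Windows host rather than with a Server 2003 .inf template. It assumes an elevated session, that the "Audit object access" policy is already enabled, and that dllcache sits at %windir%\system32\dllcache.

```powershell
# Added example, not from the thread: put an audit SACL on every file in dllcache,
# the object-level equivalent of what Eric's scwaudit.inf template does on Server 2003.
# Assumptions: elevated session (writing a SACL needs SeSecurityPrivilege); object-access
# auditing is enabled (auditpol /set /subcategory:"File System" /success:enable /failure:enable);
# dllcache lives at %windir%\system32\dllcache.
using namespace System.Security.AccessControl

function Enable-FileTamperAudit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = (Join-Path $env:windir 'system32\dllcache'),
        [string]$Identity = 'Everyone'
    )

    # Audit the operations that change a file, not reads: reads of system binaries are
    # constant and would drown the log (the "noisy files" Eric's template tunes out).
    $rights = [FileSystemRights]'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'
    $flags  = [AuditFlags]'Success, Failure'
    $rule   = [FileSystemAuditRule]::new($Identity, $rights, $flags)

    $done = 0
    foreach ($file in Get-ChildItem -Path $Path -File -ErrorAction Stop) {
        if (-not $PSCmdlet.ShouldProcess($file.FullName, 'Add audit rule')) { continue }
        $acl = Get-Acl -Path $file.FullName -Audit   # -Audit fetches the SACL as well as the DACL
        $acl.AddAuditRule($rule)                      # merges with any existing rule for $Identity
        Set-Acl -Path $file.FullName -AclObject $acl
        $done++
    }
    "Audit rule applied to $done file(s) under $Path"
}

function Get-FileTamperAudit {
    # Lists the audit entries actually present, so the result can be verified or diffed later.
    param([string]$Path = (Join-Path $env:windir 'system32\dllcache'))
    Get-ChildItem -Path $Path -File | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -Audit
        foreach ($entry in $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])) {
            [pscustomobject]@{ File = $_.Name; Identity = $entry.IdentityReference; Rights = $entry.FileSystemRights; Flags = $entry.AuditFlags }
        }
    }
}

# Dry run first (prints what would change), then apply and verify:
Enable-FileTamperAudit -WhatIf
Enable-FileTamperAudit
Get-FileTamperAudit | Format-Table -AutoSize
```

Once the rules are in place, a modify or delete attempt on a protected file shows up as an Object Access event in the Security log even when WFP silently restores the file.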
This archive was generated by hypermail 2.1.3 : Fri Sep 08 2006 - 12:59:09 PDT