Detecting server attacks is a never-ending cycle of implementation, monitoring, testing, and then reimplementing new or updated methods. A server, like any computer, can be attacked in many ways, so relying on a single detection method is impractical. For example, a firewall that protects against external network attacks leaves the server exposed to attacks from inside the network, to worms and viruses, to flaws in the applications it runs, and even to physical theft of the machine, to name only a few. Apply detection and prevention methods to every area that affects or comes into contact with your servers. Table 13-3 lists the common attack avenues against a server and some basic recommendations for detecting each of them.

Table 13-3. Detecting Attacks

| Attack Type | Recommendation |
|---|---|
| Password guessing | Monitor and review the security logs for repeated failed login attempts. |
| Worms and viruses | Watch for inconsistent or unusual behavior from the server, and for anti-virus software warnings. |
| Application flaws (buffer overflows) | Be alert to programs or services crashing unexpectedly. |
| External network attacks | Review firewall Syslog entries or other log files for entries that look like probes or unusual traffic. Finally, review the IDS log files. |
| Internal network attacks | Review the internal Event Viewer log files and the IDS Event Viewer for signature matches. |
| Ping (ICMP) sweeps | Watch for IDS warning messages, or monitor network traffic by hand and inspect it for ICMP anomalies. |
| Server file system | On Windows NTFS file systems, enable security auditing and monitor access to local files. |
| Physical access to the server room | Monitor maintenance logs and video cameras. |
| Backups | Monitor logs for missing backup tapes. |
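The first row of the table, reviewing security logs for login attempts, is easier to show than to describe. The script below is an added example written for this edition, not code from the book or from Microsoft: it runs a simple detector over exported Windows Security log records and goes a step beyond the table by separating three patterns that look alike in raw logs: classic brute force (many failures against one account from one source), password spraying (one source trying a few passwords against many accounts), and the most urgent case, a successful logon from a source that was already hammering the server. The CSV layout (timestamp, event ID, account, source IP) and the log lines are constructed for the example; the event IDs are the real Windows ones (4625/4624 on modern Windows, 529/528 on NT, 2000 and 2003), but nothing here reads a live event log.

```python
"""Added example: detect password guessing in exported Windows Security log records.

Assumptions (not from the book): records are CSV lines with columns
timestamp,event_id,account,source_ip. Event IDs 4625 (failed logon) and 4624
(successful logon) are the Vista-and-later IDs; NT/2000/2003 logged 529 and 528.
SAMPLE_LOG below is constructed sample data, not a real capture.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

FAILED_LOGON = {"4625", "529"}
SUCCESS_LOGON = {"4624", "528"}

# Constructed sample export: a brute-force burst that ends in a success,
# one ordinary typo-then-success, and a slow spray across five accounts.
SAMPLE_LOG = """timestamp,event_id,account,source_ip
2024-03-01T02:00:01,4625,administrator,203.0.113.7
2024-03-01T02:00:03,4625,administrator,203.0.113.7
2024-03-01T02:00:05,4625,administrator,203.0.113.7
2024-03-01T02:00:07,4625,administrator,203.0.113.7
2024-03-01T02:00:09,4625,administrator,203.0.113.7
2024-03-01T02:00:12,4624,administrator,203.0.113.7
2024-03-01T09:15:00,4625,jsmith,10.0.0.25
2024-03-01T09:15:30,4624,jsmith,10.0.0.25
2024-03-01T11:00:00,4625,alice,198.51.100.9
2024-03-01T11:00:20,4625,bob,198.51.100.9
2024-03-01T11:00:40,4625,carol,198.51.100.9
2024-03-01T11:01:00,4625,dave,198.51.100.9
2024-03-01T11:01:20,4625,erin,198.51.100.9
"""


def parse_records(text):
    """Parse the CSV export into dicts with a datetime timestamp."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def detect_logon_attacks(records, window=timedelta(minutes=5),
                         fail_threshold=5, spray_accounts=5):
    """Return alerts in time order. Kinds produced:
       brute_force            - >= fail_threshold failures on one account from one
                                source within `window`
       spray                  - one source failing against >= spray_accounts distinct
                                accounts within `window`
       success_after_failures - a successful logon from a source already flagged
    A source is alerted once per kind so a long burst does not flood the output."""
    alerts = []
    recent = defaultdict(deque)   # source_ip -> deque of (timestamp, account) failures
    flagged = set()               # (source_ip, kind) pairs already reported
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        src, ts, acct = rec["source_ip"], rec["timestamp"], rec["account"]
        if rec["event_id"] in FAILED_LOGON:
            q = recent[src]
            q.append((ts, acct))
            while ts - q[0][0] > window:      # drop failures outside the sliding window
                q.popleft()
            per_account = defaultdict(int)
            for _, a in q:
                per_account[a] += 1
            worst_acct, worst = max(per_account.items(), key=lambda kv: kv[1])
            if worst >= fail_threshold and (src, "brute_force") not in flagged:
                flagged.add((src, "brute_force"))
                alerts.append({"kind": "brute_force", "source_ip": src,
                               "account": worst_acct, "count": worst, "time": ts})
            elif len(per_account) >= spray_accounts and (src, "spray") not in flagged:
                flagged.add((src, "spray"))
                alerts.append({"kind": "spray", "source_ip": src,
                               "accounts": sorted(per_account), "time": ts})
        elif rec["event_id"] in SUCCESS_LOGON:
            # A single failure followed by success (a typo) is not flagged; a success
            # from a source that already tripped an alert is the case to act on first.
            if any(s == src for s, _ in flagged):
                alerts.append({"kind": "success_after_failures", "source_ip": src,
                               "account": acct, "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_logon_attacks(parse_records(SAMPLE_LOG)):
        print(alert)
```

On the sample data this reports a brute-force alert for 203.0.113.7 against administrator, then a success-after-failures alert for the same source (the one to investigate first), and a spray alert for 198.51.100.9. The thresholds are deliberately loose; on a real domain controller tune `window` and `fail_threshold` against the account lockout policy, and remember that a spray is designed to stay under that policy, which is why counting distinct accounts per source matters as much as counting failures per account.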
Tip Microsoft provides several security tools that greatly assist in identifying weak areas within your organization. See http://www.microsoft.com/technet/Security/tools/default.mspx for tools such as the Security Risk Self Assessment tool, which produces a detailed report with recommendations on your overall security environment.