Chapter 47. Auditing and Other Monitoring Measures


SOME OF THE MAIN TOPICS IN THIS CHAPTER ARE

Unix and Linux Systems

Configuring Windows NT 4.0 Auditing Policies

Configuring Windows 2000 and Windows 2003 Auditing Policies

Auditing Windows XP Professional Computers

Novell Security

NetWare 6 Advanced Audit Service

Security for an individual computer system or for the network as a whole requires a two-pronged approach. First, you must try to ensure that all applications and data are secured against unauthorized use. This can mean anything from setting up and enforcing a good password policy to using the access mechanisms (such as resource permissions) provided by the operating system or network software to secure resources or to restrict user activity (by selectively granting or denying rights). However, no matter how good you are at this before-the-fact approach to preventing security breaches, it's almost impossible (short of taking a system off the network and locking it in a room with a guard outside) to be absolutely sure that the system is totally secure. Even if you make full use of all the rights and permissions mechanisms at your disposal to secure a system (much less the entire network), an application bug or a disgruntled employee can still compromise it.

Because you can never be certain that you've covered all your bases, it's also necessary that you follow up on your security configuration by monitoring the activities of the system. This chapter discusses the second part of securing your system: auditing techniques.

Note

For information about the mechanisms you can use to try to secure a computer and the network in the first place, see Chapter 43, "Rights and Permissions." You should be sure that you understand how to protect your system using the built-in security measures so that you will have less auditing data to wade through when you are trying to determine whether your security measures are working.

This second approach to securing the network is an important one. You should use all practical auditing features to record access to resources and to set up a policy for reviewing the data gathered on a regular basis. The degree to which you will find it necessary to gather information using the various utilities that an operating system provides depends on how important the data is on a system, or whether the system provides access to the network from the Internet. During normal operations, if you were to enable every single type of event auditing on a Windows NT/2000 or 2003 Server, you would end up with a very slow response time and with more data than you could possibly review daily. However, you can strike a compromise, depending on the particular system, and set up auditing that can be used to sufficiently record system activities and increase your audited events during times when you suspect that something might be awry.

Tip

Security issues are always a compromise. You can't lock every door, secure every file or directory, much less prevent users from misusing the system. So be careful to choose the items you monitor. If you suspect that a security incident has occurred, you can then decide to audit a wider range of events for the time required to determine the cause of a security breach. If, however, you operate in a highly secure environment where any security breach can cause damage that cannot be tolerated, then you might want to choose to audit a much wider range of events. In that case, you should configure servers with sufficient storage capacity to store logged event records, and assign one or more of your staff to review the logs daily.

Every major server operating system in use in a business environment today that is connected to a network has the capability to set up auditing for many events. Don't expect to find these capabilities with older client operating systems such as Windows 95 or 98. If you are still using these operating systems, it's time for an upgrade.

But for most operating systems, you can keep track of file and printer accesses, user logins/logouts, and other information that gives you the who, where, what, and when you'll need when you have reason to believe that a security problem exists. The methods of auditing and the tools used to make use of this data depend on the network or computer operating system. Because most networks are hybrids with multiple operating systems, it's a good idea to have an employee skilled in each OS environment who is intimately familiar with the peculiarities of each system.



Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434
