
Control and Monitor Privileged Access to your Windows Servers Jörn Dierks, Götz Walecki.





2 Control and Monitor Privileged Access to your Windows Servers Jörn Dierks, Götz Walecki

3 Agenda The need to monitor IT-based change Typical approaches to monitoring systems How NetIQ approaches change monitoring How NetIQ compares to alternative approaches Demo Questions

4 The Need to Monitor IT-based Change: Hard Lessons Learned

CardSystems' Data Left Unsecured
Kim Zetter | Wired Magazine | 22 June 2005
MasterCard International announced last Friday that intruders had accessed the data from CardSystems Solutions, a payment processing company based in Arizona, after placing a malicious script on the company's network. "Had they been following the rules and requirements, they would not have been compromised," Jones said.

Dai Nippon Printing reports client data theft
Reuters | 12 March 2007
TOKYO, March 12 (Reuters) - Japan's Dai Nippon Printing Co. said on Monday a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients including Toyota Motor Corp. Dai Nippon, one of Japan's largest commercial printing companies, said the confidential information included names, addresses and credit card numbers intended for use in direct mailing and other printing services. Dai Nippon said the employee stole client data between May 2001 and March 2006 by copying information on to floppy disks and other recording media.

TJX thieves had time to steal, trip up
By Mark Jewell | AP | 13 April 2007
TJX warned in its recent regulatory filing against expecting too much from its investigation. "We believe that we may never be able to identify much of the information believed stolen" aside from the 45.7 million cards it knows about so far, the filing said. The way TJX detected the breach — by finding what the company calls "suspicious software" on its computer systems — is an indication not only of the hackers' skill in avoiding detection for so long but also holes in TJX's security, experts say.

5 Years Undetected | Theft by insider
8 Months Undetected | Internet-based theft
17 Months Undetected | Theft via wireless access
These breaches occurred over long periods of time and took different threat vectors.

5 Typical Approaches to Monitoring Change

Approach | How it works
Native Object-Level File Auditing | Auditing is first enabled at the system policy level; then each individual folder and file that should be audited has to be configured separately.
File Integrity Checkers | The checker computes a checksum (hash) for every monitored file and compares each subsequent run to the previous baseline.
Kernel Shims | Vendor software applied to core operating system files (i.e., the kernel), which then monitors core system instructions to identify events.

6 How NetIQ Approaches Change: NetIQ Change Guardian for Windows
What is it?
–Detects the activities of, and changes implemented by, privileged-level users across your Windows Servers
–A module of Security Manager that delivers real-time and historic audit of Windows servers
Why is it important?
–Delivers high-fidelity change and activity information WITHOUT requiring native auditing, across:
Files & Folders [Create, Delete, Move to Recycle Bin, Rename, Move, Change Permissions, Change Ownership, Read]
Shares [Create, Delete, Modify]
Registry Keys [Create Key, Delete Key, Create Value, Delete Value, Modify Value]
Processes [Started, Terminated]

7 Change Guardian for Windows Overview
Windows Monitoring
–Monitors system changes without Windows auditing enabled, via a File System Filter Driver
–Monitors Files, Registry Keys, Processes and File Shares
Event Notification Details:
–Before and After values are supplied for each change
–Changes are identified as Managed/Unmanaged
–Similar changes are consolidated before being sent
Managed/Unmanaged Forensic Reports
Rules Configuration
–Alert escalation based on rule
–Enterprise rule deployment
–Synchronization with Active Directory

8 Change Guardian for Windows Components
File System Filter Driver – A kernel-level driver that passively observes I/O requests in the OS, selected by filter rules
–"A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend functionality provided by the original target of the request." (MSDN)
Configuration Wizard – The console for configuring and deploying the filters that the File System Filter Driver uses to collect change information.
NetIQ Security Manager – CGW leverages Security Manager's enterprise-level three-tier architecture to provide storage, secure communications and reporting.

9 Change Guardian for Windows Architecture

10 Advantages of a File System Filter Driver
Based on a supported API from Microsoft
–Uses an industry-supported file system filter driver (FSFD) that removes unnecessary risks to system availability
–The FSFD approach drastically reduces server utilization and improves system performance
CGW is notified of an event as it is in progress
–Able to produce the values of the change both before and after the change occurs
–Real-time monitoring: who did it, with increased fidelity
Events can be consolidated before sending
–Noise reduction
Does not require native auditing

11 Configuration
A single wizard allows you to create filters for:
–Files, File Shares, Registry Keys and Processes
Rules can be restricted by:
–Users / Groups (local or domain level)
–Computer
–Time
Filter Deployment wizard
–Synchronizes with Active Directory to maintain group membership
–Publishes rules to the enterprise
–Automatically determines which rules apply to a computer

12 Leveraging NetIQ Security Manager
Events are consolidated into the Log Manager along with the rest of your data
Events are normalized to the IDMEF format
Secure, fault-tolerant communication
Enterprise Deployment Wizard
Forensic and Trend Reporting
Event Correlation

13 Native Object-Level File Auditing
Definition – Auditing set at the system policy level via object access, plus per-object configuration for the folders and files that need to be audited
How CGW compares:
–Clearly states what has occurred on the system
–Provides before and after values for events
–Consolidates events to reduce noise
–Central configuration of auditing for the enterprise
–Better visibility into the details of the change
–Lightweight solution

14 Native Object Access Example: native events when writing to a file with Notepad
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\test\test.txt
New Handle ID: 120
Operation ID: {0,33974}
Process ID: 2152772960
Primary User Name: Administrator
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x19E5)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses:
READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
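The slide above shows the Windows 2000/2003-era event 560 ("Object Open"); on Windows Server 2008 and later the same access is logged as event 4656 (handle requested) followed by 4663 (access attempted), with the same "accesses" list encoded as an access mask. The PowerShell below is an added example, not from the NetIQ deck, showing the two configuration layers the deck's table describes (audit policy first, then a SACL on the folder) and what native auditing returns for a single write. The folder C:\test and file test.txt come from the slide; the audit rights, the use of Everyone as the audited principal and the event filter are my choices. Run it in an elevated session, since reading the Security log and writing a SACL both need it.

```powershell
# Added example (not from the NetIQ deck): configure native object-level file
# auditing for one folder and read back the events it produces.
# Assumption: the monitored folder is C:\test, as on the slide.

$Target = 'C:\test'
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# 1. Policy level: enable the "File System" object-access subcategory.
#    Without this, a SACL on a folder produces no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Object level: add a SACL entry so that writes, deletes and permission or
#    ownership changes by anyone are audited. This step has to be repeated (or
#    inherited) for every folder you care about, which is the deck's point.
$acl  = Get-Acl -Path $Target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Make one change, the way the slide does with Notepad.
Add-Content -Path "$Target\test.txt" -Value 'hello'

# 4. Read what native auditing recorded. One write yields a 4656 for the handle
#    plus one 4663 per distinct access; none of them carries the old or new
#    file content, only the principal, process and access mask.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$Target*" }

$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Id         = $_.Id
        User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process    = $d.ProcessName
        Object     = $d.ObjectName
        AccessMask = $d.AccessMask
    }
} | Format-Table -AutoSize
```

Two things this makes visible. First, auditing Everyone on a busy share drowns the Security log in 4663 events from normal users, so in practice the SACL is narrowed to administrative principals or a few sensitive paths; second, the access mask tells you a handle with WriteData was used, not what changed, which is why the deck contrasts it with before/after values.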

15 File Integrity Checkers
Definition – The checker computes and stores a checksum (hash) and metadata for every monitored file, and compares each subsequent run to the previous baseline.
How CGW compares:
–Does not require a cache of file data to deliver before and after values
–Changes are tracked in real time instead of at a scheduled audit
–Enterprise rules-based configuration
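To make the comparison concrete, here is a minimal file integrity checker of the kind the slide describes, as an added example that is not part of the deck and not any vendor's code. It hashes every file under a root together with some metadata (owner and DACL in SDDL form), stores the result as a JSON baseline, and on the next run reports what was added, removed or modified. The root C:\test and the baseline location C:\ProgramData\fim-baseline.json are assumptions for the illustration.

```powershell
# Added example (not from the NetIQ deck): a scheduled-run file integrity
# checker. Assumptions: monitored root C:\test, baseline stored as JSON in
# C:\ProgramData\fim-baseline.json.

function Get-FimSnapshot {
    param([string]$Root)
    $snap = @{}
    Get-ChildItem -Path $Root -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $acl = Get-Acl -Path $_.FullName
        $snap[$rel] = [ordered]@{
            Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Length  = $_.Length
            Written = $_.LastWriteTimeUtc.ToString('o')
            Owner   = $acl.Owner     # the "META information" the slide mentions
            Sddl    = $acl.Sddl      # DACL/owner in SDDL, so permission changes show up too
        }
    }
    return $snap
}

function Compare-FimSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($p in $Current.Keys) {
        if (-not $Baseline.ContainsKey($p)) {
            $changes += [pscustomobject]@{ Path = $p; Change = 'Added'; Detail = $Current[$p].Sha256 }
            continue
        }
        $b = $Baseline[$p]; $c = $Current[$p]
        foreach ($k in 'Sha256', 'Owner', 'Sddl') {
            if ($b.$k -ne $c.$k) {
                # What a checker cannot report: who made the change, when between
                # the two runs it happened, and the old content (only its hash
                # was kept, not the bytes), unless a copy of every file is cached.
                $changes += [pscustomobject]@{ Path = $p; Change = "Modified:$k"; Detail = "$($b.$k) -> $($c.$k)" }
            }
        }
    }
    foreach ($p in $Baseline.Keys) {
        if (-not $Current.ContainsKey($p)) {
            $changes += [pscustomobject]@{ Path = $p; Change = 'Removed'; Detail = $Baseline[$p].Sha256 }
        }
    }
    return $changes
}

$Root         = 'C:\test'
$BaselinePath = 'C:\ProgramData\fim-baseline.json'

$current = Get-FimSnapshot -Root $Root
if (Test-Path -Path $BaselinePath) {
    # ConvertFrom-Json returns a PSCustomObject; rebuild the hashtable keyed by path.
    $json = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $baseline = @{}
    foreach ($prop in $json.PSObject.Properties) { $baseline[$prop.Name] = $prop.Value }
    Compare-FimSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
} else {
    Write-Host "No baseline at $BaselinePath; writing the first one."
}
# Every run re-hashes the whole tree and then becomes the new baseline.
$current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
```

The baseline file is the weak point of this design: an administrator who can change the monitored files can also rewrite fim-baseline.json, so in production it is signed or kept off-host. The full re-hash on every run is the server-utilization cost the deck contrasts with a filter driver that only sees the files that actually change.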

16 Kernel Shims
Definition – Vendor software applied to core operating system files (i.e., the kernel), which then monitors core system instructions to identify events
How CGW compares:
–CGW is based on a supported API from Microsoft
–CGW is completely passive in how it monitors changes
–Dramatically reduced risk of a blue screen (kernel crash), since no unsupported patching of kernel code is involved

17 Additional Features
Managed / Unmanaged event classification
–Specify the AD users authorized to make changes
–Integration with Change Administrator automatically turns on monitoring for connected sessions
Alert Escalation
–Based on rule definition
–Automated response
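The rule matching of slide 11 (filters restricted by user or group, computer and time), the managed/unmanaged classification of slide 17 and the consolidation of similar events from slide 7 are easier to reason about in code. The following PowerShell is an added example, not from the deck and not NetIQ's implementation: it runs a small rule set over constructed change events, merges bursts of identical changes into one event that keeps the first "before" and the last "after" value, and labels each result managed or unmanaged. Every user, group, host, path, time and value below is made up, and the hashtable standing in for Active Directory group membership is an assumption about how the AD synchronisation would feed the rules.

```powershell
# Added example (not from the NetIQ deck): rule matching, managed/unmanaged
# classification and event consolidation over constructed change events.
# All names, groups, hosts, paths and times are fabricated for the illustration.

# Rules (slide 11): who may change what, on which computers, in which time window.
$Rules = @(
    [pscustomobject]@{
        Name       = 'web-config-change-window'
        PathLike   = 'C:\inetpub\*\web.config'
        Principals = @('DOMAIN\WebAdmins')             # user or group, local or domain
        Computers  = @('WEB01', 'WEB02')
        From       = [timespan]'22:00'; To = [timespan]'23:59'   # local time window
    },
    [pscustomobject]@{
        Name       = 'registry-run-keys'
        PathLike   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*'
        Principals = @('DOMAIN\svc-deploy')
        Computers  = @('*')
        From       = [timespan]'00:00'; To = [timespan]'23:59'
    }
)

# Assumed stand-in for the AD synchronisation: memberships resolved ahead of time.
$GroupMembership = @{
    'DOMAIN\alice'      = @('DOMAIN\WebAdmins')
    'DOMAIN\bob'        = @()
    'DOMAIN\svc-deploy' = @()
}

function Test-RuleMatch {
    param($Rule, $Change)
    $principals = @($Change.User) + @($GroupMembership[$Change.User])
    $tod = $Change.Time.TimeOfDay
    return (
        ($Change.Path -like $Rule.PathLike) -and
        (($Rule.Computers -contains '*') -or ($Rule.Computers -contains $Change.Computer)) -and
        (@($principals | Where-Object { $Rule.Principals -contains $_ }).Count -gt 0) -and
        ($tod -ge $Rule.From -and $tod -le $Rule.To)
    )
}

# Slide 17: a change is "managed" only if some rule authorises this principal,
# on this computer, at this time; everything else is "unmanaged".
function Get-ChangeClass {
    param($Change)
    foreach ($r in $Rules) {
        if (Test-RuleMatch -Rule $r -Change $Change) { return "Managed ($($r.Name))" }
    }
    return 'Unmanaged'
}

# Slide 7: consolidate a burst of identical changes (same user, computer, object,
# operation within a few seconds) into one event keeping first Before / last After.
function Merge-ChangeEvents {
    param([object[]]$Events, [int]$WindowSeconds = 5)
    $out = @()
    foreach ($e in ($Events | Sort-Object Time)) {
        $last = if ($out.Count) { $out[-1] } else { $null }
        if ($last -and $last.User -eq $e.User -and $last.Computer -eq $e.Computer -and
            $last.Path -eq $e.Path -and $last.Operation -eq $e.Operation -and
            ($e.Time - $last.Time).TotalSeconds -le $WindowSeconds) {
            $last.After = $e.After
            $last.Occurrences++
        } else {
            $out += [pscustomobject]@{
                Time = $e.Time; User = $e.User; Computer = $e.Computer; Path = $e.Path
                Operation = $e.Operation; Before = $e.Before; After = $e.After; Occurrences = 1
            }
        }
    }
    return $out
}

# Constructed events: alice's three rapid Notepad saves in the window, bob's
# edit outside it, a deployment account writing a Run key, and alice changing
# permissions during the day.
$Changes = @(
    [pscustomobject]@{ Time = [datetime]'2024-05-01T22:15:01'; Computer = 'WEB01'; User = 'DOMAIN\alice'; Path = 'C:\inetpub\site\web.config'; Operation = 'Modify'; Before = 'debug="false"'; After = 'debug="true"' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T22:15:02'; Computer = 'WEB01'; User = 'DOMAIN\alice'; Path = 'C:\inetpub\site\web.config'; Operation = 'Modify'; Before = 'debug="true"';  After = 'debug="true" trace="on"' }
    [pscustomobject]@{ Time = [datetime]'2024-05-01T22:15:04'; Computer = 'WEB01'; User = 'DOMAIN\alice'; Path = 'C:\inetpub\site\web.config'; Operation = 'Modify'; Before = 'debug="true" trace="on"'; After = 'debug="false" trace="on"' }
    [pscustomobject]@{ Time = [datetime]'2024-05-02T03:02:10'; Computer = 'WEB01'; User = 'DOMAIN\bob';   Path = 'C:\inetpub\site\web.config'; Operation = 'Modify'; Before = 'debug="false" trace="on"'; After = 'debug="false"' }
    [pscustomobject]@{ Time = [datetime]'2024-05-02T09:30:00'; Computer = 'APP07'; User = 'DOMAIN\svc-deploy'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater'; Operation = 'Create Value'; Before = $null; After = 'C:\Program Files\Updater\upd.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-05-02T10:05:00'; Computer = 'WEB01'; User = 'DOMAIN\alice'; Path = 'C:\inetpub\site\web.config'; Operation = 'Change Permissions'; Before = 'O:BAG:SYD:(A;;FA;;;BA)'; After = 'O:BAG:SYD:(A;;FA;;;BA)(A;;FA;;;WD)' }
)

Merge-ChangeEvents -Events $Changes | ForEach-Object {
    $_ | Add-Member -NotePropertyName Class -NotePropertyValue (Get-ChangeClass -Change $_) -PassThru
} | Format-Table Time, Computer, User, Operation, Path, Occurrences, Class, Before, After -AutoSize
```

Run as written, alice's three saves collapse into one managed event with Occurrences 3 whose Before is the original value and whose After is the final one; bob's 03:02 edit and alice's daytime permission change come out unmanaged, the first because bob is in no authorised group, the second because it falls outside the rule's time window. That second case is what "identifies where change controls may have been circumvented" means in practice: an authorised person acting outside the agreed window.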

18 Why NetIQ Change Guardian for Windows?
Provides powerful, real-time change monitoring
–Detects changes across files and directories, shares, registry entries, and system processes
Eliminates the need for native object-level auditing
–Uses an industry-supported file system filter driver (FSFD) that removes unnecessary risks to system availability
–The FSFD approach drastically reduces server utilization and improves system performance
Validates and enforces change control processes
–Categorizes changes as "managed" versus "unmanaged"
–Identifies where change controls may have been circumvented
Centrally records and audits all changes
–Consolidates and archives change events from across the enterprise for subsequent analysis
–Enables detailed reporting and analysis to identify trends and perform in-depth root-cause analysis
Delivers comprehensive change reporting
–Captures pre- and post-change values
–Provides change reports based on one or more users or computers
Works with a broader solution for Windows change control
–Extends the award-winning NetIQ Security Manager platform
–Augments NetIQ Change Administrator for Windows, dynamically monitoring administrative sessions and enhancing administrator activity reporting

19 Demo Change Guardian for Windows

20 Thank you! Q & A





