Control and Monitor Privileged Access to your Windows Servers

Jörn Dierks, Götz Walecki

Date post: 18-Dec-2015

Agenda

• The need to monitor IT-based change
• Typical approaches to monitoring systems
• How NetIQ approaches change monitoring
• How NetIQ compares to alternative approaches
• Demo
• Questions

CardSystems' Data Left Unsecured
Kim Zetter | Wired Magazine | 22 June 2005

MasterCard International announced last Friday that intruders had accessed the data from CardSystems Solutions, a payment processing company based in Arizona, after placing a malicious script on the company's network.

"Had they been following the rules and requirements, they would not have been compromised," Jones said.

Dai Nippon Printing reports client data theft
Reuters | 12 March 2007

TOKYO, March 12 (Reuters) - Japan's Dai Nippon Printing Co. said on Monday a former contract worker stole nearly 9 million pieces of private data on customers from 43 clients including Toyota Motor Corp.

Dai Nippon, one of Japan's largest commercial printing companies, said the confidential information included names, addresses and credit card numbers intended for use in direct mailing and other printing services.

Dai Nippon said the employee stole client data between May 2001 and March 2006 by copying information on to floppy disks and other recording media.

TJX thieves had time to steal, trip up
By Mark Jewell | AP | 13 April 2007

TJX warned in its recent regulatory filing against expecting too much from its investigation. "We believe that we may never be able to identify much of the information believed stolen" aside from the 45.7 million cards it knows about so far, the filing said.

The way TJX detected the breach — by finding what the company calls "suspicious software" on its computer systems — is an indication not only of the hackers' skill in avoiding detection for so long but also holes in TJX's security, experts say.

The Need to Monitor IT-based Change
Hard Lessons Learned

5 Years Undetected | Theft by insider
8 Months Undetected | Internet-based theft
17 Months Undetected | Theft via wireless access

These breaches occurred over long periods of time and took different threat vectors.

Typical Approaches to Monitoring Change

Approach | How it works
Native Object-Level File Auditing | Auditing is initially set at the system policy level, and then individual folders and files need to be configured to be audited.
File Integrity Checkers | The checker computes a checksum (hash) for every monitored file and compares each subsequent run to the previous baseline.
Kernel Shims | Vendor software applied to core operating system files (i.e., the kernel), which then monitors core system instructions to identify events.

How NetIQ Approaches Change
NetIQ Change Guardian for Windows

• What is it?
  – Detects the activities of, and changes implemented by, privileged-level users across your Windows Servers
  – A module of Security Manager that delivers real-time and historic audit of Windows servers
• Why is it important?
  – Delivers a high fidelity of change and activity information WITHOUT requiring native auditing across:
    • Files & Folders [Create, Delete, Move to Recycle Bin, Rename, Move, Change Permissions, Change Ownership, Read]
    • Shares [Create, Delete, Modify]
    • Registry Keys [Create Key, Delete Key, Create Value, Delete Value, Modify Value]
    • Processes [Started, Terminated]

Change Guardian for Windows
Overview

• Windows Monitoring
  – Monitors system changes without Windows auditing enabled, via a File System Filter Driver
  – Monitors Files, Registry Keys, Processes and File Shares
• Event Notification Details
  – Before and After values are supplied for each change
  – Changes are identified as Managed/Unmanaged
  – Similar changes are consolidated before being sent
• Managed/Unmanaged Forensic Reports
• Rules Configuration
  – Alert escalation based on rule
  – Enterprise rule deployment
  – Synchronization with Active Directory

Change Guardian for Windows
Components

• File System Filter Driver – A kernel-level driver that passively monitors messages in the OS based on filter rules.
  – “A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend functionality provided by the original target of the request.” (MSDN)
• Configuration Wizard – The console for configuring and deploying filters that the File System Filter Driver will use to collect change information.
• NetIQ Security Manager – CGW leverages Security Manager's enterprise-level three-tier architecture to provide storage, secure communications and reporting.

Change Guardian for Windows
Architecture

[Architecture diagram; only its labels survive extraction. Monitored Server: File System Filter Driver (File System, Registry, Process), Config Registry, CG Programmable Provider Plugin, SM Agent, with arrows labelled Config, Change, Events and IOCTL. SM Central Computer: CG Service (Poll Change Administrator, Expand SM Computer Groups), OnePoint, LM Config, LM Summary, Daily Log DBs, Events, Alerts. SM Configuration Wizard with CG Pages; SM Analysis Console with CG Reports. Arrows labelled Config, Events and Data connect the monitored server, the central computer and the consoles.]

Advantages of a File System Filter Driver

• Based on a supported API from Microsoft
  – Uses an industry-supported file system filter driver (FSFD) that removes unnecessary risks to system availability
  – The FSFD approach drastically reduces server utilization and improves system performance
• CGW is notified of an event as it is in progress
  – Able to produce the values of the change both before and after the change occurs
  – Real-time monitoring
• Who did it, with increased fidelity
• Events can be consolidated before sending
  – Noise reduction
• Does not require native auditing
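The consolidation step named here and on the Overview slide ("Similar changes are consolidated before being sent") can be illustrated with a small Python example. This is added code, not NetIQ's: it takes a constructed stream of change events and collapses the ones that share user, computer, object and operation within a short window into a single record that keeps the count, the first "before" value and the last "after" value. The event fields, the five-second window and the sample stream are assumptions made for this example.

```python
"""Consolidate bursts of similar change events before forwarding them.

Added example (not NetIQ code). A single "save" from an editor typically
surfaces as several write events on the same file in quick succession; a
change monitor that forwards each one floods the analyst. Grouping by
(computer, user, object, operation) inside a time window turns the burst
into one record that still carries before/after state and a count.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW_SECONDS = 5.0  # assumed consolidation window


@dataclass
class ChangeEvent:
    ts: float               # seconds since epoch (constructed values below)
    computer: str
    user: str
    obj: str                # file path, registry key, share or process name
    op: str                 # e.g. "WriteData", "SetValue"
    before: Optional[str] = None
    after: Optional[str] = None


@dataclass
class ConsolidatedEvent:
    first_ts: float
    last_ts: float
    computer: str
    user: str
    obj: str
    op: str
    count: int
    before: Optional[str]   # state before the first event of the group
    after: Optional[str]    # state after the last event of the group


def consolidate(events: List[ChangeEvent],
                window: float = WINDOW_SECONDS) -> List[ConsolidatedEvent]:
    """Group events with the same key that arrive within `window` seconds."""
    out: List[ConsolidatedEvent] = []
    open_groups: Dict[Tuple[str, str, str, str], int] = {}  # key -> index in out
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.computer, ev.user, ev.obj, ev.op)
        idx = open_groups.get(key)
        if idx is not None and ev.ts - out[idx].last_ts <= window:
            g = out[idx]
            g.last_ts = ev.ts
            g.count += 1
            g.after = ev.after          # keep only the final state
        else:
            out.append(ConsolidatedEvent(ev.ts, ev.ts, ev.computer, ev.user,
                                         ev.obj, ev.op, 1, ev.before, ev.after))
            open_groups[key] = len(out) - 1
    return out


# Constructed sample stream: three writes from one editor save, an unrelated
# registry change, then a later write on the same file outside the window.
SAMPLE_STREAM = [
    ChangeEvent(100.0, "SRV01", "DOMAIN\\Administrator", "C:\\test\\test.txt", "WriteData", "hello", "hello w"),
    ChangeEvent(100.2, "SRV01", "DOMAIN\\Administrator", "C:\\test\\test.txt", "WriteData", "hello w", "hello wor"),
    ChangeEvent(100.5, "SRV01", "DOMAIN\\Administrator", "C:\\test\\test.txt", "WriteData", "hello wor", "hello world"),
    ChangeEvent(101.0, "SRV01", "DOMAIN\\svc-backup", "HKLM\\SOFTWARE\\Backup\\Schedule", "SetValue", "02:00", "03:00"),
    ChangeEvent(120.0, "SRV01", "DOMAIN\\Administrator", "C:\\test\\test.txt", "WriteData", "hello world", "hello world\n"),
]


def demo() -> List[ConsolidatedEvent]:
    """Five raw events become three records."""
    return consolidate(SAMPLE_STREAM)


if __name__ == "__main__":
    for g in demo():
        print(f"{g.user} {g.op} {g.obj} x{g.count}: {g.before!r} -> {g.after!r}")
```

The window is closed by time only, so a slow trickle of edits to one file over minutes still produces one record per window; if the rule's intent is per-session grouping instead, the key would need the logon ID from the event rather than just the user name.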


Configuration

• A single wizard allows you to create filters for:
  – Files, File Shares, Registry Keys and Processes
• Rules can be restricted by:
  – Users / Groups (local or domain level)
  – Computer
  – Time
• Filter Deployment wizard
  – Synchronizes with Active Directory to maintain group membership
  – Publishes rules to the enterprise
  – Automatically determines which rules apply to a computer

Leveraging NetIQ Security Manager

• Events are consolidated into the Log Manager along with the rest of your data
• Events are normalized to IDMEF format
• Secure, fault-tolerant communication
• Enterprise Deployment Wizard
• Forensic and Trend Reporting
• Event Correlation

Native Object-Level File Auditing

• Definition – Auditing set at the system policy level via object access, for folders and files that need to be audited
• How CGW compares:
  – Clearly states what has occurred on the system
  – Provides before and after values for events
  – Consolidates events to reduce noise
  – Central configuration of auditing for the enterprise
  – Better visibility into the details of the change
  – Lightweight solution

Native Object Access
Example: Native events when writing to a file with Notepad

Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\test\test.txt
  New Handle ID: 120
  Operation ID: {0,33974}
  Process ID: 2152772960
  Primary User Name: Administrator
  Primary Domain: DOMAIN
  Primary Logon ID: (0x0,0x19E5)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses: READ_CONTROL
    SYNCHRONIZE
    ReadData (or ListDirectory)
    WriteData (or AddFile)
    AppendData (or AddSubdirectory or CreatePipeInstance)
    ReadEA
    WriteEA
    ReadAttributes
    WriteAttributes
  Privileges: -
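To make the "clearly states what has occurred" comparison concrete, here is an added Python example (not from the deck or from NetIQ) that parses the native record above into fields and reduces it to the single line an analyst actually wants. The field names and the sample record are the slide's; the split of access rights into "write" and "read" groups is an assumption made for this example.

```python
"""Parse a native Windows object-access audit record into structured fields.

Added example, not from the deck or from NetIQ. The native record needs a
dozen fields and a list of access rights to express "Administrator wrote to
test.txt"; this parser extracts who opened which object with which rights
and summarises it on one line.
"""
import re

# Constructed sample: the slide's record, one field per line.
SAMPLE_EVENT = """Object Open:
Object Server: Security
Object Type: File
Object Name: C:\\test\\test.txt
New Handle ID: 120
Operation ID: {0,33974}
Process ID: 2152772960
Primary User Name: Administrator
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x19E5)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
"""

# "Field Name: value"; a field name never contains a colon.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")

# Access rights that alter the object (assumed grouping for this example).
WRITE_RIGHTS = {"WriteData", "AppendData", "WriteEA", "WriteAttributes",
                "DELETE", "WriteDAC", "WriteOwner"}


def parse_object_event(text):
    """Return the header fields as a dict plus the rights list under 'Accesses'."""
    fields = {}
    accesses = []
    in_accesses = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_accesses = key == "Accesses"
            if in_accesses:
                if value:
                    accesses.append(value)
            elif value:
                fields[key] = value
            else:
                fields["Event"] = key          # "Object Open:" names the record
            continue
        if in_accesses:                        # continuation lines of the list
            accesses.append(line)
    # Drop the "(or ListDirectory)" aliases to get bare right names.
    fields["Accesses"] = [a.split(" (")[0] for a in accesses]
    return fields


def summarize(fields):
    """Reduce the record to one line: who opened what, for reading or writing."""
    user = fields.get("Primary User Name", "?")
    domain = fields.get("Primary Domain", "-")
    who = f"{domain}\\{user}" if domain != "-" else user
    kind = "write" if set(fields["Accesses"]) & WRITE_RIGHTS else "read"
    return (f"{who} opened {fields.get('Object Name', '?')} for {kind} "
            f"(pid {fields.get('Process ID', '?')})")


if __name__ == "__main__":
    parsed = parse_object_event(SAMPLE_EVENT)
    print(parsed)
    print(summarize(parsed))
```

Note what the native record still cannot tell you even after parsing: the content before and after the write is absent, and a single Notepad save produces several such records, which is the gap the consolidation and before/after bullets above are about.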

Page 15: Control and Monitor Privileged Access to your Windows Servers Jörn Dierks, Götz Walecki.

File Integrity Checkers

• Definition – The checker computes and stores a checksum (hash) and META information for every monitored file, and compares each subsequent run to the previous baseline.
• How CGW compares:
  – Does not require a cache of file data to deliver before and after values
  – Changes are tracked in real time instead of by a scheduled audit
  – Enterprise rules-based configuration
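The approach described in the "File Integrity Checkers" row of the Typical Approaches table and restated on this slide is easy to show in code. The following Python is an added example, not code from the deck or from NetIQ: it fingerprints every file under a directory (hash plus size and mtime), stores the baseline, and on the next run reports added, removed and modified files. The sample tree, the choice of SHA-256 and the JSON baseline format are assumptions made for this example; the scenario in demo() also shows the limitation the slide contrasts with CGW, namely that a scheduled checker knows a hash changed but not the prior content or who changed it.

```python
"""Minimal file integrity checker: hash + metadata baseline, diffed per run.

Added example, not code from the deck or from NetIQ. Compute a checksum
(hash) and metadata for every monitored file, persist it, and compare each
later run against that baseline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Hash the content and keep the metadata a checker typically stores."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(root) -> dict:
    """Fingerprint every regular file under `root`, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(previous: dict, current: dict) -> dict:
    """Classify the differences between two baselines."""
    prev_keys, cur_keys = set(previous), set(current)
    modified = sorted(
        p for p in prev_keys & cur_keys
        if previous[p]["sha256"] != current[p]["sha256"]
        or previous[p]["size"] != current[p]["size"]
    )
    return {"added": sorted(cur_keys - prev_keys),
            "removed": sorted(prev_keys - cur_keys),
            "modified": modified}


def save_baseline(baseline: dict, path) -> None:
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed scenario: baseline a tree, change it, re-scan, report."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "tree"
        store = Path(tmp) / "baseline.json"   # kept outside the monitored tree
        (tree / "config").mkdir(parents=True)
        (tree / "config" / "app.ini").write_text("debug=0\n")
        (tree / "config" / "banner.txt").write_text("welcome\n")
        save_baseline(build_baseline(tree), store)
        # Between two scheduled runs: one file edited, one added, one removed.
        # The checker sees the new hash but has neither the old content nor
        # the identity of whoever made the change.
        (tree / "config" / "app.ini").write_text("debug=1\n")
        (tree / "config" / "startup.cmd").write_text("echo hi\n")
        (tree / "config" / "banner.txt").unlink()
        return compare(load_baseline(store), build_baseline(tree))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Comparing on hash and size rather than mtime alone matters: mtime can be set back by anyone who can write the file, while a content hash cannot be made to agree without reproducing the original bytes.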


Kernel Shims

• Definition – Vendor software applied to core operating system files (i.e., the kernel), which then monitors core system instructions to identify events
• How CGW compares:
  – CGW is based on a supported API from Microsoft
  – CGW is completely passive in how it monitors changes
  – Dramatically reduced risk of blue screening

Additional Features

• Managed / Unmanaged event classification
  – Specify AD users authorized to make changes
  – Integration with Change Administrator automatically turns on monitoring for connected sessions
• Alert Escalation
  – Based on rule definition
  – Automated response
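The rule restrictions listed on the Configuration slide (users/groups, computer, time) and the managed/unmanaged classification described here combine naturally into one evaluation routine. The following Python is an added example, not NetIQ code: a rule names the objects and operations it covers, optionally limits itself to certain principals, computers and hours, and carries the set of AD users or groups authorized to make that change; each change that matches a rule is then labelled managed or unmanaged. The group-membership dict stands in for what the product synchronizes from Active Directory; the rule fields, the hours representation, the fnmatch-style object patterns and the sample data are all assumptions made for this example.

```python
"""Evaluate monitoring rules and classify a change as managed or unmanaged.

Added example, not NetIQ code. A change is "managed" when the user who made
it is (directly or via group) in the rule's authorized set, "unmanaged"
otherwise; rules can additionally be restricted by principal, computer and
time of day.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for AD group membership (group -> members).
AD_GROUPS: Dict[str, Set[str]] = {
    "DOMAIN\\Server Admins": {"DOMAIN\\alice", "DOMAIN\\bob"},
    "DOMAIN\\Backup Operators": {"DOMAIN\\svc-backup"},
}


@dataclass
class Rule:
    name: str
    object_pattern: str                       # fnmatch pattern over file/registry path
    operations: Set[str]
    principals: Set[str] = field(default_factory=set)  # users/groups; empty = anyone
    computers: Set[str] = field(default_factory=set)   # empty = every computer
    hours: Optional[Tuple[time, time]] = None          # fire only inside this window
    authorized: Set[str] = field(default_factory=set)  # whose changes count as managed


@dataclass
class Change:
    when: datetime
    computer: str
    user: str
    obj: str
    op: str


def principal_matches(user: str, principals: Set[str], groups=AD_GROUPS) -> bool:
    """True if `user` is named directly or through one of the listed groups."""
    if user in principals:
        return True
    return any(user in groups.get(g, set()) for g in principals)


def rule_applies(rule: Rule, ch: Change) -> bool:
    """Apply the object, operation, computer, time and principal restrictions."""
    if not fnmatch(ch.obj.lower(), rule.object_pattern.lower()):
        return False
    if ch.op not in rule.operations:
        return False
    if rule.computers and ch.computer not in rule.computers:
        return False
    if rule.hours:
        start, end = rule.hours
        t = ch.when.time()
        # A window such as 18:00-07:00 wraps past midnight.
        inside = start <= t <= end if start <= end else (t >= start or t <= end)
        if not inside:
            return False
    return not rule.principals or principal_matches(ch.user, rule.principals)


def classify(rules: List[Rule], ch: Change) -> List[Tuple[str, str]]:
    """Return (rule name, 'managed' | 'unmanaged') for every rule that fires."""
    hits = []
    for r in rules:
        if rule_applies(r, ch):
            managed = bool(r.authorized) and principal_matches(ch.user, r.authorized)
            hits.append((r.name, "managed" if managed else "unmanaged"))
    return hits


# Constructed rules and changes.
RULES = [
    Rule("Web config edits", "C:\\inetpub\\*\\web.config", {"WriteData", "Delete", "Rename"},
         computers={"WEB01", "WEB02"}, authorized={"DOMAIN\\Server Admins"}),
    Rule("After-hours service changes", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\*",
         {"SetValue", "CreateKey", "DeleteKey"},
         hours=(time(18, 0), time(7, 0)), authorized={"DOMAIN\\svc-backup"}),
]
SVC_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\BackupSvc\\Start"
SAMPLE_CHANGES = [
    Change(datetime(2024, 3, 4, 10, 0), "WEB01", "DOMAIN\\alice", "C:\\inetpub\\site1\\web.config", "WriteData"),
    Change(datetime(2024, 3, 4, 10, 5), "WEB01", "DOMAIN\\carol", "C:\\inetpub\\site1\\web.config", "WriteData"),
    Change(datetime(2024, 3, 4, 2, 0), "WEB01", "DOMAIN\\svc-backup", SVC_KEY, "SetValue"),
    Change(datetime(2024, 3, 4, 12, 0), "WEB01", "DOMAIN\\alice", SVC_KEY, "SetValue"),
    Change(datetime(2024, 3, 4, 10, 0), "FILE01", "DOMAIN\\alice", "C:\\inetpub\\site1\\web.config", "WriteData"),
]


def demo() -> List[List[Tuple[str, str]]]:
    return [classify(RULES, ch) for ch in SAMPLE_CHANGES]


if __name__ == "__main__":
    for ch, hits in zip(SAMPLE_CHANGES, demo()):
        print(ch.user, ch.op, ch.obj, "->", hits or "no rule")
```

An empty authorized set deliberately means nobody is authorized, so a rule that forgets to list approvers flags every matching change as unmanaged rather than silently accepting all of them.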


Why NetIQ Change Guardian for Windows?

• Provides powerful, real-time change monitoring

– Detects changes across files and directories, shares, registry entries, and system processes

• Eliminates the need for native object-level auditing

– Uses an industry supported file system filter driver (FSFD) that removes unnecessary risks to system availability

– FSFD approach drastically reduces server utilization and improves system performance

• Validates and enforces change control processes

– Categorizes changes as “managed” versus “unmanaged”

– Identifies where change controls may have been circumvented

• Centrally records and audits all changes

– Consolidates and archives change events from across the enterprise for subsequent analysis

– Enables detailed reporting and analysis to identify trends and perform in-depth root-cause analysis

• Delivers comprehensive change reporting

– Captures pre- and post-change values

– Provides change reports based on one or more users or computers

• Works with a broader solution for Windows change control

– Extends the award-winning NetIQ Security Manager platform

– Augments NetIQ Change Administrator for Windows, dynamically monitoring administrative sessions and enhancing administrator activity reporting


Demo

Change Guardian for Windows

Thank you!

Q & A