Upgrading and Repairing Networks

Chapter 43. Auditing and Other Monitoring Measures

SOME OF THE MAIN TOPICS IN THIS CHAPTER ARE

Unix and Linux Systems 829

Configuring Windows NT 4.0 Auditing Policies 832

Configuring Windows 2000 and Windows Server 2003 Auditing Policies 836

Auditing Windows XP Professional Computers 845

Novell Security 846

NetWare Auditing Solutions 848

Security for an individual computer system or for the network as a whole requires a two-pronged approach. First you must try to ensure that all applications and data are secured against unauthorized usage. This can mean anything from setting up and enforcing a good password policy to using the access mechanisms (such as resource permissions) provided by the operating system or network software to secure resources or to restrict user activity (by selectively granting or denying rights). However, no matter how good you are at this before-the-fact approach to preventing security breaches, it's almost impossibleshort of taking a system off the network and locking it in a room with a guard outsideto be absolutely sure that the system is totally secure. If you are a genius and make use of all the rights and permissions mechanisms at your disposal to secure a system (much less the entire network), an application bug or a disgruntled employee can still compromise a system.

Because you can never be certain that you've covered all your bases, it's also necessary that you follow up on your security configuration by monitoring the activities of the system. This chapter discusses the second part of securing your system: auditing techniques.

This second approach to securing the network is an important one. You should use all practical auditing features to record access to resources and to set up a policy for reviewing the data gathered on a regular basis. The degree to which you will find it necessary to gather information using the various utilities that an operating system provides depends on how important the data is on a system, or whether the system provides access to the network from the Internet. During normal operations, if you were to enable every single type of event auditing on a Windows NT/2000 or 2003 Server, you would end up with a very slow response time and with more data than you could possibly review daily. However, you can strike a compromise, depending on the particular system, and set up auditing that can be used to sufficiently record system activities and increase your audited events during times when you suspect that something might be awry.

Every major server operating system in use in a business environment today that is connected to a network has the capability to set up auditing for many events. Don't expect to find these capabilities with older client operating systems such as Windows 95 or 98. If you are still using these operating systems, it's time for an upgrade.

But for most operating systems, you can keep track of file and printer accesses, user logins/logouts, and other information that gives you the who, where, what, and when information you'll need for researching when you have reason to believe that a security problem exists. The methods of auditing and the tools used to exploit this data depend on the network or computer operating system. Because most networks are hybrids that have multiple operating systems, it's a good idea to have an employee who is skilled in each OS environment, intimately familiar with the peculiarities of each system.