InstantForum.NET v4.1.4UltimateWindowsSecurity.com Forumhttp://forum.ultimatewindowssecurity.com/noreply@ultimatewindowssecurity.comSat, 31 Jul 2010 02:02:44 GMT20http://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxAgreed. You must pare down members in local Administrators and the AD Enterprise Amdin, Domain Admins and Administrators to the bare minimum. It is possible but you have to use AD's delegationThu, 08 Jul 2010 09:32:30 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxAs for arcsight connector agents being tamper proof I can assure you they are not.By virtue of relying on the windows event logs , anyone who can successfully modify the event logs without leaving a explicit audit trail on the system can trick the connector.The connector only grabs and parses what it thinks is there from the event logs.<br>As for the delegation of access and decreasing the amount of domain admins that you have, requires proper AD structure organising ,planning and maintaining, along with strong boundaries of responsibilities.The stronger and more strict the structure, the easier it is to work with delegation.Some companies might find they lack the internal fortitude to restructure their AD based on the fact they need to make everything more auditable and controllable.Mon, 28 Jun 2010 05:50:32 GMTdmcinnishttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxThanks for all of the info. I'm still curious to know what the "tell-tale events that lead up to a change in system audit policy" might be. Can you share any insight? Or is that some Alert Logic secret sauce?Wed, 05 Aug 2009 19:05:03 GMTottermatonhttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxYes you can control operations on the security log using the CustomSD registry value. See this article in my wiki: <A href="http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Manage-auditing-and-security-log">http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Manage-auditing-and-security-log</A>. Wed, 05 Aug 2009 15:34:39 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxSEIM providers should be very careful about making any claims about their agent being tamper proof. The fact the agent is running on a computer where the admin has admin authority makes the agent subject to the so-called immutable laws of computer security <A href="http://technet.microsoft.com/en-us/library/cc722487.aspx">http://technet.microsoft.com/en-us/library/cc722487.aspx</A>. You can make the agent somewhat tamper resistant but no where close to tamper-proof. Wed, 05 Aug 2009 15:23:12 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxMy last question pertained to the auditing component. However, pertaining to separation of duties, are there native capabilities in Win2k3 or Win2k8 to grant/deny specific permissions for changing audit policies and/or clearing the event logs? It would be beneficial to at least limit the number of administrators in the environment with these specific permissions, even if they could do just about anything else they wanted to. This would force them to do more work to execute their bad behavior and to cover their tracks, as they'd have to first add themself to the "Audit Gods" group before they could set to work. </P><P><FONT size=2>Or are there overlay "four eyes" products from Quest Software, etc. that can require two levels of approval for making changes to the audit policy or clearing the event log? Does Win2k8 have built-in "four eyes" approval capabilities--I thought I'd heard it might.</FONT>Wed, 05 Aug 2009 12:54:52 GMTottermatonhttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxRandy:</P><P>I read your <EM>When Good Admins Go Bad</EM> whitepaper. I'm curious to know what the "tell-tale events that lead up to a change in system audit policy" might be.</P><P>Are these the only defenses against this type of abuse?</P><UL><LI>collecting and securing events in a non-domain controlled container as quickly as possible</LI><UL><LI>This might allow one to collect and secure the "audit policy changed" events before they can be erased.</LI><LI>This also raises an interesting question. Can one clear the event log without it resulting in an "audit log cleared" event, which must be cleared creating <EM>another</EM> "log cleared event", and so on?</LI></UL><LI>noticing gaps in the event stream, indicative of tampering</LI><LI>noticing other "tell-tale" signs of tampering within the logs in the absence of "audit policy changed" and "audit log cleared" events</LI></UL><P>Are there any other approaches with merit? I've heard of the SIEM vendor Arcsight claiming that their collection agents, placed on each host machine, can help mitigate the risk of this type of abuse, though I don't know their specific approach. Thanks.Wed, 05 Aug 2009 12:44:17 GMTottermatonhttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspxThis is a great question. <P>Most of the folks you mentioned don't really need to be full domain admins. Any tasks they need to perform in Active Directory can be delegated in a granular fashion using AD's delegation of control feature. It's also important to dedicated domain controllers to just being DCs; don't install databases or other applications servers on DCs. DB and application admins typically require admin authority to the operating system but on DCs that effectively makes you a Domain Admin. If you follow those to recommendations you can limit the number of people with Domain Admin authority to a handful. </P><P>For that small group of Domain Admin folks there are no preventive controls - only deterrent/detective controls in the form of a high integrity audit trail as you alluded to. To address the log overwrite (or tampering) issues you mentioned you need a log management solution implemented according to special requirements. For more information see my whitepaper "<A href="http://www.alertlogic.com/register/wp.php?cid=EYq6">When Good Admins Go Bad: The Critical Need for Log Management as a Deterrent/Detective Control</A>".Thu, 02 Jul 2009 06:57:44 GMTRandyFranklinSmithhttp://forum.ultimatewindowssecurity.com/Topic116-9-1.aspx<FONT size=1>Hi,</FONT><P><FONT size=1>During the IT audit I have hit into practical problem asked by auditees - how we can practically organise the segregation of duty in MS Windows environmnet, so that administrators would not have access to top management file server, or i.e. their Exchange mail? Of course, SOD could be applied at least to different roles of admins (MS Exchange v.s. file server admin), but as they often need to be domain admins to do their regular job, I am not sure if chance to take priviledges is not a risk. Of course, turning on audit trail could be a way, but I believe this kind of activity will be under carpet within 6m.</FONT><P><FONT size=1>I was also thinking if ILP (Information leak protection) systems could not help them in this risk control?</FONT><P><FONT size=1>Thanks for any open ideas,</FONT><P><FONT size=1>Jiri<BR></FONT>Tue, 23 Jun 2009 10:03:54 GMTsulovsky