Tuesday, August 10, 2004

Enterprise Monitoring, Windows Systems

SourceForge.net: Project Info - Enterprise Monitoring, Windows Systems

We had a problem to solve: how to effectively review Windows remote client Event Logs to make sure that our firewall and security policies were working. I learned the importance of reviewing security logs after I first used Windows 2000 TCP/IP filtering to limit access to our remote clients. This worked for most computers but failed whenever a DSL company added an internal modem. Basically the TCP/IP filtering only worked when all traffic used the LAN interface. I didn't like finding out about the security problems after someone was infected by a worm.

I looked into two different tools for polling Windows event logs. One method was using a syslog Windows client to send a UDP message whenever an event log message was generated. I was able to find a GPL-licensed Windows client but not a Windows server piece. However, I could always use a Linux machine for the server.

The biggest advantage of this method was its use in the Unix/Linux world. I felt comfortable using old, tried-and-true enterprise system logging and I really liked the idea that I could integrate some Linux technology into Windows. The biggest problem was that the security log messages would be pushed to the server whenever there was an issue. Now our remote clients connect to work through a VPN connection and are not always able to connect to the syslogd server. Apparently the messages would be serialized to easily show when information was missing from the server, but I expected that the remote client would see that situation 40% of the time. I thought about sending the UDP messages over the Internet through our firewall, but realized that the messages would be unencrypted and could be sniffed by anyone.

So in order to use syslog with Windows logging I would have to encrypt the UDP connection to an Internet-exposed server and look into the possibility of caching the syslog messages, which was strongly discouraged because of the bandwidth problems when everybody started their morning shift.

The other option is working quite well for us. I ended up using Event Collector/Monitor from SourceForge because of the GPL license and the fact that it pulled the information from the remote clients. The Event Monitor project uses the Windows admin$ share to copy the system log to a centralized server and then uses Perl to parse the contents into a SQL database (MS-SQL or MySQL). It uses a PHP front end to input the computer names and create search reports. It also has a filter system that is used to email an administrator when certain criteria are met. Currently, I have every warning, error, and security failure emailing my Exchange account, which throws the alert into its own folder.

This software worked so well that I have included all of our in-house computers and servers. It was really useful for me to get an email for every error, although I'm starting to get too many emails and will probably create better filters. Now that I understand what errors I'm getting I think the more specific filter will work better than if I didn't get all errors sent to me.

Through this program, I have found out that there are more issues than I remembered with the client computers. I would see errors here and there when manually auditing the event log but I never was able to see patterns over all the computers. I realized because of this software that a software package is continuing to ask for more security privileges than I gave it. It didn't stop the program in any noticeable way but now I have something to fix pro-actively.
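To make the filter-and-alert idea concrete, here is an added example (my own code, not the Event Collector/Monitor project's Perl or its schema) that takes a constructed CSV export of the kind such a collector would produce, picks out the records that should be mailed (every warning, error and security failure audit), and groups identical failures across computers so the pattern described above, one package repeatedly asking for access it was not granted, shows up as a single line instead of scattered events. The column names and the sample records are assumptions for the example.

```python
"""Added example: alert filtering over exported Windows event log records.

Not the Event Collector project's own code; the CSV columns and sample
records are constructed for this illustration.
"""
from collections import Counter
import csv
import io

# Constructed sample export: computer, log, type, event id, source, message.
# Event 560 (Object Open) failure audits stand in for a program asking for
# more access than its user was granted.
SAMPLE_EXPORT = """\
computer,log,type,event_id,source,message
WS-ALICE,Security,Failure Audit,560,Security,Object Open: C:\\Program Files\\App\\config.dat
WS-ALICE,Security,Failure Audit,560,Security,Object Open: C:\\Program Files\\App\\config.dat
WS-ALICE,System,Information,6005,eventlog,The Event log service was started.
WS-BOB,Security,Failure Audit,560,Security,Object Open: C:\\Program Files\\App\\config.dat
WS-BOB,Application,Error,1000,Application Error,Faulting application app.exe
WS-CAROL,System,Warning,4201,Tcpip,The system detected that a network adapter was connected.
WS-CAROL,Security,Success Audit,528,Security,Successful Logon
"""

# Event types that should raise an email alert.
ALERT_TYPES = {"Warning", "Error", "Failure Audit"}


def parse_export(text):
    """Parse the CSV export into one dict per event record."""
    return list(csv.DictReader(io.StringIO(text)))


def alert_events(records):
    """Records worth mailing: every warning, error and security failure."""
    return [r for r in records if r["type"] in ALERT_TYPES]


def alerts_per_computer(records):
    """How many alert-worthy events each computer produced."""
    return Counter(r["computer"] for r in alert_events(records))


def failure_patterns(records, min_computers=2):
    """Group alerts by (event_id, message) and keep those seen on several
    computers; these are the fleet-wide patterns a per-machine review misses."""
    seen = {}
    for r in alert_events(records):
        key = (r["event_id"], r["message"])
        seen.setdefault(key, set()).add(r["computer"])
    return {key: sorted(hosts) for key, hosts in seen.items()
            if len(hosts) >= min_computers}


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    for (event_id, message), hosts in failure_patterns(recs).items():
        print(f"event {event_id} on {', '.join(hosts)}: {message}")
```

Once every event is being mailed, a narrower rule set like `failure_patterns` (same event on several machines) is usually the next step; the one-alert-per-error flood described above is what makes it possible to know which rules to write.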

I installed the Event Collector (Event Collector is the name of the Windows application that polls the clients) on my workstation. I used IIS, MySQL, and cygwin's perl package. The actual event collecting can use quite a bit of the processor but usually only when adding a new client that needs the entire log parsed.

Thursday, July 29, 2004

A Taste of Computer Security

http://slashdot.org/article.pl?sid=04/07/29/1243200

This is supposed to be a good article on security that can be read from beginning to end.

Removing MS Internet Explorer

Crackbaby.com - For The Twisted Little Kid in You!

My only question with the methods described is knowing how to update your computer from Microsoft's . I don't think that Firefox can run ActiveX scripts, which is necessary.

Thursday, July 22, 2004

Creating a serial port for an internal modem

I went to the trouble of finding an internal 'hardware' modem that has all of the modem parts available to Linux without needing a special driver, however Debian and Knoppix did not discover it correctly. Here is how to correct that.

(This is all from memory from what I did last night. I have correctly done this with two systems but I had forgotten during the months between.)

First make sure that you need to do all of these steps. Run 'pppconfig', create a new connection, and allow the computer to auto-detect the modem. If the only option is /dev/ttyS0 (the first external serial port), or if you try the other serial ports with no success (ttyS0-4), then you will need to add a new serial port. Look at 'man ttyS' for a mknod line that will start you off. I ran 'mknod -m 660 /dev/ttyS4 c 4 68'. Then 'chown root:tty /dev/ttyS4' to give the port the correct permissions.

Run 'ls /dev/ttyS*' to see what serial devices are installed on your computer. You can remove a serial device and recreate it, but be careful. On Knoppix, I saw that ttyS0-3 was different than ttyS4-9. I ended up choosing to install the modem under the /dev/ttyS4 port.

Run 'lspci -v' to see what I/O address your computer gave to your internal modem. Find the modem in the list (you can use this command to narrow in on the port: 'lspci -v | grep -A 10 -i modem') and look for 'I/O ports at'. Also note the IRQ listed under the Flags section (mine was IRQ 11). The serial address will always start with 0x and have 4 hexadecimal digits after. My lspci line was 'I/O ports at ccf0', therefore use 0xccf0 for the port address.

You can see how the other serial ports are described by running 'setserial /dev/ttyS[0-4]'. This will not change anything and will only show you what settings you want to emulate. Now run 'setserial /dev/ttyS4 uart 16550A port 0xccf0 irq 11'. If you read the 'man setserial' page, you will find out that UART has something to do with the serial protocol -- an infrared port is different than a modem port.

Now the computer should be able to recognize the modem at /dev/ttyS4 when you run pppconfig and pon. Setserial should remember the settings the next time you reboot because it saves all ports that do not have a uart of unused or none listed. If it didn't work, run 'dpkg-reconfigure setserial' to make setserial restore the settings after every reboot.
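The steps above boil down to reading two numbers out of 'lspci -v' and feeding them, together with the device minor number from 'man ttyS', to mknod and setserial. As an added example (my own code, not part of the original post or of any of the tools mentioned), the following parses a constructed 'lspci -v' excerpt, extracts the I/O port base and IRQ of the first device whose header mentions a modem, and builds the exact command lines used above. It only produces the commands; running them still needs root.

```python
"""Added example: derive the mknod/setserial commands for an internal modem
from 'lspci -v' output. The lspci excerpt below is constructed for the
example; the device, port and IRQ values are assumptions."""
import re

# Constructed sample of 'lspci -v' output for an internal hardware modem.
SAMPLE_LSPCI = """\
00:0a.0 Ethernet controller: Example Corp 10/100 NIC (rev 10)
\tFlags: bus master, medium devsel, latency 64, IRQ 10
\tI/O ports at dc00 [size=256]
00:0b.0 Communication controller: Example Corp Venus Modem (V90, 56KFlex) (rev 01)
\tSubsystem: Example Corp Venus Modem
\tFlags: bus master, medium devsel, latency 0, IRQ 11
\tI/O ports at ccf0 [size=8]
\tMemory at e8000000 (32-bit, non-prefetchable) [size=256]
"""

TTY_MAJOR = 4          # character device major for ttyS* (see 'man ttyS')
TTYS_MINOR_BASE = 64   # /dev/ttyS0 is minor 64, so /dev/ttySn is 64 + n


def find_modem(lspci_text):
    """Return (io_port, irq) for the first device whose header line mentions
    a modem, or None if no such device with both values is listed."""
    # Each device block starts at column 0; its detail lines are indented.
    for block in re.split(r"\n(?=\S)", lspci_text.strip()):
        header = block.splitlines()[0]
        if "modem" not in header.lower():
            continue
        port = re.search(r"I/O ports at ([0-9a-f]{4})", block, re.I)
        irq = re.search(r"IRQ (\d+)", block)
        if port and irq:
            return int(port.group(1), 16), int(irq.group(1))
    return None


def device_commands(n, io_port, irq, uart="16550A"):
    """Commands that create /dev/ttySn with the right permissions and tell
    the serial driver where the modem lives."""
    dev = f"/dev/ttyS{n}"
    return [
        f"mknod -m 660 {dev} c {TTY_MAJOR} {TTYS_MINOR_BASE + n}",
        f"chown root:tty {dev}",
        f"setserial {dev} uart {uart} port 0x{io_port:04x} irq {irq}",
    ]


if __name__ == "__main__":
    found = find_modem(SAMPLE_LSPCI)
    if found is None:
        raise SystemExit("no modem with I/O port and IRQ found in lspci output")
    for cmd in device_commands(4, *found):
        print(cmd)
```

Running the script against real output would be 'lspci -v | python3 modem_port.py' with `sys.stdin.read()` in place of the constructed sample; the commands it prints are the same three lines used in the steps above, so they can be checked against 'setserial /dev/ttyS[0-4]' before being run.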

Monday, June 28, 2004

Windows 2000 Firewall

Here is a great website showing how to use Microsoft's IP Security Settings to create an effective firewall. I will be modifying the rules to include a firewall for all ingress Internet traffic and both ingress and egress traffic through a PPTP tunnel.

I had to permit TCP traffic on port 1723 for PPTP and permit Other 67 (GRE protocol). I then had to create a trusted network that allowed all traffic through.

I found this article that describes the problems with using Windows IPSec as a firewall tool. http://sinbad.zhoubin.com/read.html?board=Win&num=110

This Microsoft KB article will show how to disable the vulnerability through the registry. http://support.microsoft.com/default.aspx?scid=kb;en-us;811832