After you lock down your Web server, how do you make sure it stays locked down? Inadvertently misconfiguring or disabling a security feature while administering a server is, unfortunately, easy to do. And installing updates and software can reenable services or features that you've disabled for security reasons. Therefore, recognizing changes to your Web server as soon as possible is important.
To detect changes, you can use System Scanner 1.1, a Microsoft Windows 2000 Server Resource Kit utility. This host-based security scanner performs several vulnerability checks, including baseline comparisons that detect changes to processes, services, shares, files, users, and groups. After you secure your Web server, you can use System Scanner to take a snapshot of the server's configuration, then compare new scans against that baseline snapshot to identify changes. Unlike running a security template in analyze mode, System Scanner also sees changes to files' contents and attributes.
System Scanner 1.1 was written for Windows NT, but its baseline comparison feature works well on Win2K. To make baseline comparisons, System Scanner uses policies. A policy defines which checks System Scanner should perform and the correct value for each check. After you create a policy, System Scanner uses that policy to scan the computer and create a baseline against which it compares future scans. System Scanner saves scan results to an internal database and provides several reports, including the Vulnerabilities, Service, Trend, and Differential reports. The Vulnerabilities report is the simplest way to receive notification of important system changes. You can even use a script to check this report for you and send you an email-message notification about the results. Let's take a closer look at how to use System Scanner, including how to install it, create a policy, run scans, and use a script.
Installing System Scanner
To install System Scanner, load the resource kit CD-ROM and run sysscansetup.exe, which is in the \apps\systemscanner directory. The System Scanner Installation Wizard will appear. Follow the wizard's instructions, accepting all the defaults. When the wizard asks whether it should install System Scanner as an agent, click Yes.
System Scanner doesn't typically create a shortcut on the Start menu. To launch the program, go to the %systemdrive%\Program Files\iss\sysscan\bin folder and double-click syscan.exe.
Creating a Policy
After you install System Scanner, you need to create a policy. To do so, select Policy, New to launch the New Policy Wizard. In the opening dialog box, the wizard prompts you for the name of the policy. Enter DetectChanges in the text box, then select the Let me choose all settings for myself option and click Next.
In the next dialog box, expand the Baselines folder in the left pane. As Figure 1 shows, the folder contains seven types of scans for which System Scanner can create a baseline. Selecting a check box in the left pane brings up scan options in the right pane. The following briefly describes the seven types of scans and the configuration options they offer.
Registry Scan. Registry Scan tracks changes to registry keys and values. I had trouble with System Scanner reporting false positives on this type of scan. Therefore, I recommend that you leave the Registry Scan check box cleared until you have time to experiment with this feature and make sure it works in your environment.
File Scan. File Scan tracks changes to files. After you select the File Scan check box, you need to specify what to track on the General, Directories, and Extensions tabs in the right pane. On the General tab, you specify the data to track. For example, you can track changes to a file's attributes, contents, ownership, and permissions. On the Directories tab, you control which folders to track, and on the Extensions tab, you specify the types of files to track in those directories. By default, System Scanner scans .bas, .class, .cpl, .dll, .drv, .exe, .ocx, .pl, .scr, and .vxd files.
Which folders, file types, and data types should you track on your Web server? One obvious folder to track is the folder in which you store your Web site's static and dynamic content files, including .html, .gif, and .asp files. By default, this folder is \Inetpub\wwwroot. You'll want to know whenever someone changes those files' attributes, contents, ownership, or permissions, because a change to any of this data might indicate that someone is tampering with your site. You might also want to monitor .exe and .dll files in %systemroot% and any important .ini or other configuration file types that the system's day-to-day activity doesn't update.
You can be pretty liberal with which directories you track because within those folders, System Scanner tracks only those files selected on the Extensions tab. However, don't track databases, logs, or other file types that constantly change; otherwise, System Scanner will report a vulnerability every time you run a scan.
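The File Scan settings above amount to a baseline of per-file content, attributes, ownership, and permissions for chosen directories and extensions, with constantly changing file types excluded. The script below is an added example that does the same job in Windows PowerShell 5.1 or later; it is not part of the article and not part of System Scanner. The tracked directories, the extension lists, and the baseline file location are assumptions you would adjust for your server. Run it once to write the baseline, then run it again (for example, from a scheduled task) to get the differences; it exits with the number of changes so a wrapper script can decide whether to send mail.

```powershell
# Added example (not from the article or from System Scanner): a PowerShell file baseline that records
# the data the File Scan tracks (contents, attributes, ownership, permissions) for chosen directories
# and extensions, saves it to JSON, and reports what changed on later runs.

$TrackedDirs  = 'C:\Inetpub\wwwroot', "$env:SystemRoot\System32"       # assumption: content and binaries to watch
$TrackedExts  = '.asp', '.html', '.htm', '.gif', '.exe', '.dll', '.ocx', '.ini'
$ExcludedExts = '.log', '.mdb', '.ldb', '.tmp'                          # constantly changing files: never baseline these
$BaselineFile = "$env:ProgramData\filebaseline.json"                    # assumption: where the snapshot is kept

function Get-FileSnapshot {
    param([string[]]$Dirs, [string[]]$Exts, [string[]]$Skip)
    $snap = @{}
    foreach ($dir in $Dirs) {
        Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue |
          Where-Object { $Exts -contains $_.Extension -and $Skip -notcontains $_.Extension } |
          ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            $snap[$_.FullName] = [pscustomobject]@{
                Path       = $_.FullName
                Hash       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash   # contents
                Attributes = $_.Attributes.ToString()                                  # ReadOnly, Hidden, ...
                Owner      = $acl.Owner                                                # ownership
                Sddl       = $acl.Sddl                                                 # owner/group/DACL as SDDL text
            }
          }
    }
    return $snap
}

function Compare-FileSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $fields = 'Hash', 'Attributes', 'Owner', 'Sddl'
    foreach ($path in $Current.Keys) {
        if (-not $Baseline.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Added'; Path = $path; Detail = '' }
            continue
        }
        # Report which of the tracked data types changed, not just that the file differs
        $diff = $fields | Where-Object { $Baseline[$path].$_ -ne $Current[$path].$_ }
        if ($diff) {
            [pscustomobject]@{ Change = 'Modified'; Path = $path; Detail = ($diff -join ',') }
        }
    }
    foreach ($path in $Baseline.Keys) {
        if (-not $Current.ContainsKey($path)) {
            [pscustomobject]@{ Change = 'Removed'; Path = $path; Detail = '' }
        }
    }
}

$current = Get-FileSnapshot -Dirs $TrackedDirs -Exts $TrackedExts -Skip $ExcludedExts

if (-not (Test-Path -Path $BaselineFile)) {
    # First run: the server is in its known-good state, so record it and stop.
    ConvertTo-Json -InputObject @($current.Values) -Depth 3 | Set-Content -Path $BaselineFile -Encoding UTF8
    Write-Host "Baseline written to $BaselineFile ($($current.Count) files)"
    return
}

# Later runs: rebuild the baseline hashtable from the JSON array (Windows PowerShell 5.1 lacks -AsHashtable)
$baseline = @{}
foreach ($entry in (Get-Content -Path $BaselineFile -Raw | ConvertFrom-Json)) { $baseline[$entry.Path] = $entry }

$changes = @(Compare-FileSnapshot -Baseline $baseline -Current $current)
if ($changes.Count -eq 0) { Write-Host 'No changes since baseline.' }
else { $changes | Sort-Object Change, Path | Format-Table -AutoSize }
# Non-zero exit code lets a scheduled task or an e-mail wrapper treat any change as a finding
exit $changes.Count
```

Protect the baseline file at least as well as the files it describes (an intruder who can edit the baseline can hide a change), and refresh it deliberately after every legitimate update or patch so that the next scan compares against the new known-good state rather than reporting the update as tampering.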
Services. By selecting the Services check box, you can configure System Scanner to track application (e.g., FTP, RRAS, Schedule) and driver services. Tracking application services is useful because intruders can use these services as doorways into the server. Drivers run in kernel mode with unrestricted access to the system, so an intruder who can load a rogue driver has completely compromised the computer. Therefore, you should select both the Application Services and Driver Services check boxes.
Processes. If you select the Processes check box, System Scanner detects changes to programs that are configured to start automatically. Catching changes to startup programs is important because intruders who install back doors and Trojan horses often configure the system to start the malicious program every time a user logs on or the system restarts. To detect changes to startup programs, System Scanner checks the following locations:
- Common Startup folder
- Startup folder for the current user
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry subkey
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry subkey
- load value of the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows registry subkey
- run value of the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows registry subkey
These locations aren't all the places from which Win2K can start a program (the RunOnce subkeys and services are others), so treat the Processes check as a partial net rather than a complete one; selecting it still can't hurt.
User Scan. User Scan checks for new, deleted, and changed user accounts; changes to the groups to which a user belongs; logon information (e.g., logon script, home directory); RAS dial-in access and call-back number; and user rights. User Scan also catches other changes, such as a disabled user account that has been re-enabled. I recommend that you select all the User Scan check boxes. These checks are valuable because intruders often create user accounts for future access. You definitely want to know when someone grants a user account the Act as part of the operating system or Take ownership of files or other objects right. These checks are also valuable if you create a user account to give someone temporary access but forget to delete it later as you had intended.
Group Scan. Group Scan detects any user-right assignment changes to groups and any group-membership changes. Both of these checks are important. A change in group membership (for example, mistakenly adding a user to the Administrators group) can greatly affect security.
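The Services, Processes, User Scan, and Group Scan baselines described above all reduce to the same pattern: enumerate the current state as a set of lines, save it, and diff later runs against it. The script below is an added example of that pattern in Windows PowerShell 5.1 or later, run as an administrator (secedit needs it); it is not part of the article and not part of System Scanner. It covers the six startup locations listed under Processes, application services and kernel drivers, local user accounts, group membership, and user-right assignments. The baseline file location is an assumption; the Run-key filter on property names beginning with PS drops PowerShell's own provider properties and would also drop a real value whose name happens to start with PS.

```powershell
# Added example (not from the article or from System Scanner): snapshot the non-file items the
# Services, Processes, User Scan and Group Scan baselines cover, then diff later runs against it.
# Requires Windows PowerShell 5.1+ (Get-LocalUser/Get-LocalGroupMember) and an elevated prompt (secedit).

$BaselineFile = "$env:ProgramData\hostbaseline.txt"   # assumption: where the snapshot is kept

# The six startup locations the article lists
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$WinKey  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'              # its load and run values
$StartupFolders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",  # Common Startup
                  "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"        # current user's Startup

function Get-HostSnapshot {
    $lines = New-Object System.Collections.Generic.List[string]

    foreach ($key in $RunKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') { $lines.Add("startup|$key|$($p.Name)=$($p.Value)") }
            }
        }
    }
    foreach ($name in 'load', 'run') {
        $v = (Get-ItemProperty -Path $WinKey -Name $name -ErrorAction SilentlyContinue).$name
        $lines.Add("startup|$WinKey|$name=$v")
    }
    foreach ($folder in $StartupFolders) {
        Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
          ForEach-Object { $lines.Add("startup|$folder|$($_.Name)") }
    }

    # Application services and kernel drivers: start mode, state and the binary that gets loaded
    foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
        Get-CimInstance -ClassName $class | ForEach-Object {
            $lines.Add("$class|$($_.Name)|StartMode=$($_.StartMode);State=$($_.State);Path=$($_.PathName)")
        }
    }

    # Local users: existence, enabled flag and SID (a deleted-and-recreated account gets a new SID)
    Get-LocalUser | ForEach-Object { $lines.Add("user|$($_.Name)|Enabled=$($_.Enabled);SID=$($_.SID.Value)") }

    # Group membership, one line per member
    Get-LocalGroup | ForEach-Object {
        $g = $_.Name
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
          ForEach-Object { $lines.Add("group|$g|$($_.Name)") }
    }

    # User-right assignments (e.g. SeTcbPrivilege is 'Act as part of the operating system'),
    # exported with secedit and read from the [Privilege Rights] section of the INF it writes
    $inf = Join-Path -Path $env:TEMP -ChildPath 'secpol-export.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') { $lines.Add("right|$($Matches[1])|$($Matches[2])") }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    return $lines | Sort-Object -Unique
}

$current = @(Get-HostSnapshot)

if (-not (Test-Path -Path $BaselineFile)) {
    $current | Set-Content -Path $BaselineFile -Encoding UTF8
    Write-Host "Baseline written to $BaselineFile ($($current.Count) items)"
    return
}

$baseline = @(Get-Content -Path $BaselineFile)
# '=>' marks lines present now but not in the baseline (added or changed), '<=' lines that vanished or changed
$changes = @(Compare-Object -ReferenceObject $baseline -DifferenceObject $current)
if ($changes.Count -eq 0) { Write-Host 'No changes since baseline.' }
else { $changes | Sort-Object InputObject | Format-Table SideIndicator, InputObject -AutoSize -Wrap }
exit $changes.Count
```

Because each item is a single line, a modified service shows up as a matched pair (the old line marked <= and the new line marked =>), which tells you what changed without any per-field bookkeeping. The HKCU entries and the current user's Startup folder are those of the account running the script, so run it under the same account every time, and be aware that a service whose State is recorded will also show a change if it is merely stopped or started; drop the State field if that noise is unwanted.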