Log Files
If intruders can modify log files, they can erase any traces of illegal activity. If intruders compromise a system and have permissions to modify log files, proving that the logs are valid evidence of an intrusion is difficult. Even if intruders don't modify the logs, these files can contain information that could lead to the compromise of additional systems. So, take extra precautions to protect log files.

Securing log files can be tricky. You want the System account—the user context of IIS—to be able to create Web logs, append data to them, and create new log directories when you add Web sites. The System account is the only account that should have Write access to these directories, and only the Administrator or the user who's responsible for managing log files or running Web statistics programs should be able to read Web logs.

The System account should be able to create files and directories but not modify existing files. To accomplish this, set two ACL settings for the LogFiles directory—one for subdirectories (containers) and one for files (objects).

First, right-click the log files directory, select Properties, then select the Security tab. Clear the Allow inheritable permissions from parent to propagate to this object option, then click Remove to give yourself a clean slate to work with. Click Advanced, click Add, then select the System account from the list. A dialog box will prompt you to set permissions. From the Apply onto drop-down list, select Files Only, then select the check box for the following permissions, as Figure 2 shows: Read Attributes, Create Folders/Append Data, Write Attributes, and Read Permissions.

Click OK, then click Add. Select the System account again and click OK. When the permissions dialog box appears, select This folder and subfolders from the Apply onto drop-down list. Select the following permissions: List Folder, Read Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, and Read Permissions.

Click OK, then click Add again. Select the Administrator account (not the Administrators group). Select This folder, subfolders and files and select the following permissions: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Delete Subfolders and Files, Delete, and Read Permissions.

If other users will be managing log files, repeat the previous steps for each user. When you're finished, select the Reset permissions on all child objects and enable propagation of inheritable permissions check box.

By configuring these permissions, you essentially let the System account create log files and directories but not modify existing data. You also let only the administrator or designated users read and move log files, but you don't let those accounts modify logs.

Because both the System and Administrators accounts can modify permissions, carefully audit the access to the directory. If you're building a case against an intruder, you must be able to prove that the intruder didn't modify the files or change the permissions. Right-click the directory, select Properties, then select the Security tab. Click Advanced, then select the Auditing tab. Add an audit policy for the Everyone group. Audit successful use of the following permissions: Create Files/Write Data, Delete Subfolders and Files, Delete, Change Permissions, and Take Ownership.

To further monitor access to these files, you might also want to audit failed use of the following permissions: Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, Delete, and Change Permissions. With these permissions and audit settings in place, you can be confident that your log files haven't been modified, and you'll have a full audit record.
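The permission and audit entries described above can also be applied from a script. The following PowerShell is an added example, not part of the original article: it assumes a current Windows system with PowerShell, the path `D:\LogFiles` and the local account name `Administrator` are placeholders, and applying the audit entries to this folder, subfolders and files is an assumption because the article does not name a scope for them.

```powershell
# Added example: scripted form of the ACL and audit steps. Run elevated.
param(
    [string]$LogDir = 'D:\LogFiles',                     # placeholder path (assumption)
    [string]$Admin  = "$env:COMPUTERNAME\Administrator"  # assumed local account name
)
$ns     = 'System.Security.AccessControl'
$system = 'NT AUTHORITY\SYSTEM'
$all    = 'ContainerInherit, ObjectInherit'   # this folder, subfolders and files

# -Audit loads the SACL along with the DACL; this needs an elevated session.
$acl = Get-Acl -Path $LogDir -Audit

# Clean slate: stop inheriting from the parent, then drop explicit entries.
$acl.SetAccessRuleProtection($true, $false)
@($acl.Access) | ForEach-Object { [void]$acl.RemoveAccessRule($_) }

function Add-Allow($Id, $Rights, $Inherit, $Propagate) {
    $rule = New-Object "$ns.FileSystemAccessRule" -ArgumentList $Id, $Rights, $Inherit, $Propagate, 'Allow'
    $acl.AddAccessRule($rule)
}

# System, "Files Only": append to existing logs, no WriteData and no Delete.
Add-Allow $system 'ReadAttributes, AppendData, WriteAttributes, ReadPermissions' 'ObjectInherit' 'InheritOnly'

# System, "This folder and subfolders": create new log files and directories.
Add-Allow $system 'ListDirectory, ReadAttributes, CreateFiles, CreateDirectories, WriteAttributes, ReadPermissions' 'ContainerInherit' 'None'

# Administrator, "This folder, subfolders and files": read and remove, no write.
Add-Allow $Admin 'Traverse, ListDirectory, ReadAttributes, ReadExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ReadPermissions' $all 'None'

# Audit entries for Everyone: the successful and failed uses listed in the text.
$ok   = 'CreateFiles, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
$fail = 'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions'
$acl.AddAuditRule((New-Object "$ns.FileSystemAuditRule" -ArgumentList 'Everyone', $ok, $all, 'None', 'Success'))
$acl.AddAuditRule((New-Object "$ns.FileSystemAuditRule" -ArgumentList 'Everyone', $fail, $all, 'None', 'Failure'))

Set-Acl -Path $LogDir -AclObject $acl

# Equivalent of "Reset permissions on all child objects": children drop their
# own entries and inherit from the log directory again.
icacls "$LogDir\*" /reset /T /C /Q

# Review the result: two SYSTEM entries with different scopes, one for $Admin.
(Get-Acl -Path $LogDir).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The audit entries produce Security log events only when object access auditing is also enabled in the system's audit policy.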

As you learn more about user roles and how they interact with the file system, you'll be able to protect your Web server without causing disruption to user applications. This process clearly takes effort and careful planning, but the creative use of permissions can build a Web server that's resilient to attack.


Reader Comments

Hi,

This tutorial is good. I downloaded the code and tested it on my Win 2000 server. My question is whether I can assign NTFS permissions to users on a member server, not users from the domain.

Thanks

Ganyu Qu
