CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [227]
If you are running Windows 2003/2008, it is recommended that you start Event Viewer and right-click the Security Log object. Choose Properties from the popup menu, set the Maximum Log Size entry to the largest value you can afford, and select Do Not Overwrite Events. Each time you audit the log entries (at least weekly is recommended), clear the file manually once you are certain there are no alarms you need to respond to.
The log files created by crucial network services such as DNS also need to be examined routinely. The DNS service, when running on Windows Server 2003/2008 for example, writes entries to a log that can be examined using Event Viewer. Just as the size and overwrite options were set for the Security Log object, the same settings should be applied to the DNS Server log.
A firewall, whether software or hardware, typically creates log files when logging is enabled, just as most other services do. Given the importance of the firewall and its purpose, the entries written to those logs should be held in high esteem and evaluated regularly. These log files can be created anywhere a firewall is running, from a workstation to an appliance.
In Windows XP, for example, the firewall log and its settings can be accessed by opening Windows Firewall in the Control Panel and then choosing the Advanced tab. Beneath Security Logging, choose Settings, and you can set such attributes as the size of the log file and its name. To view the file, choose Save As, find the file in the dialog box that opens, right-click it, and choose Open.
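As an added example (not code from the study guide), the following Python script reads the W3C-style pfirewall.log that the Windows XP firewall writes and summarises dropped inbound traffic per source address, the kind of check a weekly log review would make. The sample entries, the `#Fields:` layout and the `review` threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a Windows XP/2003 Windows Firewall log (pfirewall.log).
# The '#Fields:' header is assumed to be the default one the firewall writes.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-06-12 10:15:32 DROP TCP 192.168.1.50 192.168.1.10 3456 445 48 S 1234567 0 65535 - - - RECEIVE
2008-06-12 10:15:33 DROP TCP 192.168.1.50 192.168.1.10 3457 139 48 S 1234568 0 65535 - - - RECEIVE
2008-06-12 10:15:34 DROP TCP 192.168.1.50 192.168.1.10 3458 135 48 S 1234569 0 65535 - - - RECEIVE
2008-06-12 10:16:01 OPEN TCP 192.168.1.10 192.168.1.20 1045 80 - - - - - - - - -
2008-06-12 10:16:40 DROP UDP 10.0.0.7 192.168.1.10 53 1050 78 - - - - - - - RECEIVE
2008-06-12 10:17:02 CLOSE TCP 192.168.1.10 192.168.1.20 1045 80 - - - - - - - - -
"""

def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
        elif not line or line.startswith("#"):
            continue                       # blank lines and other header directives
        elif fields is None:
            raise ValueError("data line found before the #Fields header")
        else:
            values = line.split()
            if len(values) == len(fields): # skip truncated or garbled rows
                yield dict(zip(fields, values))

def dropped_inbound_by_source(text):
    """Map each source IP to (number of dropped inbound packets, sorted list of ports hit)."""
    hits, ports = Counter(), {}
    for entry in parse_firewall_log(text):
        if entry["action"] == "DROP" and entry["path"] == "RECEIVE":
            hits[entry["src-ip"]] += 1
            ports.setdefault(entry["src-ip"], set()).add(entry["dst-port"])
    return {ip: (count, sorted(ports[ip])) for ip, count in hits.items()}

def review(text, threshold=3):
    """Return the sources whose dropped inbound count reaches the threshold (constructed value)."""
    return {ip: v for ip, v in dropped_inbound_by_source(text).items() if v[0] >= threshold}

if __name__ == "__main__":
    for ip, (count, ports) in review(SAMPLE_LOG).items():
        print(f"{ip}: {count} dropped inbound packets to ports {', '.join(ports)}")
```

Repeated drops from one source across several ports are the entries worth following up during the review; one-off drops are usually background noise.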
Most antivirus programs also create log files when they run, and these should be checked regularly. Not only do you want to verify that the program is running, but also that the definition files in use are current. Pay attention to the viruses that are found and deleted or quarantined, as well as to any files that are being skipped.
Log files from every antivirus program in use, from the workstation to the server, should be checked regularly, and you can educate users on how to examine their own log files. With Sophos Anti-Virus, for example, users right-click the icon in their taskbar and choose Open Sophos Anti-Virus from the popup menu. Next, they click Configure Sophos Anti-Virus and choose View log. Changes to the default logging settings are made by choosing Configure log and adjusting the settings in the dialog box shown in Figure 8.11.
FIGURE 8.11 Configuring logging with Sophos Anti-virus
Reporting to Management
An audit should always conclude with a report to management. This report should outline any organizational strengths and weaknesses as they existed at the time of the audit. The audit should also explain any violations of policy, recommendations for improvement, and recommendations for the organization overall. This report is a vital part of the process, and it provides a mechanism that can be used to develop corrective action plans and updated policies.
There must always be one person who can gain access when things go awry. In the summer of 2008, a rogue network administrator in San Francisco was charged with resetting the passwords on all the city's fiber switches and routers, making them inaccessible to administrators. With all other administrators lacking the permission needed to change the passwords, the city was unable to control the backbone.
Access Control
The three primary methods of access control are Mandatory (MAC), Discretionary (DAC), and Role-Based (RBAC). A fourth method, Rule-Based Access Control (which also uses the RBAC acronym), is gaining in popularity. Each of these methods has advantages and disadvantages for the organization from a security perspective.
The method you choose will be greatly affected by your organization’s beliefs