12.3. Securing Windows NTOnce you have chosen a machine, you need to make sure that it has a reasonably secure operating system installation. The first steps in this process are the same as for any other operating system and were discussed in Chapter 10, "Bastion Hosts". They are:
12.3.1. Setting Up System Logs Under Windows NTUnder Windows NT, logging is done by the Event Logger, and logs are read with the Event Viewer. This poses a number of problems:
You can set up Windows NT so that it does not delete old items when the log fills. However, if you do so, it will simply stop logging items when the log fills, which is even worse for security. If you're really confident about your ability to keep the log small by hand, you can set the machine up so that if the log fills up, it will not only stop logging, it will also shut the machine down. This approach is very radical; it does not do a graceful shutdown but simply crashes, probably losing information in open files. On the other hand, as long as the machine isn't set to autoboot, it will make sure that you don't lose logging information.
If you are very careful, you can get an Event Logger set up that is relatively secure but that requires considerable maintenance. To do so, you'll need to configure the Event Logger for a large log that does not overwrite old events, have it shut down the machine if the log fills, turn off autobooting, and then regularly save the log to removable media and clear the logs. This still leaves you vulnerable to denial of service attacks and to attackers who modify the logs before you copy them. You can add some security by changing the location to which Event Logger writes and putting the log on write-once media.
To keep events from being overwritten, use the Event Viewer, go to the Log menu, select Log Settings, and select Do Not Overwrite Events (Clear Log Manually). To shut down the machine when the log fills up, set the registry key
to 1. To change the location where files are stored, look in:\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
You will find an entry for each of the three Windows NT logs (application, system, and security), each of which has a key named "File". Change the value of this key to change the files used to store event logs.\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
You are better advised to use an add-on product to copy events out of the Event Logger as they are logged. You can then let old events be deleted, since you'll be working from the other copies. icrosoft sells a program that turns events into SNMP traps as they are logged as part of the System Management Service; you can also get programs that will make syslog entries for events (see Chapter 11, "Unix and Linux Bastion Hosts", for more information about syslog). The Windows NT Resource Kit provides a utility called dumpel that will dump the event log to a text file, which can also be handy for saving event log information. None of these systems are perfect; they have a significant risk of losing or duplicating events. You will therefore want to protect the original event logs as well.
Although Microsoft does not provide tools for rotating event logs, there is a programming interface to the event logger that would allow you to write your own. If you do this, you should still leave the machine set to crash when the log fills, so that you are protected in case of rotation problems.
You will also want to be careful about the amount of logging you do. Logging takes a significant amount of effort under Windows NT, and logging large numbers of events can noticeably slow down a server, particular if you are running add-on software that requires every event to be logged twice. The auditing system can log immense amounts of data if you are incautious about what you turn on.
Copyright © 2002 O'Reilly & Associates. All rights reserved.