
An automated system for auditing (monitoring) user actions. User activity audit Leak prevention during preparation phase

Sometimes events happen that require us to answer the question "who did this?" This happens rarely, but when it does it hurts, so you should be ready to answer that question in advance.

Almost every organization has design departments, accounting departments, developers and other categories of employees working together on groups of documents stored in a shared folder on a file server or on one of the workstations. It may happen that someone deletes an important document or directory from this folder, and as a result the work of the whole team may be lost. In this case the system administrator faces several questions:

  • When, at what time, did the problem occur?
  • Which backup, the one closest to that time, should the data be restored from?
  • Was there perhaps a system failure that could happen again?

Windows has a built-in Audit subsystem that lets you track and log when, by whom and with which program documents were deleted. Auditing is disabled by default: tracking consumes a share of the system's resources, and if everything were recorded indiscriminately the load would become too great. Moreover, not all user actions are of interest to us, so the Audit policies let us enable tracking of only the events that really matter.

The auditing subsystem is built into all operating systems of the Microsoft Windows NT family: Windows XP / Vista / 7, Windows Server 2000/2003/2008. Unfortunately, in the Windows Home editions auditing is buried deep and is too difficult to configure.

What needs to be configured?

To enable auditing, log in with administrator rights to the computer that shares the documents and run Start → Run → gpedit.msc. In the Computer Configuration section, expand Windows Settings → Security Settings → Local Policies → Audit Policy:

Double-click the Audit object access policy and select the Success checkbox. This parameter enables tracking of successful access to files and the registry. Indeed, we are only interested in successful attempts to delete files or folders. Enable auditing only on the computers where the tracked objects are actually stored.

Simply enabling the Audit policy is not enough; we also need to specify which folders to track. Usually such objects are shared document folders and folders with production programs or databases (accounting, warehouse, etc.), that is, resources that several people work with.

It is impossible to guess in advance who will delete a file, so tracking is set for Everyone: successful attempts by any user to delete tracked objects will be logged. Open the properties of the required folder (if there are several such folders, each of them in turn) and on the Security → Advanced → Auditing tab add the principal Everyone with the successful access attempts Delete and Delete Subfolders and Files:
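The same audit entry can be applied from PowerShell instead of the Properties dialog, which is convenient when several shared folders have to be configured identically. The script below is an added example and is not part of the original article; the folder path D:\Shared is a constructed placeholder, and the script must be run from an elevated prompt because reading and writing the SACL requires the security privilege.

```powershell
# Added example (not from the original article): add the audit entry described
# above (Everyone, Delete + Delete Subfolders and Files, Success only) to a folder.
# The path is a constructed placeholder; run from an elevated prompt.

param([string]$Folder = 'D:\Shared')   # constructed sample path

function Add-DeleteAuditRule {
    param([string]$Path)
    # -Audit is required so that the SACL (audit entries) is read along with the DACL
    $acl = Get-Acl -Path $Path -Audit

    # Everyone; Delete on the object itself plus DeleteSubdirectoriesAndFiles;
    # ContainerInherit + ObjectInherit so new files and subfolders are covered;
    # Success only, matching the policy that logs only successful access.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success
    )

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-DeleteAuditRules {
    param([string]$Path)
    # List the explicit and inherited audit entries that involve a Delete right,
    # so the result of the change can be verified without opening the dialog.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.FileSystemRights -match 'Delete' } |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
}

Add-DeleteAuditRule -Path $Folder
Get-DeleteAuditRules -Path $Folder | Format-Table -AutoSize
```

The audit entry only takes effect together with the Audit object access policy enabled in the previous step; the SACL alone produces no events.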


A lot of events may be logged, so you should also adjust the size of the Security log in which they will be recorded. To do this, run Start → Run → eventvwr.msc. In the window that appears, open the properties of the Security log and set the following parameters:

  • Maximum Log Size = 65536 KB (for workstations) or 262144 KB (for servers);
  • Overwrite events as needed.

These figures are not definitive; they are chosen empirically for each specific case.

So, who deleted the documents (Windows 2003/XP)?

Click Start → Run → eventvwr.msc and open the Security log. Right-click on the log, select View → Filter and filter the view by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 560;


Review the list of filtered events, noting the following fields within each record:

  • ObjectName. The name of the folder or file you are looking for;
  • ImageFileName. The name of the program with which the file was deleted;
  • Accesses. The set of requested rights.

A program can request several types of access from the system at once, for example DELETE + SYNCHRONIZE or DELETE + READ_CONTROL. The right that matters to us is DELETE.


So, who deleted the documents (Windows 2008/ Vista)?

Click Start → Run → eventvwr.msc and open the Security log for viewing. The log may be full of events that are not directly related to the problem. Right-click on the Security log, select View → Filter and filter the view by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 4663;

Do not be too hasty to interpret every deletion as malicious. Deletion is often used by ordinary work programs: for example, when executing the Save command, the Microsoft Office applications first create a new temporary file, save the document to it, and then delete the previous version of the file. Likewise, many database applications create a temporary lock file (.lck) on startup and remove it when the program exits.
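The filtering described in the two sections above can be automated so that only events whose Accesses include the Delete right are shown, with the noise from Office temporary files and lock files marked separately. The script below is an added example, not code from the original article: it uses the 4663 events of Windows Vista/2008 and later (Get-WinEvent is not available on XP/2003, where the equivalent event is 560), reads ObjectName and ProcessName (the 4663 counterpart of the ImageFileName field described for 560) from the event XML, and tests the AccessMask for the DELETE bit (0x10000). The path D:\Shared\ and the noise patterns are constructed placeholders.

```powershell
# Added example (not from the original article): list 4663 events whose requested
# access mask includes DELETE (0x10000), so Delete+Synchronize or Delete+Read_Control
# requests are shown while plain reads are not. Requires an elevated prompt and
# the File System / Audit object access auditing configured as described above.

param(
    [int]$Hours = 24,
    [string]$PathPrefix = 'D:\Shared\'    # constructed sample path of the audited share
)

$DELETE_MASK = 0x10000   # the standard DELETE access right

# Legitimate delete events produced by normal saving: Office "~$" owner files,
# .tmp files and .lck lock files. They are flagged, not hidden, so nothing is lost.
$NoisePatterns = @('\\~\$[^\\]+$', '\.tmp$', '\.lck$')

function Get-DeleteAuditEvents {
    param([int]$Hours, [string]$PathPrefix)

    $filter = @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="..."> nodes; turn it into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (-not ($mask -band $DELETE_MASK)) { return }     # Delete right not requested
        if (-not $data['ObjectName'].StartsWith($PathPrefix, 'OrdinalIgnoreCase')) { return }

        $isNoise = $false
        foreach ($p in $NoisePatterns) { if ($data['ObjectName'] -match $p) { $isNoise = $true } }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ObjectName  = $data['ObjectName']
            Process     = $data['ProcessName']
            AccessMask  = ('0x{0:X}' -f $mask)
            LikelyNoise = $isNoise
        }
    }
}

Get-DeleteAuditEvents -Hours $Hours -PathPrefix $PathPrefix |
    Sort-Object Time |
    Format-Table Time, User, ObjectName, Process, AccessMask, LikelyNoise -AutoSize
```

Event 4663 records that the Delete right was requested and granted; the deletion itself is confirmed by a separate event 4660, which carries no object name but shares the Handle ID with the preceding 4663, so the two can be correlated when a definitive answer is needed.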

In practice, I've also encountered malicious user behavior. For example, a conflicted employee of a certain company, upon dismissal from his job, decided to destroy all the results of his work by deleting the files and folders to which he was related. Events of this kind are clearly visible - they generate tens, hundreds of entries per second in the security log. Of course, recovering documents from Shadow Copies or a daily automatically created archive is not difficult, but at the same time I could answer the questions "Who did this?" and "When did this happen?"

Annotation: The final lecture gives closing recommendations on implementing technical means of protecting confidential information; the characteristics and operating principles of InfoWatch solutions are discussed in detail.

InfoWatch software solutions

The purpose of this course is not a detailed acquaintance with the technical details of how InfoWatch products work, so we will consider them from the technical-marketing side. InfoWatch products are based on two fundamental technologies: content filtering and auditing of user or administrator actions at the workplace. Integral parts of the complex InfoWatch solution are also a repository of information that has left the information system and a unified internal security management console.

Content filtering of information movement channels

The main distinguishing feature of InfoWatch content filtering is the use of a morphological kernel. Unlike traditional signature filtering, InfoWatch content filtering technology has two advantages: insensitivity to elementary encoding tricks (replacing one character with another) and higher performance. Since the kernel works not with words but with root forms, it automatically discards roots that contain mixed encodings. Also, working with roots, of which there are fewer than ten thousand in each language, rather than with word forms, of which there are about a million, gives significant results on rather low-performance hardware.

Audit of user actions

To monitor user actions with documents on a workstation, InfoWatch offers several interceptors combined in one agent on the workstation: interceptors for file operations, print operations, operations within applications, and operations with attached devices.

Repository of information that has left the information system through all channels

InfoWatch offers a repository of information that has left the information system. Documents that passed through any channel leading outside the system (e-mail, Internet, print and removable media) are saved in the *storage application (until 2007 the Traffic Monitor Storage Server) with all their attributes: name and position of the user, his electronic identifiers (IP address, account or mail address), date and time of the operation, and name and attributes of the documents. All information is available for analysis, including content analysis.

Associated actions

The introduction of technical means of protecting confidential information seems to be ineffective without the use of other methods, primarily organizational. We have already discussed some of them above. Now let's dwell in more detail on other necessary actions.

Behavior patterns of violators

Having deployed a system for monitoring actions with confidential information, it is possible, besides increasing its functionality and analytical capabilities, to develop in two more directions. The first is the integration of protection systems against internal and external threats. Incidents of recent years show a distribution of roles between internal and external attackers, and combining information from the monitoring systems for external and internal threats makes it possible to detect such combined attacks. One of the points of contact between external and internal security is the management of access rights, especially in the context of a simulated business need used to increase the rights of disloyal employees and saboteurs. Any request for access to resources not stipulated by official duties should immediately trigger a mechanism for auditing actions with this information. It is even safer to solve suddenly arising problems without opening access to the resources at all.

Let's take a real-life example. The system administrator received a request from the head of the marketing department to open access to the financial system. Attached as justification was an assignment from the general director for marketing research into the purchasing processes for the goods produced by the company. Since the financial system is one of the most protected resources and permission to access it is given by the CEO, the head of the information security department wrote an alternative solution on the request: do not grant access, but upload anonymized (without client names) data to a special database for analysis. In response to the objections of the chief marketer that it was inconvenient for him to work this way, the director asked him a direct question: "Why do you need the names of clients? Do you want to leak the database?" After that everyone went back to work. Whether this was an attempt to organize an information leak we will never know, but whatever it was, the corporate financial system was protected.

Preventing leaks during the preparation phase

Another direction in the development of a monitoring system for internal incidents with confidential information is the construction of a leak prevention system. Such a system works on the same algorithm as intrusion prevention solutions. First, a model of the intruder is built, from which a "violation signature" is formed, that is, a sequence of the intruder's actions. If several user actions coincide with the violation signature, the user's next step is predicted, and if it also matches the signature, an alarm is generated. For example, a confidential document was opened, part of it was selected and copied to the clipboard, then a new document was created and the clipboard contents pasted into it. The system assumes that if the new document is subsequently saved without the "confidential" label, this is an attempt at theft. The USB drive has not yet been inserted, no e-mail has been composed, and the system already informs the information security officer, who decides whether to stop the employee or track where the information goes. By the way, models (in other sources, "profiles") of the violator's behavior can be used not only by collecting information from software agents. If you analyze the nature of queries to the database, you can always identify an employee who, with a series of successive queries, is trying to obtain a specific slice of information. It is then necessary to trace immediately what he does with the results of these queries: whether he saves them, whether he connects removable media, and so on.
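The "violation signature" mechanism above amounts to matching an ordered sequence of predicates against each user's event stream and raising an alert one step before the predicted action. The script below is an added example and not part of the original lecture or of any InfoWatch product: the agent event stream, the field names (User, Action, Label, Doc) and the signature itself are constructed for illustration, and it shows per-user state tracking, which the description implies but does not spell out.

```powershell
# Added example (not from the original lecture): a minimal "violation signature"
# matcher over a constructed stream of workstation agent events.
# Field names and the signature are hypothetical; a real agent defines its own.

# Constructed sample events from one workstation agent, in time order
$events = @(
    [pscustomobject]@{ Time='09:01'; User='ivanov'; Action='OpenDocument';   Label='confidential'; Doc='Q3_forecast.docx' }
    [pscustomobject]@{ Time='09:02'; User='ivanov'; Action='ClipboardCopy';  Label='confidential'; Doc='Q3_forecast.docx' }
    [pscustomobject]@{ Time='09:03'; User='ivanov'; Action='NewDocument';    Label='';             Doc='Document1.docx' }
    [pscustomobject]@{ Time='09:03'; User='ivanov'; Action='ClipboardPaste'; Label='';             Doc='Document1.docx' }
    [pscustomobject]@{ Time='09:10'; User='petrov'; Action='OpenDocument';   Label='confidential'; Doc='salaries.xlsx' }
    [pscustomobject]@{ Time='09:11'; User='petrov'; Action='SaveDocument';   Label='confidential'; Doc='salaries.xlsx' }
)

# Signature: ordered steps, each a predicate on a single event
$signature = @(
    { param($e) $e.Action -eq 'OpenDocument'   -and $e.Label -eq 'confidential' },
    { param($e) $e.Action -eq 'ClipboardCopy'  -and $e.Label -eq 'confidential' },
    { param($e) $e.Action -eq 'NewDocument' },
    { param($e) $e.Action -eq 'ClipboardPaste' -and $e.Label -eq '' }
)
# The step the system predicts once every step above has matched
$predictedNext = 'SaveDocument without the confidential label'

function Find-SignatureMatches {
    param($Events, $Signature, [int]$AlertAfter)
    # Progress is tracked per user: each user's actions form a separate sequence.
    # Non-matching events are ignored rather than resetting progress, so that
    # unrelated activity in between does not hide the pattern.
    $progress = @{}
    foreach ($e in $Events) {
        if (-not $progress.ContainsKey($e.User)) { $progress[$e.User] = 0 }
        $step = $progress[$e.User]
        if ($step -lt $Signature.Count -and (& $Signature[$step] $e)) {
            $progress[$e.User] = ++$step
            if ($step -ge $AlertAfter) {
                [pscustomobject]@{ Time = $e.Time; User = $e.User; MatchedSteps = $step; Predicted = $predictedNext }
            }
        }
    }
}

# Alert as soon as all four steps have matched: nothing has left the machine yet,
# and the security officer can decide whether to stop the user or watch further.
Find-SignatureMatches -Events $events -Signature $signature -AlertAfter $signature.Count | Format-Table -AutoSize
```

On the constructed input, only ivanov completes the sequence (at 09:03), while petrov's save of a still-labelled document matches nothing; lowering -AlertAfter trades earlier warning for more false positives.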

Organization of information storage

The principles of anonymization and data encryption are a prerequisite for organizing storage and processing, and remote access can be organized via a terminal protocol, so that no information is left on the computer from which the request is made.

Integration with authentication systems

Sooner or later, the customer will have to use a system for monitoring actions with confidential documents to resolve personnel issues, for example dismissing employees based on facts documented by this system, or even prosecuting those who leaked. However, all that the monitoring system can give is the electronic identifier of the intruder: the IP address, account, e-mail address and so on. In order to legally accuse an employee, this identifier must be bound to a person. Here a new market opens up for the integrator: the introduction of authentication systems, from simple tokens to advanced biometrics and RFID identifiers.

To audit access to files and folders in Windows Server 2008 R2, you must enable the auditing function and specify the folders and files for which access should be recorded. After auditing is configured, the server log will contain information about access and other events for the selected files and folders. Note that auditing of access to files and folders can be performed only on volumes with the NTFS file system.

How to enable auditing for file system objects in Windows Server 2008 R2

Auditing of access to files and folders is enabled and disabled using group policies: domain policies for an Active Directory domain or local security policies for stand-alone servers. To enable auditing on a stand-alone server, open the Local Security Policy console: Start -> All Programs -> Administrative Tools -> Local Security Policy. In the local policy console, expand the Local Policies tree and select the Audit Policy item.

In the right pane, select the Audit Object Access item and in the window that appears specify which types of file and folder access events should be recorded (successful / failed access):


After selecting the required setting, press OK.

Selecting files and folders, access to which will be recorded

After auditing of access to files and folders has been activated, you need to select the specific file system objects whose access will be audited. Just like NTFS permissions, audit settings are inherited by default by all child objects (unless configured otherwise). As when assigning permissions to files and folders, inheritance of audit settings can be enabled for all objects or only for selected ones.

To configure auditing for a specific folder or file, right-click on it and select Properties. In the properties window, go to the Security tab and press the Advanced button. In the Advanced Security Settings window go to the Auditing tab. Setting up auditing naturally requires administrator rights. At this stage the audit window displays the list of users and groups for which auditing is enabled for this resource:

To add users or groups whose access to this object will be recorded, press the Add... button and specify the names of these users or groups (or specify Everyone to audit the access of all users):

Immediately after these settings are applied, corresponding entries will appear in the Security log (found in the Computer Management -> Event Viewer snap-in) each time objects with auditing enabled are accessed.

Alternatively, events can be viewed and filtered with the PowerShell cmdlet Get-EventLog. For example, to display all events with Event ID 4660, run the command:

Get-EventLog Security | ? { $_.EventID -eq 4660 }

Tip. For any event in the Windows event log you can assign specific actions, such as sending an e-mail or running a script. How this is configured is described in the article:

UPD from 06/08/2012 (Thanks to the commentator).

In Windows 2008 / Windows 7 a dedicated utility for managing auditing appeared: auditpol. The full list of object types for which auditing can be enabled can be seen with the command:

auditpol /list /subcategory:*

As you can see, these objects are divided into 9 categories:

  • System
  • Logon / Logoff
  • Object Access
  • Privilege Use
  • Detailed tracking
  • Policy Change
  • Account Management
  • DS Access
  • Account Logon

Each of them, in turn, is divided into subcategories. For example, the Object Access audit category includes the File System subcategory, and to enable auditing of file system objects on the computer, run the command:

auditpol /set /subcategory:"File System" /failure:enable /success:enable

It is turned off, correspondingly, with the command:

auditpol /set /subcategory:"File System" /failure:disable /success:disable

That is, if you turn off auditing of unnecessary subcategories, you can significantly reduce the size of the log and the number of irrelevant events.

After auditing of access to files and folders has been activated, you need to specify the particular objects to be controlled (in the properties of the files and folders). Keep in mind that by default audit settings are inherited by all child objects (unless otherwise specified).
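The advice to switch off unnecessary subcategories is easier to follow when the current state is visible first. The script below is an added example, not part of the original article: it parses the CSV report that auditpol /get /r produces for the Object Access category, lists which subcategories are enabled, and, only when run with -Apply, enables File System and disables the other Object Access subcategories that are currently generating events. Without -Apply it just reports what it would change.

```powershell
# Added example (not from the original article): report the Object Access audit
# subcategories and optionally keep only File System enabled, as the text suggests
# for keeping the Security log manageable. Requires an elevated prompt on
# Windows 2008 / Windows 7 or later, where auditpol.exe is available.

param([switch]$Apply)   # without -Apply nothing is changed, only reported

function Get-ObjectAccessAuditState {
    # "auditpol /get ... /r" prints a CSV report with, among others, the columns
    # "Subcategory" and "Inclusion Setting" ("Success and Failure", "No Auditing", ...)
    auditpol /get /category:"Object Access" /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory.Trim()
                Setting     = $_.'Inclusion Setting'
                Enabled     = $_.'Inclusion Setting' -ne 'No Auditing'
            }
        }
}

function Set-FileSystemAuditOnly {
    param([string[]]$Keep = @('File System'), [switch]$Apply)
    foreach ($sub in Get-ObjectAccessAuditState) {
        if ($Keep -contains $sub.Subcategory) {
            $action = 'enable'
        } elseif ($sub.Enabled) {
            $action = 'disable'      # only adds volume to the log for our question
        } else {
            continue                 # already off, nothing to do
        }
        if ($Apply) {
            auditpol /set /subcategory:"$($sub.Subcategory)" "/success:$action" "/failure:$action" | Out-Null
        } else {
            "Would $action auditing for subcategory '$($sub.Subcategory)'"
        }
    }
}

Set-FileSystemAuditOnly -Apply:$Apply
Get-ObjectAccessAuditState | Format-Table -AutoSize
```

On Windows Vista/2008 and later, subcategory settings made with auditpol take precedence over the legacy Audit object access category policy only when the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled; otherwise a Group Policy refresh of the category policy can overwrite them.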

Research by companies engaged in information security analysis confirms the need to implement systems for auditing user actions in organizations of any size.

A study by Kaspersky Lab, for example, showed that two thirds of cybersecurity incidents (67%) are caused, among other things, by the actions of poorly informed or inattentive employees. At the same time, according to ESET research, 84% of companies underestimate the risks associated with human factors.

Defending against threats associated with the user "from within" is harder than defending against external threats. To counter "pests" from the outside, including viruses and targeted attacks on the organization's network, it is enough to deploy the appropriate software or hardware-software complex. Protecting an organization from an internal attacker requires more investment in security infrastructure and deeper analysis. The analytical work includes identifying the types of threats most critical for the business and drawing up "portraits of violators", that is, determining what damage a user can cause given his competencies and powers.

The audit of user actions is inextricably linked not only with understanding which "gaps" in the information security system need to be closed quickly, but also with the sustainability of the business as a whole. Businesses committed to business continuity should take into account that as informatization and business automation grow in scale and complexity, the number of internal threats only grows.

In addition to tracking the actions of ordinary employees, it is necessary to audit the operations of "super-users", that is, employees with privileged rights and, accordingly, more opportunities to accidentally or deliberately realize the threat of an information leak. These users include system administrators, database administrators and firmware developers. IT specialists involved in support and employees in charge of information security can also be added here.

The introduction of a system for monitoring user actions in the company makes it possible to record and promptly respond to employee activity. Important: the audit system must be inclusive. This means that information about the activities of an ordinary employee, a system administrator or a top manager needs to be analyzed at the level of the operating system, the use of business applications, network devices, database calls, external media connections, and so on.

Modern comprehensive audit systems make it possible to control all stages of user actions from startup to shutdown of the PC (terminal workstation). In practice, however, total control is avoided. If all operations are recorded in the audit logs, the load on the organization's information infrastructure increases many times over: workstations "hang", servers and channels run at full load. Paranoia about information security can hurt a business by significantly slowing down work processes.

A competent information security specialist primarily determines:

  • what data in the company is most valuable, since most of the internal threats will be associated with it;
  • who and at what level can have access to valuable data, that is, outlines the circle of potential violators;
  • to what extent the current protection measures are able to withstand intentional and / or accidental actions of users.

For example, cybersecurity specialists in the financial sector consider the threats of payment data leakage and access abuse the most dangerous. In the industrial and transport sectors, the greatest fears are know-how leaks and disloyal workers. There are similar concerns in the IT and telecommunications business, where the most critical threats are leakage of proprietary developments, trade secrets and payment information.

AS THE MOST LIKELY "TYPICAL" VIOLATORS, ANALYSTS IDENTIFY:

  • Top management: the choice is obvious; they have the broadest possible powers and access to the most valuable information. At the same time, those responsible for security often turn a blind eye to violations of information security rules by such figures.
  • Disloyal employees: to determine the degree of loyalty, the company's information security specialists should analyze the actions of the individual employee.
  • Administrators: professionals with privileged access and advanced privileges, who have deep IT knowledge, are tempted to obtain unauthorized access to important information.
  • Contractor / outsourcing employees: like administrators, experts "from the outside" with broad knowledge can realize various threats while "inside" the customer's information system.

Determining the most significant information and the most probable intruders helps to build a system of selective rather than total control of users. This "unloads" the information system and relieves information security specialists of redundant work.

In addition to selective monitoring, the architecture of audit systems plays a significant role in speeding up the system, improving the quality of analysis and reducing the load on the infrastructure. Modern systems for auditing user actions have a distributed structure. Sensor agents installed on end workstations and servers analyze events of a certain type and transmit the data to consolidation and storage centers. Analysis systems, based on the parameters configured in the system, find in the audit logs facts of suspicious or anomalous activity that cannot immediately be attributed to an attempt to realize a threat. These facts are transmitted to the response system, which notifies the security administrator of the violation.

If the audit system is able to cope with a violation on its own (such information security complexes usually provide a signature method of responding to a threat), the violation is suppressed automatically, and all the necessary information about the intruder, his actions and the object of the threat is placed in a special database. In this case the security administrator's console reports that the threat has been neutralized.

If the system has no means of automatically responding to suspicious activity, all the information needed to neutralize the threat or analyze its consequences is transmitted to the information security administrator's console for manual handling.

IN THE MONITORING SYSTEM OF ANY ORGANIZATION, THE FOLLOWING OPERATIONS SHOULD BE SET UP:

Audit of the use of workstations and servers, as well as of the time (by hours and days of the week) of the user's activity on them. In this way the appropriateness of the use of information resources is established.