To audit access to files and folders in Windows Server 2008 R2, you must enable the audit function, and also specify the folders and files to which access should be recorded. After setting up auditing, the server log will contain information about access and other events on selected files and folders. It is worth noting that auditing of access to files and folders can only be carried out on volumes with the NTFS file system.

Enable auditing of file system objects in Windows Server 2008 R2

Access auditing for files and folders is enabled and disabled using group policies: the domain policy for an Active Directory domain, or the local security policy for stand-alone servers. To enable auditing on an individual server, open the Local Security Policy console: Start -> All Programs -> Administrative Tools -> Local Security Policy. In the console, expand the Local Policies tree and select Audit Policy.

In the right pane, select Audit Object Access and, in the window that opens, specify which types of access events to files and folders should be recorded (successful and/or failed access):


After selecting the necessary settings, click OK.

Selecting files and folders to which access will be recorded

After access auditing is enabled, you need to select the specific file system objects whose access will be audited. Just like NTFS permissions, audit settings are by default inherited by all child objects (unless configured otherwise). As when assigning access rights to files and folders, inheritance of audit settings can be enabled for all or only for selected objects.

To set up auditing for a specific folder or file, right-click it and select Properties. In the properties window, go to the Security tab and click Advanced. In the Advanced Security Settings window, go to the Auditing tab. Configuring auditing, naturally, requires administrator rights. At this stage the audit window displays the list of users and groups for which auditing is enabled for this resource:

To add users or groups whose access to this object will be recorded, click Add… and specify the names of these users/groups (or specify Everyone to audit access by all users):

Immediately after applying these settings, each time an object for which auditing is enabled is accessed, corresponding entries will appear in the Security log (Computer Management -> Event Viewer).

Alternatively, events can be viewed and filtered using the PowerShell cmdlet Get-EventLog. For example, to display all events with event ID 4660, run the command:

Get-EventLog Security | ? { $_.EventID -eq 4660 }

Tip. Specific actions, such as sending an e-mail or running a script, can be attached to any event in the Windows log. How to configure this is described in the article:

UPD from 06.08.2012 (Thanks to the commentator).

In Windows Server 2008 / Windows 7, a dedicated utility for managing auditing, auditpol, was introduced. A complete list of object types for which auditing can be enabled can be obtained with the command:

Auditpol /list /subcategory:*

As you can see, these objects are divided into 9 categories:

  • System
  • Logon/Logoff
  • Object Access
  • Privilege Use
  • Detailed Tracking
  • Policy Change
  • Account Management
  • DS Access
  • Account Logon

Each of them, in turn, is divided into subcategories. For example, the Object Access category includes the File System subcategory; to enable auditing for file system objects on the computer, run the command:

Auditpol /set /subcategory:"File System" /failure:enable /success:enable

It is disabled accordingly with the command:

Auditpol /set /subcategory:"File System" /failure:disable /success:disable

That is, by disabling auditing of unnecessary subcategories you can significantly reduce the log volume and the number of irrelevant events.

After auditing access to files and folders is activated, you need to specify the specific objects that we will monitor (in the properties of files and folders). Keep in mind that by default, audit settings are inherited to all child objects (unless otherwise specified).

Sometimes events occur that require us to answer the question "who did it?". This happens "rarely, but painfully", so it is worth preparing the answer to that question in advance.

Almost everywhere there are design departments, accounting departments, developers and other categories of employees working together on groups of documents stored in a shared folder on a file server or on one of the workstations. It may happen that someone deletes an important document or directory from this folder, as a result of which the work of an entire team may be lost. In this case the system administrator faces several questions:

    When, and at what time, did the problem occur?

    Which backup copy, closest to that time, should the data be restored from?

    Was there perhaps a system failure that could happen again?

Windows has an Audit subsystem that tracks and logs when, by whom and with which program documents were deleted. By default, auditing is not enabled: tracking itself consumes a certain share of system resources, and if everything is recorded the load becomes too high. Moreover, not all user actions are of interest, so audit policies allow tracking only of those events that really matter to us.

The Audit subsystem is built into all Microsoft Windows NT-family operating systems: Windows XP/Vista/7, Windows Server 2000/2003/2008. Unfortunately, in the Home editions of Windows auditing is hidden deep and is too difficult to configure.

What needs to be configured?

To enable auditing, log on with administrator rights to the computer that hosts the shared documents and run Start → Run → gpedit.msc. In the Computer Configuration section, expand Windows Settings → Security Settings → Local Policies → Audit Policy:

Double-click the Audit object access policy and tick the Success checkbox. This setting enables tracking of successful access to files and the registry; indeed, we are only interested in successful attempts to delete files or folders. Enable auditing only on computers where the monitored objects are actually stored.

Simply enabling the audit policy is not enough; we must also specify which folders to monitor. Typically these are shared document folders and folders with production programs or databases (accounting, warehouse, etc.), that is, resources that several people work with.

It is impossible to guess in advance who exactly will delete a file, so tracking is configured for Everyone; successful attempts by any user to delete monitored objects will be logged. Open the properties of the required folder (if there are several such folders, each of them in turn) and on the Security → Advanced → Auditing tab add an audit entry for the principal Everyone covering successful Delete and Delete Subfolders and Files access attempts:


Quite a lot of events can be logged, so you should also adjust the size of the Security log in which they are recorded. To do this, run Start → Run → eventvwr.msc. In the window that opens, open the properties of the Security log and set the following parameters:

    Maximum Log Size = 65536 KB (for workstations) or 262144 KB (for servers)

    Overwrite events as needed.

In practice, the figures given are not guaranteed to be right; they are selected empirically for each specific case.
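The three steps above (enable the policy, put the audit entry for Everyone on the folder, size the Security log) can be done without the GUI. The following PowerShell script is an added example, not code from the original article: it uses auditpol as shown on this page, the .NET FileSystemAuditRule class with Get-Acl/Set-Acl for the folder's SACL, and Limit-EventLog for the log size. The folder path in $SharedFolder is an assumed value; run it from an elevated PowerShell on the file server.

```powershell
# Added example (not from the original article). Run elevated on the computer
# that stores the monitored folder. $SharedFolder is an assumption; adjust it.
$SharedFolder = 'D:\Shared\Docs'

# 1. Enable success auditing for the "File System" subcategory. This is the
#    auditpol equivalent of ticking "Success" on "Audit object access".
auditpol /set /subcategory:"File System" /success:enable /failure:disable
auditpol /get /subcategory:"File System"   # verify the setting took effect

# 2. Add the SACL entry: Everyone, Delete + Delete Subfolders and Files,
#    inherited by subfolders and files, successful attempts only.
#    Get-Acl needs -Audit to read the SACL; writing it requires
#    SeSecurityPrivilege, which an elevated administrator has.
$ruleArgs = @(
    'Everyone',
    'Delete, DeleteSubdirectoriesAndFiles',   # the two rights from the article
    'ContainerInherit, ObjectInherit',        # inherit to child folders and files
    'None',                                   # propagation flags
    'Success'                                 # audit successful access only
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $ruleArgs
$acl = Get-Acl -Path $SharedFolder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharedFolder -AclObject $acl

# Sanity check: list the audit entries now present on the folder
(Get-Acl -Path $SharedFolder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 3. Size the Security log and allow overwriting. The article suggests
#    65536 KB for workstations and 262144 KB (256 MB) for servers; the size
#    must be a multiple of 64 KB.
Limit-EventLog -LogName Security -MaximumSize 256MB -OverflowAction OverwriteAsNeeded
```

Because the audit rule is added with AddAuditRule rather than replacing the SACL, any entries already configured through the GUI are preserved; run the sanity-check line before and after to compare.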

So, who deleted the documents (Windows 2003/XP)?

Click Start → Run → eventvwr.msc and open the Security log. Select View → Filter and filter the view by the following criteria:

  • Event Source:Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 560;


Browse the list of filtered events, paying attention to the following fields within each entry:

  • ObjectName. The name of the folder or file you are looking for;
  • ImageFileName. The name of the program that deleted the file;
  • Accesses. The set of rights requested.

A program can request several types of access from the system at once, for example Delete + Synchronize or Delete + READ_CONTROL. The right that matters to us is Delete.


So, who deleted the documents (Windows 2008/ Vista)?

Click Start → Run → eventvwr.msc and open the Security log for viewing. The log may be full of events not directly related to the problem. Right-click the Security log, select View → Filter and filter the view by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 4663;
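The same filtering can be scripted, which also answers the earlier note about filtering by event ID from PowerShell. The script below is an added example, not code from the original article: it reads event 4663 from the Security log with Get-WinEvent (Vista/2008 and later), extracts the ObjectName, process and access fields the text asks you to look at, and keeps only entries whose access mask includes the DELETE right. The folder path and the look-back window are assumptions.

```powershell
# Added example (not from the original article). Run elevated on the computer
# where auditing was enabled. $MonitoredPath and $Hours are assumptions.
$MonitoredPath = 'D:\Shared\Docs'
$Hours         = 24

# DELETE is bit 0x10000 of the access mask reported in event 4663. The raw
# AccessList field holds resource-string placeholders (e.g. %%1537), so the
# numeric mask is the reliable thing to test.
$DELETE = 0x10000

$filter = @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    # The event XML carries named EventData fields; build a name -> value table
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $mask = [int]$data['AccessMask']                       # e.g. "0x10000"
    if (($mask -band $DELETE) -eq 0) { return }            # not a delete: skip
    if ($data['ObjectName'] -notlike "$MonitoredPath*") { return }

    New-Object PSObject -Property @{
        Time       = $_.TimeCreated
        User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectName = $data['ObjectName']
        Process    = $data['ProcessName']                  # program that deleted it
        AccessMask = ('0x{0:X}' -f $mask)
    }
  } |
  Sort-Object Time |
  Format-Table Time, User, ObjectName, Process, AccessMask -AutoSize
```

Reading the Process column alongside ObjectName is what separates an Office temporary-file cycle or a database .lck file from a person deleting documents by hand: a burst of entries from explorer.exe or cmd.exe across many files in a short time is the pattern to investigate, while WINWORD.EXE deleting its own ~$ temporary files is routine.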

Do not rush to interpret every deletion as malicious. This function is often used during the normal operation of programs: for example, when executing the Save command, Microsoft Office applications first create a new temporary file, save the document into it and then delete the previous version of the file. Likewise, many database applications create a temporary lock file (.lck) at startup and delete it when the program exits.

I have had to deal with malicious actions of users in practice. For example, a conflicted employee of a certain company, upon leaving his job, decided to destroy all the results of his work, deleting files and folders to which he was related. Events of this kind are clearly visible - they generate tens, hundreds of entries per second in the security log. Of course, restoring documents from Shadow Copies or a daily automatically created archive is not particularly difficult, but at the same time I could answer the questions "Who did it?" and "When did this happen?"

Victor Chutov
Project Manager INFORMSVYAZ HOLDING

Prerequisites for system implementation

The first publicly available global study of insider threats, launched in 2007 by the information security company InfoWatch (based on 2006 results), showed that internal threats are no less common (56.5%) than external ones (malware, spam, hacker actions, etc.). Moreover, in the overwhelming majority of cases (77%) the cause of an internal threat being realized is the negligence of the users themselves (failure to follow job descriptions or neglect of basic information security measures).

The dynamics of the situation over the period 2006-2008 are shown in Fig. 1.

The relative decrease in the share of leaks due to negligence is explained by the partial deployment of information leak prevention systems (including systems for monitoring user actions), which provide a sufficiently high degree of protection against accidental leaks, and by the absolute increase in the number of deliberate thefts of personal data.

Despite the change in statistics, we can still say with confidence that the priority task is combating unintentional information leaks, since countering such leaks is easier and cheaper, and as a result most incidents are covered.

At the same time, employee negligence, according to an analysis of research by InfoWatch and Perimetrix for 2004-2008, ranks second among the most dangerous threats (summarized results are presented in Fig. 2), and its relevance continues to grow along with the improvement of the software and hardware of enterprise automated systems (AS).

Thus, deploying systems that eliminate the possibility of an employee negatively affecting information security in the enterprise AS (including monitoring programs), and that provide the information security service with an evidence base and materials for investigating incidents, will eliminate the threat of leaks due to negligence, significantly reduce accidental leaks and slightly reduce intentional ones. Ultimately, this measure should make it possible to significantly reduce the realization of threats from internal violators.

Modern automated system for auditing user actions. Advantages and disadvantages

Automated systems for auditing (monitoring) user actions in an AS (ASADP), often called monitoring software products, are intended for use by AS security administrators (the organization's information security service) to ensure its observability: "a property of a computing system that allows user activity to be recorded and the identifiers of users involved in particular events to be uniquely established, in order to prevent violations of the security policy and/or to ensure accountability for particular actions."

The observability property of the AS, depending on the quality of its implementation, allows, to one degree or another, to control the observance by the organization’s employees of its security policy and the established rules for safe work on computers.

Application of monitoring software products, including in real time, is intended to:

  • identify (localize) all cases of unauthorized attempts to access confidential information, with an exact indication of the time and the network workstation from which the attempt was made;
  • identify facts of unauthorized installation of software;
  • identify all cases of unauthorized use of additional hardware (for example, modems, printers, etc.) by analyzing launches of specialized applications installed without authorization;
  • identify all cases of typing critical words and phrases on the keyboard and of preparing critical documents whose transfer to third parties would lead to material damage;
  • control access to servers and personal computers;
  • control contacts made while browsing the Internet;
  • conduct research related to determining the accuracy, efficiency and adequacy of personnel response to external influences;
  • determine the load on the organization's computer workstations (by time of day, by day of the week, etc.) for the purpose of scientific organization of user labor;
  • monitor cases of personal computer use outside working hours and identify the purpose of such use;
  • receive the necessary reliable information on the basis of which decisions are made to adjust and improve the organization's information security policy, etc.

The implementation of these functions is achieved by introducing agent modules (sensors) onto AS workstations and servers with further status polling or receiving reports from them. Reports are processed in the Security Administrator Console. Some systems are equipped with intermediate servers (consolidation points) that process their own areas and security groups.

A systematic analysis of the solutions available on the market (StatWin, Tivoli Configuration Manager, Tivoli Remote Control, OpenView Operations, "Uryadnik/Enterprise Guard", Insider) made it possible to identify a number of specific properties which, if given to a prospective ASADP, would improve its performance indicators compared with the samples studied.

In general, despite fairly broad functionality and a large set of options, existing systems can track the activity of individual AS users only on the basis of mandatory cyclic polling (scanning) of all specified AS elements (primarily user workstations).

At the same time, the distribution and scale of modern systems, which include a fairly large number of workstations, technologies and software, significantly complicate the monitoring of user work; each network device is capable of generating thousands of audit messages, adding up to quite large volumes of information that require maintaining huge, often duplicated databases. These tools also consume significant network and hardware resources and load the shared system. They turn out to be inflexible with respect to hardware and software reconfiguration of computer networks, are unable to adapt to unknown types of disturbances and network attacks, and the effectiveness of their detection of security policy violations depends largely on how often the security administrator scans the AS elements.

One way to improve the efficiency of these systems is simply to increase the scanning frequency. This inevitably reduces the efficiency with which the AS performs the main tasks it is actually intended for, because of a significant increase in the computing load on both the administrator's workstation and user workstations, as well as growth of traffic on the AS local network.

In addition to the problems associated with analyzing large amounts of data, existing monitoring systems have serious limitations in the efficiency and accuracy of decisions made, caused by the human factor determined by the physical capabilities of the administrator as a human operator.

The presence in existing monitoring systems of the ability to notify about obvious unauthorized actions of users in real time does not fundamentally solve the problem as a whole, since it allows tracking only previously known types of violations (signature method), and is not able to counteract new types of violations.

The development and use of extensive methods of ensuring information security, which raise the level of protection by "taking away" additional computing resources from the AS, reduce the ability of the AS to solve the tasks it is intended for and/or increase its cost. The failure of this approach in the rapidly developing IT market is quite obvious.

Automated system for auditing (monitoring) user actions. Promising properties

From the analysis results presented above follows the obvious need to give prospective monitoring systems the following properties:

  • automation, eliminating routine “manual” operations;
  • a combination of centralization (based on an automated security administrator workstation) with management at the level of individual elements (intelligent computer programs) of the system for monitoring the work of AS users;
  • scalability, which allows for increasing the capacity of monitoring systems and expanding their capabilities without a significant increase in the computing resources required for their effective functioning;
  • adaptability to changes in the composition and characteristics of the AS, as well as to the emergence of new types of security policy violations.

The generalized structure of an ASADP AS with the distinctive features noted, which can be implemented in AS of various purposes and affiliations, is shown in Fig. 3.

The given structure includes the following main components:

  • software components-sensors placed on some AS elements (on user workstations, servers, network equipment, information security tools), used to record and process audit data in real time;
  • registration files containing intermediate information about user work;
  • data processing and decision-making components that receive information from sensors through registration files, analyze it and make decisions on further actions (for example, entering some information into a database, notifying officials, creating reports, etc.);
  • an audit database (DB) containing information about all registered events, on the basis of which reports are created and the state of the AS is monitored for any specified period of time;
  • components for generating reports and certificates based on information recorded in the audit database and filtering records (by date, by user IDs, by workstation, by security events, etc.);
  • a security administrator interface component, which serves to control the operation of the ASADP AS from the administrator's workstation, view and print information, create various types of queries to the database and generate reports, allowing real-time monitoring of the current activity of AS users and assessment of the current level of security of various resources;
  • additional components, in particular software components for configuring the system, installing and placing sensors, archiving and encrypting information, etc.

Information processing in ASADP AS includes the following stages:

  • recording registration information by sensors;
  • collecting information from individual sensors;
  • exchange of information between relevant system agents;
  • processing, analysis and correlation of registered events;
  • presentation of processed information to the security administrator in a normalized form (in the form of reports, charts, etc.).

In order to minimize the required computing resources and increase the stealth and reliability of the system, information can be stored on various AS elements.

Given the task of giving the ASADP AS fundamentally new (compared with existing systems for auditing the work of AS users) properties of automation, a combination of centralization and decentralization, scalability and adaptability, one possible strategy for its construction is the modern technology of intelligent multi-agent systems, implemented by developing an integrated community of agents of various types (intelligent autonomous programs that implement particular functions for detecting and countering user actions that contradict the security policy) and organizing their interaction.

Abstract: The final lecture gives concluding recommendations for implementing technical means of protecting confidential information; the characteristics and operating principles of InfoWatch solutions are discussed in detail.

InfoWatch software solutions

The purpose of this course is not a detailed acquaintance with the technical details of how InfoWatch products work, so let us look at them from the technical marketing side. InfoWatch products are based on two fundamental technologies: content filtering and auditing of user or administrator actions in the workplace. The comprehensive InfoWatch solution also includes a repository of information that has left the information system and a unified internal security management console.

Content filtering of information flow channels

The main distinctive feature of InfoWatch content filtering is the use of a morphological kernel. Unlike traditional signature filtering, InfoWatch content filtering technology has two advantages: insensitivity to elementary encoding (replacing some characters with others) and higher performance. Since the kernel works not with words but with root forms, it automatically discards roots containing mixed encodings. Also, working with roots, of which there are fewer than ten thousand in each language, rather than with word forms, of which there are about a million, makes it possible to show significant results on rather weak hardware.

Audit of user actions

To monitor user actions with documents on a workstation, InfoWatch offers several interceptors in one agent on the workstation - interceptors for file operations, print operations, operations within applications, and operations with attached devices.

A repository of information that has left the information system through all channels

InfoWatch offers a repository of information that has left the information system. Documents passed through all channels leading outside the system (e-mail, Internet, printing and removable media) are stored in the *storage application (until 2007, the Traffic Monitor Storage Server module) with all their attributes: the user's full name and position, his electronic projections (IP address, account or e-mail address), the date and time of the transaction, and the name and attributes of the document. All information is available for analysis, including content analysis.

Related Actions

The introduction of technical means of protecting confidential information seems ineffective without the use of other methods, primarily organizational ones. We have already discussed some of them above. Now let's take a closer look at other necessary actions.

Patterns of behavior of violators

By deploying a system for monitoring actions with confidential information, in addition to increasing functionality and analytical capabilities, you can develop in two more directions. The first is the integration of protection systems against internal and external threats. Incidents in recent years show that roles are distributed between internal and external attackers, and combining information from external and internal threat monitoring systems makes it possible to detect such combined attacks. One of the points of contact between external and internal security is the management of access rights, especially when disloyal employees or saboteurs feign a business need to increase their rights. Any request for access to resources beyond the scope of official duties must immediately trigger a mechanism for auditing the actions performed with that information. It is even safer to solve problems that suddenly arise without opening access to resources at all.

Let us give a real-life example. The system administrator received a request from the head of the marketing department to open access to the financial system. As justification, an assignment from the general director was attached for marketing research into the purchasing of goods produced by the company. Since the financial system is one of the most protected resources and permission to access it is given by the general director, the head of the information security department wrote an alternative solution on the request: not to grant access, but to export anonymized (without client names) data into a separate database for analysis. In response to the objections of the chief marketer that it was inconvenient for him to work this way, the director asked him point-blank: "Why do you need the clients' names - do you want to leak the database?", after which everyone went back to work. Whether this was an attempt to leak information we will never know, but whatever it was, the corporate financial system was protected.

Preventing leaks during preparation

Another direction for developing a system for monitoring internal incidents with confidential information is building a leak prevention system. The operating algorithm of such a system is the same as in intrusion prevention solutions. First, a model of the intruder is built, and a "violation signature" is formed from it, that is, the sequence of the intruder's actions. If several user actions coincide with the violation signature, the user's next step is predicted, and if it also matches the signature, an alarm is raised. For example, a confidential document was opened, part of it was selected and copied to the clipboard, then a new document was created and the clipboard contents were pasted into it. The system assumes: if the new document is then saved without the "confidential" label, this is an attempt to steal. The USB drive has not yet been inserted and the e-mail has not been composed, but the system already informs the information security officer, who decides whether to stop the employee or to track where the information goes. Incidentally, models (in other sources, "profiles") of offender behavior can be built not only from information collected by software agents. By analyzing the nature of queries to a database, you can always identify an employee who, through a series of sequential queries, is trying to obtain a specific piece of information. It is then necessary to monitor immediately what he does with the results of these queries: whether he saves them, whether he connects removable storage media, etc.
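The "violation signature" matching just described, as an added example that is not part of the original lecture and not InfoWatch's code. The signature (an ordered list of action names), the agent events and the notification threshold are all constructed for illustration; a real system would receive the events from workstation agents. The function advances each user along the signature only when the next expected action arrives (other actions in between are ignored), reports WATCH with the predicted next step once the threshold is reached, and ALARM when the whole sequence has matched.

```powershell
# Added example (not from the original lecture). Signature, events and
# threshold are constructed for illustration.
$Signature = @('OpenConfidential', 'CopyToClipboard',
               'NewDocument', 'PasteFromClipboard', 'SaveWithoutLabel')
$WarnAfter = 3   # matched steps after which the security officer is notified

# Constructed agent events in time order (user, action)
$Events = @(
    @{ User = 'alice'; Action = 'OpenConfidential'   },
    @{ User = 'bob';   Action = 'OpenConfidential'   },
    @{ User = 'alice'; Action = 'CopyToClipboard'    },
    @{ User = 'alice'; Action = 'NewDocument'        },
    @{ User = 'bob';   Action = 'SaveWithoutLabel'   },   # out of order for bob: ignored
    @{ User = 'alice'; Action = 'PasteFromClipboard' },
    @{ User = 'alice'; Action = 'SaveWithoutLabel'   }
)

function Get-SignatureMatches {
    param([array]$Events, [string[]]$Signature, [int]$WarnAfter)
    $progress = @{}   # user -> number of signature steps matched so far, in order
    foreach ($e in $Events) {
        $u = $e.User
        if (-not $progress.ContainsKey($u)) { $progress[$u] = 0 }
        $p = $progress[$u]
        # advance only when this action is the next expected step of the signature
        if ($p -lt $Signature.Count -and $e.Action -eq $Signature[$p]) {
            $p++
            $progress[$u] = $p
            if ($p -eq $Signature.Count) {
                # full sequence observed: raise the alarm
                New-Object PSObject -Property @{ User = $u; Matched = $p; Status = 'ALARM'; Next = '-' }
            } elseif ($p -ge $WarnAfter) {
                # partial match: predict the next step and notify the officer
                New-Object PSObject -Property @{ User = $u; Matched = $p; Status = 'WATCH'; Next = $Signature[$p] }
            }
        }
    }
}

Get-SignatureMatches -Events $Events -Signature $Signature -WarnAfter $WarnAfter |
    Format-Table User, Matched, Status, Next -AutoSize
```

With the constructed events, alice produces two WATCH rows (predicting PasteFromClipboard and then SaveWithoutLabel) followed by ALARM, while bob never gets past the first step because SaveWithoutLabel is not the action expected after OpenConfidential. Which rows are acted on (stopping the user versus silently tracking where the data goes) remains the officer's decision, as the text describes.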

Organization of information storage

Anonymization and encryption of data are a prerequisite for organizing storage and processing, and remote access can be organized over a terminal protocol, leaving no information on the computer from which the request is made.

Integration with authentication systems

Sooner or later, the customer will have to use a system for monitoring actions with confidential documents to resolve personnel issues, for example dismissing employees based on facts documented by this system or even prosecuting those who leaked information. However, all that the monitoring system can provide is the offender's electronic identifier: IP address, account, e-mail address, etc. In order to accuse an employee legally, this identifier must be linked to an individual. Here a new market opens up for the integrator: the implementation of authentication systems, from simple tokens to advanced biometrics and RFID identifiers.