Article created 2003-05-12 by Rainer Gerhards.
Creating a hardened log host
A hardened log host is a system that is especially configured to prevent malicious users from modifying any log data stored inside it. A hardened log host is especially useful if tampering with log data is to be avoided. Setting up a proper hardened host can definitely help if evidence for crime investigation is needed.
It is beyond the scope of this document to describe all steps necessary to set up a fully hardened log host that can be used in forensic log analysis – but this guide should be a good starting point.
Please note that this Step-By-Step guide does not go into the same detail as most of the others. Most importantly, screen shots are more or less missing. We highly recommend checking with other security sources as well as your local authorities as security needs change quickly. We are focussing on Windows 2000 in this guide, as it at the time of this writing is the most common platform for creating a secure central log server with Adiscon products.
If you have a Windows 2000 machine installed with the default setup, there are a number of essential steps to do before moving it into production:
- Ensure physical security of the machine. A malicious person with physical access to the machine can overcome any software limitation!
- Uninstall Internet Information Server (IIS) – there are many issues associated with IIS and it will definitely introduce a security weakness when left on the machine. Make sure you uninstall it – it is installed by default.
- For the same reason, do not install any other web server – there are too many vulnerabilities in all products and the HTTP protocol itself (this is not a popular opinion but one proved in reality).
- Rename your “Administrator” account. Give it a name that is not related to administrative functions. “Admin”, “Supervisor” or “root” would be bad names – “Tom” or “Jerry” would be good ones. Take a note of the new admin account name!
- Be sure to use a strong password for the administrator account – one with at least 8 characters and consisting of numeric, alphabetic and special characters.
- Create a backup administrator account with a good name and password – as above. Be sure to store the name and password in a safe. We too often have seen highly secured system looking out their legal owners – be sure to have a backup!
- Be sure to apply the latest service pack (even though you might not like it on other machines) and the latest security patches. A good place to check for new patches is www.microsoft.com/security. Do not rely on Windows Update solely (it has been seen to miss patches). Also, be sure to install patches in the order they have been released! It has been seen that older patches overwrite part of newer patches if installed in any other order.
- Stop and uninstall all services that need not to be present on the machine. For a highly secure system, be sure to remove the bindings for the file server. Follow the basic guideline: “as few services as possible”.
- Either via the firewall and/or via Windows IP filters, block all traffic to and from the machine. Open up only the ports that you definitely need (that is 514/UDP for syslog and 5432/TCP for SETP).
- Double-check that terminal services and telnet are not available on the machine.
- Make a full backup of the system, including the emergency repair disk. Make sure all disks are protected by fault tolerance, that is either RAID 5 or disk mirroring. Ensure that a proper backup procedure is in place.
- Check with your legal advisor if physically read-only media is required for storing your log files. If so, ensure that files are periodically written to CD-R or a similar media (do not use CD-RW or any other rewritable media!).