Windows NT and Novell Host Based Intrusion Detection Using Native Logging and 3rd Party Log Reporting Tools.

Presented at DEF CON 9 (2001), July 14, 2001, 1 p.m. (50 minutes).

Auditing is defined for this presentation as the process of examining operating system (OS) audit logs to assure that information stored on computers is properly protected and meets corporate security policies. This presentation will cover the Novell NetWare 4.11 (NW) and Windows NT 4.0 (NT) operating systems. NW is capable of auditing Novell Directory Services (NDS) and file system actions, and NT is capable of auditing domain and file system actions, performed on a company's WAN. Auditing tracks the following types of information:

  • User Actions
  • Resource Usage
  • File System Security and Access Control
  • Login and Logoff Activity

NT and NW also include auditing features to collect information about how a system is being used.

These features monitor events related to system security, to identify any security breaches, and to determine the extent and location of any damage. The level of audited events is adjustable to suit the needs of an organization. This presentation illustrates the usage of NT and NW security monitoring separately; however, the concepts apply to any platform.

The costs and benefits of such logging, along with its weaknesses, will also be addressed. While these are two older platforms that the software vendors would love to see upgraded, they are both still used in many organizations.


Presenters:

  • Robert Grill - MBA, CISA, CISSP, GCIA, CNA Audit Project Leader
    Robert Grill is currently an Audit Project Team Leader at a large California-based bank. He has an MBA in Management Information Systems and has over 10 years of information security audit experience. He holds the SANS GIAC GSEC, GCIA, GCIH and GCFW certifications, as well as the CISA, CISSP, SSCP, CNA and CCNA certifications.
  • Michael Cohen - MBA, CISA, CISSP, GCIA, CNA Audit Project Leader
    Michael Cohen is currently an Audit Project Team Leader at a large California-based bank, specializing in network and Internet security. He has over 5 years of information security audit experience. He currently holds the CISA and SSCP certifications, even though he has a great disdain for such things. Previously, he worked as a Big 5 security consultant and cut his teeth as a network administrator holding together the world's most poorly configured NetWare server and two of the most insecure Cisco routers.
