Very often, when we meet with a client in the midst of an incident, we hear the same troubling responses to our questions about Windows logs: “I’m not sure how long we keep our logs.” “What’s the default?” “I don’t think we have them.” Logging is considered boring; it’s overlooked by system build plans, and with the proliferation of products designed to manage logs, their retention has been made complex and costly.
The truth is, logs are critical for a successful incident response investigation.
Here are a few changes your team can make in your Microsoft Windows environment that may turn the tide during your next incident:
- Keep Those Logs!
By default, Windows keeps relatively few events per system log file. Depending on the system and log, events may only be kept for minutes or hours. This may have made sense when storage was costly. However, the value gained by keeping logs is immense. Security logs, in particular, are important for tracking attacker movements within a network but often cover the shortest timespans. In Windows Event Viewer, or by Policy, set your core event logs, such as Application, System, and especially Security, to have a large maximum size or roll them over and periodically archive them. Other logs, including IIS web server logs, may also be increased in size.
If you have the resources on a centralized system, you may want to look into Windows Event Forwarding to collect event logs into one, dedicated Windows server. For those a bit more adventurous, check out Splunk and Logstash.
- Even More Logs!
Sysmon is a very powerful new tool from Microsoft that records many of the details you’ll want to have after the next phishing campaign makes its rounds. It records, among other things, when a program executes, its hash value, where it went over the network or internet, and it detects timestamp tampering. It is lightweight, quick to deploy, and also records to Windows event logs (remember to increase the maximum size).
Despite its past reputation, Windows Firewall can be of help to determine what happened during an incident. Buried within the Windows Firewall settings pages are logging options, which, when enabled, will log network events as seen by the firewall.
Windows is also capable of auditing file creation, modification, access, and deletion. This is incredibly powerful on a web server, for example, to watch for any modifications to web content that may be indicative of attacker activity. Do take care when turning this on, as it can easily generate excessive numbers of events.
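The two settings above that take the least effort, larger core event logs and Windows Firewall logging, can be applied in one script. This is an added example, not code from the original post; it assumes an elevated PowerShell 5.1 or later session on Windows, and the size targets are assumptions to adjust to your own retention goal.

```powershell
# Added example (not from the original post): raise core event log sizes and
# enable Windows Firewall logging. Run in an elevated PowerShell session.
# Size targets are assumptions; choose values that match your retention goal.
$targets = [ordered]@{
    'Application' = 256MB
    'System'      = 256MB
    'Security'    = 1GB    # Security fills fastest, so it gets the most room
}

function Set-LogRetention {
    param([System.Collections.IDictionary]$Sizes)
    foreach ($name in $Sizes.Keys) {
        $log    = Get-WinEvent -ListLog $name
        $before = $log.MaximumSizeInBytes
        if ($before -lt $Sizes[$name]) {            # only ever grow a log, never shrink it
            $log.MaximumSizeInBytes = $Sizes[$name]
            $log.LogMode = 'Circular'               # roll over oldest events instead of stopping
            $log.SaveChanges()
        }
        [pscustomobject]@{
            Log      = $name
            BeforeMB = [math]::Round($before / 1MB)
            AfterMB  = [math]::Round((Get-WinEvent -ListLog $name).MaximumSizeInBytes / 1MB)
            Records  = $log.RecordCount
        }
    }
}

function Enable-FirewallLogging {
    # Log both allowed and dropped connections on every profile. By default the
    # file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log; 32767 KB is the maximum.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767
    Get-NetFirewallProfile | Select-Object Name, LogAllowed, LogBlocked, LogFileName
}

Set-LogRetention -Sizes $targets | Format-Table -AutoSize
Enable-FirewallLogging          | Format-Table -AutoSize
```

The before/after table is worth saving with the change ticket, since a Security log that was silently capped at its default size is exactly the gap an investigation later runs into.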
- Lock It Down!
Did you know Windows Server has a utility called Security Configuration Wizard? It is easy to use, and the process walks through common security hardening steps for a Windows server. It covers areas such as services, the firewall, and stored password hashes.
Microsoft’s EMET raises the bar for malware to exploit a vulnerability on a Windows machine by silently preventing malware from performing common attack techniques. Out of the box it adds a level of security to a Windows machine, though it requires a bit of tuning to realize its full potential.
Don’t let users run as Administrator. Force malware to find a way to elevate privileges and you’ll end up blocking some of the more common forms of malware.
Block programs from executing from suspicious locations using AppLocker. Attempting to whitelist all programs is a daunting task; however, you will make significant gains by allowing program execution from expected locations, such as Program Files and Windows directories.
Enable the Windows firewall. While you may be protected at the edge by a perimeter firewall, the built-in firewall can prevent applications from reaching out to less-common ports. More importantly, it can protect a system from lateral movement if a computer within the perimeter has been breached.
- Make a Sound!
Creating and keeping logs is even more helpful when you learn of an event at the moment it occurs. Windows Scheduled Tasks can send emails or generate pop-ups when certain events, with specific keywords, appear. It can even include some of the event details in the alert.
OSSEC, an open-source host-based intrusion detection system (HIDS), is also capable of alerting based on events. While it is commonly deployed on Linux, don’t ignore its Windows client, as it is even able to take action, such as blocking a port or stopping a process, on the affected system when an event is triggered.