site security: how can I audit what user or machine process has altered a file?

Ken Fine

I'm having a periodic issue on one of my sites with defacement: people are
using some process or exploit to replace/deface pages. I want to know how
exactly they are doing this, and what process or user is doing this. How can
I best audit what user or machine process has altered a particular file, or
set up a log on that file for the future? Beyond basic server security, any
pointers for common strategies to hinder this sort of defacement?

I'm using Windows Server 2003, ASP.NET, PHP, and classic ASP. I control the
server entirely.

Thanks,
-KF
 
Steven Cheng

Hi KF,

Do you mean your webserver machine has been suffering some attacks recently? For
file altering, it could be done from either the internal network or externally.
For internal, you may need to restrict file access on that machine more.
For external, it is more likely that some external users have gained some
level of access permissions on your machine. Normally, you may first check
the IIS webserver security (such as installing all the latest patches and
applying some good practices):

#Installing and Securing IIS Servers (Part 1)
http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html

#Tech Tip: Take these steps to secure your IIS Web server
http://articles.techrepublic.com.com/5100-6350_11-5287646.html

#IIS Security Checklist
http://www.washington.edu/computing/support/windows/UWdomains/IISsecchecklist.html

Sure, there is also some information about building secure ASP.NET
applications:

#Building Secure ASP .NET Applications .pdf Download
http://www.microsoft.com/downloads/details.aspx?FamilyID=055FF772-97FE-41B8-A58C-BF9C6593F25E&displaylang=en

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead





This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
 
Ken Fine

Thanks. I'm still curious if there is a way to log what process or user
altered a particular file, so I can figure out exactly where the attack is
coming from. Do you know a way to do that?

Thanks,
-KF
 
Steven Cheng

Hi KF,

For file system access monitoring, so far what I can find is Windows's
own system audit feature:

#Threats and Countermeasures
http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

However, it does not record both the account and process; only account
info may get recorded.

You may also look for some other file system monitor tools; one is the
Sysinternals FileMon:

#FileMon for Windows v7.04
http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

and some other 3rd party ones:

#Auditing File System Events
http://dl.scriptlogic.com/landing/file-system-auditor/auditing-file-system-events.aspx?engine=adwords!9443&keyword=(windows%20audit)&match_type=&gclid=CL-U7Ybu4JECFQoXewodZiq3Sw

http://www.filedudes.com/files/File_System_Monitor.html

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



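One way to apply the Windows audit feature mentioned in the reply above to a single file or folder, as an added example that is not part of the original thread. It assumes PowerShell is installed, the session runs as an administrator, and "Audit object access" is already enabled in the local security policy; the function name `Add-WriteAuditRule` and the path are hypothetical.

```powershell
# Added example (not from the thread). Adds an audit entry (SACL) so that
# write, delete, and permission changes to a path are logged.
# Assumes: administrator session, "Audit object access" already enabled.
function Add-WriteAuditRule {
    param(
        [string]$Path,
        [string]$Identity = 'Everyone'   # audit every account, not one user
    )
    if (-not (Test-Path -Path $Path)) { throw "Path not found: $Path" }
    $item = Get-Item -Path $Path

    # Rights covering content changes, deletion, and ACL/owner tampering.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

    # On a folder, let the rule flow down to files and subfolders.
    if ($item.PSIsContainer) {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        $inherit = [System.Security.AccessControl.InheritanceFlags]'None'
    }
    $propagate = [System.Security.AccessControl.PropagationFlags]'None'

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $Identity, $rights, $inherit, $propagate, $flags

    # -Audit is required to read the SACL; without it Set-Acl would not
    # carry the audit entries at all.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Read the SACL back so the caller can confirm the entry is in place.
    (Get-Acl -Path $Path -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount])
}

# Hypothetical path: replace with the page that keeps getting defaced.
Add-WriteAuditRule -Path 'C:\Inetpub\wwwroot\default.htm'
```

Matching accesses are then written to the Windows Security event log, where they can be reviewed in Event Viewer.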
 
