I'm having a periodic issue on one of my sites with defacement: people are
using some process or exploit to replace/deface pages. I want to know how
exactly they are doing this, and what process or user is doing this. How can
I best audit what user or machine process has altered a particular file, or
set up a log on that file for the future? Beyond basic server security, any
pointers for common strategies to hinder this sort of defacement?
I'm using Windows Server 2003, ASP.NET, PHP, and classic ASP. I control the
server entirely.
Thanks,
-KF
"Ken Fine" <kenfine@.newsgroup.nospam> wrote in message
news:3577B10D-95BE-45A9-BA51-DAC89208970D@.microsoft.com...
> I want to know how exactly they are doing this
What's the URL...?
Mark Rae
ASP.NET MVP
http://www.markrae.net
Hi KF,
Do you mean your webserver machine is suffering some attacks recently? For
file altering, it could be done from either the internal network or
externally. For internal, you may need to restrict more on the file access
of that machine. For external, it is more likely that some external users
have gained some level of access permissions on your machine. Normally, you
may first check the IIS webserver security (such as installing all the
latest patches and applying some good practices):
#Installing and Securing IIS Servers (Part 1)
http://www.windowsecurity.com/artic...S_Servers_Part1
html
#Tech Tip: Take these steps to secure your IIS Web server
http://articles.techrepublic.com.co...11-5287646.html
#IIS Security Checklist
http://www.washington.edu/computing.../IISsecchecklist.html
Sure, there is also some information about building secure ASP.NET
applications:
#Building Secure ASP .NET Applications .pdf Download
http://www.microsoft.com/downloads/...F772-97FE-41B8-A58C-BF9C6593F25E&displaylang=en
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscript...ault.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscript...t/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--
>From: "Ken Fine" <kenfine@.newsgroup.nospam>
>Subject: site security: how can I audit what user or machine process has altered a file?
>Date: Fri, 22 Feb 2008 13:27:12 -0800
Thanks. I'm still curious if there is a way to log what process or user
altered a particular file, so I can figure out exactly where the attack is
coming from. Do you know a way to do that?
Thanks,
-KF
Hi KF,
For file system access monitoring, so far what I can find is Windows's
own system audit feature:
#Threats and Countermeasures
http://www.microsoft.com/technet/se...rity/tcg/tcgch03n.mspx
However, it is not recording both the account and process, only account
info may get recorded.
You may also look for some other file system monitor tools; one is
Sysinternals FileMon:
#FileMon for Windows v7.04
http://technet.microsoft.com/en-us/...s/bb896642.aspx
and some other 3rd party ones:
#Auditing File System Events
http://dl.scriptlogic.com/landing/f...g-file-system-events.aspx?engine=adwords!9443&keyword=(windows%20audit)&match_type=&gclid=CL-U7Ybu4JECFQoXewodZiq3Sw
http://www.filedudes.com/files/File_System_Monitor.html
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead
This posting is provided "AS IS" with no warranties, and confers no rights.
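An added example, not part of the original thread or of any poster's reply: one way to switch on the Windows file-system auditing mentioned above for a web root and then pull the resulting Security-log events. It assumes PowerShell is installed on the server, that the "Audit object access" policy is already enabled, that the session runs as an administrator, and that the site lives in `C:\Inetpub\wwwroot` (an assumed path).

```powershell
# Added example. $WebRoot is an assumed path; point it at the defaced site.
# Prerequisite: "Audit object access" (Success and Failure) is enabled under
# Local Security Policy > Local Policies > Audit Policy.
$WebRoot = 'C:\Inetpub\wwwroot'

# Audit rule (SACL entry): record every account (Everyone) for operations
# that can change content, inherited by all subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)

# -Audit is required; without it Get-Acl does not load the SACL at all.
$acl = Get-Acl -Path $WebRoot -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $WebRoot -AclObject $acl

# Confirm the rule is in place.
(Get-Acl -Path $WebRoot -Audit).Audit | Format-List

# After the next defacement: list object-access events that mention a path
# under the web root. 560 and 567 are the Server 2003 object-access event IDs.
# Message is printed in full so every field the OS recorded is visible.
Get-EventLog -LogName Security |
    Where-Object {
        ($_.EventID -eq 560 -or $_.EventID -eq 567) -and
        $_.Message -like "*$WebRoot*"
    } |
    Sort-Object TimeGenerated |
    Format-List TimeGenerated, EventID, UserName, Message
```

Write auditing on a busy web root fills the Security log quickly, so raise the log's maximum size before enabling the rule and compare event times against the modified time of the altered page.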
--
>From: "Ken Fine" <kenfine@.newsgroup.nospam>
>References: <3577B10D-95BE-45A9-BA51-DAC89208970D@.microsoft.com> <n9imKE1dIHA.7396@.TK2MSFTNGHUB02.phx.gbl>
>In-Reply-To: <n9imKE1dIHA.7396@.TK2MSFTNGHUB02.phx.gbl>
>Subject: Re: site security: how can I audit what user or machine process has altered a file?
>Date: Mon, 25 Feb 2008 08:58:01 -0800