SMARTVFD SECURITY GUIDE
31-00140—01
Setting up and analyzing Windows audit logs
Enable the auditing of your file system and registry
access. If you suspect that the system is being misused,
then Windows auditing provides a useful tool to track who
did what and when.
Once Windows auditing is enabled, review the Windows
audit logs frequently and take action if unexpected activity
is seen.
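As an added example that is not part of the SmartVFD guide, the following PowerShell session shows the three pieces the paragraph above implies: turning on the file-system and registry audit subcategories, placing an audit rule (SACL) on a folder so that access is actually recorded, and pulling the resulting Security-log events out for review. The folder path is an assumption; replace it with the directory you want to watch. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the SmartVFD guide). Enables object-access auditing,
# audits one folder, and lists recent access events. Run elevated.
$WatchedFolder = 'C:\SmartVFD\Config'   # assumed path; change to suit

# 1. Turn on the Object Access subcategories that produce file and registry
#    events. Without these, SACLs on objects generate nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry"    /success:enable /failure:enable

# 2. Audit rule on the folder: log every successful or failed write, delete,
#    permission change or ownership change by any user, inherited by files
#    and subfolders. Read access is left out to keep the log volume sane.
$acl  = Get-Acl -Path $WatchedFolder
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchedFolder -AclObject $acl

# 3. Review: object-access (4663) and object-deleted (4660) events from the
#    last 24 hours, reduced to who, what and from which process.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4660
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object  = $d['ObjectName']
        Process = $d['ProcessName']
    }
}
$rows | Sort-Object Time -Descending | Format-Table -AutoSize
```

The query in step 3 is the part to run on a schedule: an unfamiliar user or process name against the watched folder is exactly the "unexpected activity" the guide asks you to look for.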
Restricting access to event logs
By default, anonymous accounts and guest accounts can
view Windows Event Logs when logged in to a Windows
computer. Restrict this access on the Compass primary
workstation, because the System, Application, and
Security logs may contain sensitive information about the
system and its operations.
IMPORTANT
Back up your system and then back up the registry
hive before making any modifications in the Windows
registry. If a mistake occurs, you can then recover by
reverting to the backup of the hive or, in the worst
case, reverting to the system backup, to recover and
minimize downtime.
CAUTION
Mistakes made while editing the Windows
registry can cause serious issues with your
computer. Follow these steps precisely. If you
make a mistake you cannot fix, restore your
backup and start over.
Question:
How do I restrict access to Administrators and
system account only?
Answer:
To restrict access to administrators and system
accounts only:
1. Choose Start > Run to open the Run window.
2. Type regedit and then click OK.
3. Expand the HKEY_LOCAL_MACHINE tree until you
open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog registry key.
4. Select the Security subkey.
5. Right-click in the right window and then choose New >
DWORD Value to create a new registry value.
6. Name the new value RestrictGuestAccess.
7. Right-click RestrictGuestAccess and then select
Modify.
8. Type 1 in the RestrictGuestAccess value data field and
then click OK.
9. Repeat steps 5 through 8 for the Application and
System subkeys.
10. Close the Registry editor.
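The same change, scripted, as an added example that is not part of the SmartVFD guide: it exports the EventLog key first (the backup the IMPORTANT note calls for), sets RestrictGuestAccess = 1 on all three logs, and reads the values back so you can confirm the result. The backup file path is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the SmartVFD guide). Applies the regedit steps
# above to Application, Security and System in one pass. Run elevated.
$EventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$Logs        = 'Application', 'Security', 'System'
$BackupFile  = 'C:\Backup\EventLog-key.reg'   # assumed path

# 0. Back up the registry hive section before touching it.
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\EventLog' $BackupFile /y

# 1. Set the REG_DWORD value RestrictGuestAccess = 1 under each log's subkey.
#    -Force overwrites an existing value, so the script is safe to re-run.
foreach ($log in $Logs) {
    $path = Join-Path $EventLogKey $log
    if (-not (Test-Path $path)) {
        Write-Warning "Log key not found, skipping: $path"
        continue
    }
    Set-ItemProperty -Path $path -Name 'RestrictGuestAccess' -Value 1 -Type DWord -Force
}

# 2. Verify: every log should report RestrictGuestAccess = 1 and Ok = True.
foreach ($log in $Logs) {
    $path = Join-Path $EventLogKey $log
    $v = (Get-ItemProperty -Path $path -Name 'RestrictGuestAccess' -ErrorAction SilentlyContinue).RestrictGuestAccess
    [pscustomobject]@{ Log = $log; RestrictGuestAccess = $v; Ok = ($v -eq 1) }
}
```

If the verification step shows anything other than 1 for a log, restore from the exported .reg file (double-click it or run reg import) rather than editing further, as the CAUTION above advises.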
APPENDIX 5 - FIREWALL AND NETWORK INTRUSION ISSUES
This section contains additional information on
installation security issues for SmartVFD.
Configuring the Windows firewall on Windows PCs running the web browser
The Windows firewall provides another layer of protection
and must always be enabled. When the firewall is on, it will
reject any incoming connections by default. Exceptions
must be put into the firewall to allow incoming
connections to succeed. If not manually configured, on
first usage the Windows firewall will prompt the user to
add a firewall exception. Use the following configuration
settings:
• The firewall is on.
• The firewall is on for all network locations (Home or
work, Public, or Domain).
• The firewall is on for all network connections.
• The firewall is blocking all inbound connections except
those that you specifically allowed.
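The four settings listed above, applied and checked from PowerShell, as an added example that is not part of the SmartVFD guide. It uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later; the equivalent netsh commands for older Windows versions are shown as comments. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the SmartVFD guide). Enforces: firewall on, on for
# every network location (Domain, Private = "Home or work", Public), and
# inbound connections blocked unless explicitly allowed. Run elevated.

# Windows 8 / Server 2012 and later.
# NotifyOnListen keeps the prompt that offers to add an exception the first
# time a program listens, which is the behaviour the guide describes.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -NotifyOnListen True

# Older Windows (Windows 7 / Server 2008 R2) equivalent:
#   netsh advfirewall set allprofiles state on
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Check 1: every profile should show Enabled = True, DefaultInboundAction = Block.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Check 2: review the inbound exceptions currently in force. Anything the
# browser-based SmartVFD workstation does not need should be disabled with
# Disable-NetFirewallRule -DisplayName '<name>'.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

Check 2 is the one that matters over time: the firewall stays "on" on its own, but the list of exceptions only grows as users click through the first-use prompt, so it deserves the same periodic review as the audit logs.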
Detecting network
Network Intrusion Detection Systems (NIDS) can take
many forms. NIDS can be a dedicated server on the same
network branch, freeware software available under GNU or
similar licenses (most of these are aimed at UNIX
systems), or commercial products aimed specifically at
Windows systems.
The purpose of NIDS is to scan incoming network packets
and look for unusual traffic or for specific malformed
packets known to be associated with attacks. If anomalies
are found, NIDS take action such as raising alerts or even
disconnecting the computer from the network. The latter
is a dangerous option: it prevents damage to the system by
closing network ports, but in doing so it causes a denial
of service of its own.
Most firewalls, switches, and routers have reporting
capabilities that can report various levels of events varying
from debugging to emergency failure. These reports can
be viewed using telnet, collected by a central logging
server, or emailed to an administrator. For example, the
Cisco PIX firewall and Catalyst 4500 switches can be
configured to send selected levels of events to a central
syslog server where further analysis can occur and
significant events can be detected.
Syslog servers are common on Unix systems, and third-party
syslog services are available for Windows. They vary
in functionality and cost, from freeware, which simply
writes to a log file, to sophisticated NIDS that analyze the
logs in detail. As well as being able to control the level of
severity of events, the PIX firewall allows the suppression
of individual messages. This can significantly reduce
clutter and also provide some ability to recognize common
attack signatures and then raise the appropriate alarms.
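As an added example that is not part of the SmartVFD guide, the following PowerShell script does the kind of analysis the paragraph describes on the collecting side: it parses firewall syslog lines, tallies them by severity level, and raises a simple alarm for a common signature (one source denied to several ports on one host). The sample lines are constructed and only approximate the PIX "%PIX-severity-messageid" deny format; the field layout, the message IDs and the threshold are assumptions to be adjusted for the device and syslog server you actually run.

```powershell
# Added example (not from the SmartVFD guide). Parses PIX-style syslog lines
# and flags port-sweep-like deny patterns. Input below is constructed.
$SampleLog = @'
Jun 12 10:01:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40211 dst inside:192.168.1.20/445 by access-group "outside_in"
Jun 12 10:01:02 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40212 dst inside:192.168.1.20/135 by access-group "outside_in"
Jun 12 10:01:03 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40213 dst inside:192.168.1.20/3389 by access-group "outside_in"
Jun 12 10:01:03 fw01 %PIX-4-106023: Deny tcp src outside:203.0.113.5/40214 dst inside:192.168.1.20/80 by access-group "outside_in"
Jun 12 10:01:09 fw01 %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/51000 to inside:192.168.1.20/443
Jun 12 10:02:15 fw01 %PIX-4-106023: Deny udp src outside:198.51.100.9/5353 dst inside:192.168.1.20/161 by access-group "outside_in"
'@

function ConvertFrom-PixSyslog {
    # Turn raw lines into objects: severity (0 = emergency ... 7 = debugging),
    # message id, and for deny messages the source/destination fields.
    param([string[]]$Lines)
    $hdr  = '%PIX-(?<sev>\d)-(?<id>\d+):\s+(?<msg>.*)$'
    $deny = 'Deny\s+(?<proto>\w+)\s+src\s+\w+:(?<src>[\d.]+)/(?<sport>\d+)\s+dst\s+\w+:(?<dst>[\d.]+)/(?<dport>\d+)'
    foreach ($line in $Lines) {
        if ($line -notmatch $hdr) { continue }          # not a PIX message
        $rec = [ordered]@{ Severity = [int]$Matches.sev; MsgId = $Matches.id; Raw = $Matches.msg }
        if ($rec.Raw -match $deny) {                     # second -match overwrites $Matches
            $rec.Proto = $Matches.proto; $rec.Src = $Matches.src
            $rec.Dst   = $Matches.dst;   $rec.DPort = [int]$Matches.dport
        }
        [pscustomobject]$rec
    }
}

function Find-PortSweeps {
    # Alarm when one source is denied to at least $MinPorts distinct ports on
    # one destination host: a crude but useful port-sweep signature.
    param([object[]]$Records, [int]$MinPorts = 3)
    $Records | Where-Object { $_.MsgId -eq '106023' } |
        Group-Object Src, Dst |
        ForEach-Object {
            $ports = @($_.Group.DPort | Sort-Object -Unique)
            if ($ports.Count -ge $MinPorts) {
                [pscustomobject]@{
                    Src = $_.Group[0].Src; Dst = $_.Group[0].Dst
                    Ports = ($ports -join ','); Denies = $_.Count
                }
            }
        }
}

$records = ConvertFrom-PixSyslog -Lines ($SampleLog -split "`r?`n")
'Events by severity level:'
$records | Group-Object Severity | Select-Object Name, Count | Format-Table -AutoSize
'Possible port sweeps:'
Find-PortSweeps -Records $records | Format-Table -AutoSize
```

On the constructed input, 203.0.113.5 is reported (four ports on 192.168.1.20) while 198.51.100.9 is not, which is the distinction a suppression rule on the firewall cannot make by itself: suppressing 106023 outright would silence the sweep too, so suppress noisy individual messages on the device and keep the deny messages flowing to the collector where this sort of correlation can run.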
When you configure network event logs, maintain a
balance between collecting too many events (and missing
something important) and filling storage disks and
deleting information (which is subsequently needed for an
intrusion investigation).