Guide to Operating Systems Security Chapter 12 Solutions

Guide to Operating Systems Security
0-619-16040-3
Chapter 12 Solutions
Answers to the Chapter 12 Review Questions
1. Your organization prints out many logs from servers each morning, but no one looks at them, except
occasionally. What might your organization use in relation to the logs to help make server
administrators aware of possible intrusions?
Answer: a. software that provides alerts from the information in the logs
2. You are working for a bank that provides Internet banking 24 hours a day, seven days a week. The
bank cannot afford to have security personnel scanning for intruders and taking action against intruders
during every moment that Internet banking is available. What might be the best solution?
Answer: c. implement active intrusion detection
3. Your company has decided to put intrusion-detection software on all servers and workstations. This is
called:
Answer: d. host-based intrusion detection
4. You have installed Network Monitor in Windows 2000 Server, but the software is not gathering
statistics on network activity. What might be the problem? (Choose all that apply.)
Answer: c. You need to install Network Monitor Driver
5. The art director in your company suspects that someone is accessing her Mac OS X computer over the
network. Which of the following enables her to monitor who is logged onto her computer?
Answer: b. the who command from a terminal window
6. The IT manager in your company wants a way to check which users are logged on to his Windows XP
Professional workstation, because he enables programmers to access employment and vacation
information from his computer. Which of the following do you recommend? (Choose all that apply.)
Answer: a. and d.
7. Which of the following types of information can you obtain from MONITOR in NetWare 6.x?
(Choose all that apply.)
Answer: a., b., c., and d.
8. A Mac OS X user, who is also a frequent user of the Internet, has downloaded a worm. You want to
trace the user's steps to determine how this might have happened. Which of the following would be
most productive?
Answer: b. Examine the contents of the FTP Service log.
9. You are training a new server administrator on the Windows 2000 and 2003 servers in your
organization. You decide to train the new server administrator to use Network Monitor to track only
BPDU traffic. What capability do you show her?
Answer: d. setting up a filter
10. While still training the new server administrator in Question 9, you show her how to monitor shared
folders, and she asks what the "$" reference means in the folder names. You explain that this refers to
_____________________.
Answer: a. hidden folders
11. In Red Hat Linux 9.x, most logs are found in the __________________ directory.
Answer: c. /var/log
© 2004 Course Technology and Michael Palmer. All rights reserved.
12. Your organization is experiencing lots of port scanning and various attempts at breaking into servers.
Which of the following intrusion-detection methods might you try, to redirect attackers away from
these servers? (Choose all that apply.)
Answer: d. Set up a honeypot.
13. A(n) _____________________ examines logs and other recorded data and determines if there has
been an intrusion attempt.
Answer: b. inspector
14. You want to examine failed attempts to access the Payroll folder in Windows Server 2003. What log
would you check?
Answer: c. Security log
15. When you see a white "x" inside a red circle in Windows 2000 Server or Windows Server 2003 log,
this signifies a(n) ________________________.
Answer: a. error
16. You notice that a process that should be starting when Red Hat Linux 9.x boots is not starting. Where
would you look to track down the error?
Answer: c. in the Boot log
17. You suspect that an attacker has changed the schema in NetWare 6.0. Where would you look to trace
this possibility?
Answer: d. View the SYS:ETC\SCHINST.LOG file.
18. You've identified an intruder on a NetWare 6.5 server on your network. Now you need to quickly
terminate this intruder's logon session. Which of the following tools can you use? (Choose all that
apply.)
Answer: c. and d.
19. In Network Monitor, how might you view traffic only from one workstation, as a way to determine if
that workstation is creating a network load? (Choose all that apply.)
Answer: b. and c.
20. Your assistant is worried that the logs on computers running Red Hat Linux 9.x will become too full
and must be managed. What is your comment about this?
Answer: d. Leave Red Hat Linux's automatic rotation level system in place to rotate the logs.
Hands-On Projects Tips and Solutions for Chapter 12
Project 12-1
Students learn how to access Event Viewer and to configure a filter in this project. Before students
begin, make sure that you have auditing turned on for one or more files.
In Step 3, the logs students see will depend on which operating system they access and the services
installed in the operating system. In Windows 2000 and XP Professional, they will see the System,
Security, and Application logs. In Windows 2000 Server and Windows Server 2003 they will see
additional logs: File Replication Service, Directory Service, and DNS Service.
In Step 5, students should report about the error events they see in Event Viewer.
In Step 6, students should report on the events they open in the Security Log.
In Step 10, students should record a few of the event sources, such as cdrom, disk, modem, IPSec,
NetBIOS, Tcpip, and many, many others.
In Step 11, students should record some of the other parameters that can be set such as:
• Category
• Event ID
• User
• Computer
• From
• To
In Step 13, after the filter is put into use, students will only see error events for the Netlogon source.
However, the events that are no longer displayed are still in the log, but they are not seen in Event
Viewer because the filter is being used.
Project 12-2
In this project, students access the Log Viewer in Red Hat Linux 9.x and configure a filter and alerts.
In Step 4, the display changes because students are filtering for the word “shutdown” and after they
click the Filter button, they only see messages that contain this word.
In Step 6, students should determine the number of failed messages displayed through the filter.
In Step 11, the word “unauthorized” is added to the list of alert words.
Project 12-3
Students learn how to view the Red Hat Linux System Log using the cat command in this project.
In Step 3, students should report viewing all of the default logs with four versions per log:
• boot.log.x
• cron.x
• maillog.x
• messages.x
• rpmpkgs.x
• secure.x
• spooler.x
• up2date.x
• XFree86.x.log
Project 12-4
In this project, students view the contents of the Console Log in NetWare 6.x. They will need a
workstation running Windows XP Professional (or Windows 2000 Professional will work), Client32
already installed on the workstation, and an account from which to access a NetWare server.
In Step 7, students should record the time of the last entry in the log.
Project 12-5
Students learn how to view the System Log in Mac OS X in this project.
In Step 3, students should report seeing the following log files:
• ftp.log
• lastlog
• lookupd.log
• lpr.log
• mail.log
• netinfo.log
• secure.log
• system.log
In Step 5, students should record the topics of two or three messages.
Project 12-6
In this project, students view shared resources and connections in Windows 2000/XP/2003.
In Step 3, students should record one or two resources, such as C$ and print$. Also, they should note
that the "$" means that the resource is hidden.
In Step 4, students should record the number of active sessions. Also, to terminate a session, they
should report that they would right-click the user and click Close Session.
In Step 5, students should report the number of files that are locked.
Project 12-7
Students use the who command in Red Hat Linux to view users who are on their system.
In Step 6, the differences are that:
• Step 2 results show the user, line, and time logged on
• Step 3 results show the same information as Step 2, but with headers
• Step 4 results show the headers and add the idle time information
• Step 5 results provide only the user names and the total number of users
Project 12-8
In this project, students use MONITOR in NetWare 6.x to view connections, NLMs, and locked files.
In Step 5, students should report the number of connections.
In Step 15, students will see the following columns:
• Connection
• Task
• Lock Status
• Log Status
Project 12-9
In this project, students use the Process Viewer in Mac OS X.
In Step 5, students should report which process is using the most memory.
Project 12-10
Students learn to monitor a network using Microsoft Network Monitor in this project. They will need
access to a Windows 2000/2003 server that has Network Monitor installed along with Network
Monitor Driver. Also, they will need access to an account that has permissions to use Network
Monitor.
In Step 4, students should report the typical % Network Utilization.
In Step 6, students should use the Station and Session Statistics panes to report about stations sending
broadcasts. Also, the Session Statistics pane provides information about the network address of a
station.
In Step 11, examples of the protocols that can be monitored (at this writing) include:
• 3ComNBP (ETYPE)
• AppleTalk ARP (ETYPE)
• AppleTalk LAP (ETYPE)
• ARP (ETYPE)
• BPDU (SAP)
• IBM NM (SAP)
• IBM RT (ETYPE)
• IP (SAP and ETYPE)
• IPv6 (ETYPE)
• Loop (ETYPE)
• NetBIOS (SAP)
• NetWare (ETYPE)
• NetWare 802.2
• NetWare SAP (SAP)
• NULL (SAP)
• Other ETYPES (ETYPE)
• PUP (ETYPE)
• PUP ARP (ETYPE)
• RPL (SAP)
• SNA (SAP)
• SNAP (SAP)
• SNMP (ETYPE)
• TCP (ETYPE)
• TRLR (ETYPE)
• UB (SAP)
• VINES (SAP and ETYPE)
• XNS (SAP and ETYPE for 3Com and ETYPE for Xerox)
In Step 14, the stations that are listed will depend on what stations are connected to the network. Some
typical examples besides the server include generic stations such as: *ANY GROUP, *BROADCAST,
*NETBIOS Multicast, and LOCAL. Communications between two stations can be tracked in both
directions, from Station 1 to Station 2, or from Station 2 to Station 1. To view all traffic between a
NetWare server and all other stations, designate the NetWare station as Station 1 and *ANY as Station
2 (or vice versa).
In Step 15, the relationship under (Address Pairs) is now displayed as:
INCLUDE *ANY GROUP ↔ *ANY
Solutions to the Case Project Assignments
Xtreme is a company that manufactures fast snowboards and skis. The company's research department has
been developing new materials that not only increase the speed of its old products, but also increase the
products' durability. Xtreme operates in a very competitive industry, and the company takes many
precautions to protect its secret product and design information. Xtreme is aware that competitors
frequently attempt to access its network, through both inside sources and the Internet.
Xtreme uses Windows 2003 and NetWare 6.0 servers to house product and research information. Research
and design activities are performed on Red Hat Linux 9.0 and Mac OS X workstations. Xtreme hires you
through Aspen IT Services to consult about implementing intrusion-detection measures for its servers and
workstations.
Case Project 12-1: Passive and Active Intrusion Detection
Xtreme's IT department is debating whether to use passive intrusion detection or active intrusion detection.
However, many members of the department are confused about the differences between these approaches.
They ask you to create a short report that:
• Explains the differences between passive and active intrusion detection
• Discusses the pros and cons of passive and active intrusion detection
Answer:
In their reports, students should first compare passive intrusion detection to active intrusion detection. As
mentioned in the text, passive intrusion detection uses ways to detect and record intrusion attempts, but
does not take action on those attempts. Some examples of the activities monitored as provided in the text
include:
• Login attempts that have succeeded and failed
• Suspicious attempts to access accounts used by administrators
• Changes to files
• Changes to accounts
• Changes to security
• Changes to DNS services
• Successful and failed attempts to access files
• Files that are open under suspicious circumstances
• Unplanned system shutdowns
• Unexpected communications adapter events or activities
• Services that are unexpectedly shut down
• Unusual or excessive e-mail traffic
• File quotas about to be exceeded
• Successful and failed network connections
• Network connections from suspicious locations
• Network probes
• Port scans
• Suspicious file transfers
• Suspicious network traffic
Active intrusion detection uses event tracking and logs to provide alerts or to take specific actions against
an intrusion, such as blocking an intruder.
In discussing the pros and cons of active versus passive intrusion detection, students should note that
passive intrusion detection does not take any action against intruders, and so an inattentive system
administrator may never know an intrusion has taken place and nothing may be done. Passive intrusion
detection requires that the system administrator regularly review logs and records, and use filters and traps
to detect intrusions. On the positive side, it does not prevent legitimate users from accomplishing their
work.
A limitation of active intrusion detection is that it can go too far in preventing intrusions by also preventing
legitimate users from accomplishing their work. Thus, it must be configured carefully. It is an advantage,
though, in that a response to an intrusion can be faster than with passive intrusion detection.
Many organizations use a combination of active and passive intrusion detection for best coverage and
response.
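As an added illustration of this distinction (example code written for this guide, not from the text or its author), the Python below applies a passive and an active approach to the same evidence: constructed sshd lines in the style of the Red Hat Linux secure log. The host names, addresses, the trusted internal network prefix, and the failure threshold are all assumptions; the active variant exempts trusted addresses so that a mistyped password does not lock out a legitimate user.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Red Hat Linux 9 /var/log/secure (sshd).
# Hosts, users and addresses are made up for the example.
SAMPLE_SECURE_LOG = """\
Mar  3 08:01:12 research1 sshd[2201]: Accepted password for rjones from 10.1.5.20 port 40211 ssh2
Mar  3 08:02:40 research1 sshd[2210]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar  3 08:02:43 research1 sshd[2210]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar  3 08:02:47 research1 sshd[2210]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar  3 08:02:51 research1 sshd[2210]: Failed password for root from 203.0.113.77 port 51022 ssh2
Mar  3 08:05:02 research1 sshd[2233]: Failed password for rjones from 10.1.5.20 port 40290 ssh2
Mar  3 08:05:09 research1 sshd[2233]: Accepted password for rjones from 10.1.5.20 port 40290 ssh2
Mar  3 08:07:30 research1 sshd[2250]: Failed password for admin from 198.51.100.9 port 3322 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)"
)

ADMIN_ACCOUNTS = {"root", "admin"}  # accounts used by administrators (see monitored-activity list)
TRUSTED_NETS = ("10.",)             # assumption: Xtreme's internal workstations, never auto-blocked
FAIL_THRESHOLD = 3                  # assumption: failures from one address before an active response


def parse_secure_log(text):
    """Turn successful and failed login lines into dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def count_failures(events):
    failures = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
    return failures


def passive_detect(events):
    """Passive approach: record and flag suspicious activity; nobody is blocked.
    The findings are only useful if an administrator actually reviews them."""
    findings = []
    for e in events:
        if e["result"] == "Failed" and e["user"] in ADMIN_ACCOUNTS:
            findings.append(f"{e['ts']} failed login to admin account {e['user']} from {e['ip']}")
    for ip, n in count_failures(events).items():
        if n >= FAIL_THRESHOLD:
            findings.append(f"{n} failed logins from {ip} (possible brute force)")
    return findings


def active_detect(events):
    """Active approach: same evidence, but returns the addresses to block at the
    firewall. Trusted internal addresses are exempt to limit harm to legitimate users."""
    return sorted(ip for ip, n in count_failures(events).items()
                  if n >= FAIL_THRESHOLD and not ip.startswith(TRUSTED_NETS))


if __name__ == "__main__":
    evts = parse_secure_log(SAMPLE_SECURE_LOG)
    print("\n".join(passive_detect(evts)))
    print("active response would block:", active_detect(evts))
```

Against the sample, the passive run reports five admin-account failures plus a brute-force finding for 203.0.113.77, while the active run blocks only that address and leaves the internal user who mistyped a password once untouched.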
Case Project 12-2: Using Decoys
The IT department director has heard about using decoys for security. He asks you to prepare a report that
explains a decoy and how a decoy might be used on Xtreme's network.
Answer:
A decoy or honeypot is a computer and operating system that is set up to be attractive for intruders and
attackers. Often it is a fully functional server operating system with dummy or useless data. Also, it may be
configured with little or no security so that it is an even more attractive target. The idea behind a decoy is to
draw attention away from servers and other computers that do contain important information. Also, a decoy
can be used to quickly identify an attacker so that preventive/blocking action can be taken before the
attacker targets other computers on the network.
On the Xtreme network, the company might consider setting up a DMZ and placing the decoy in the DMZ.
Next, they might use the decoy to identify attackers, so that they can configure a firewall to block these
users.
Case Project 12-3: Using Windows Server 2003 and NetWare 6.0 Logs
The two administrators for the Windows Server 2003 and NetWare 6.0 servers have ignored using the audit
logs on these systems, because they have had only a few problems—which they've solved without using
logs. The IT director has instructed both administrators to check the logs regularly for security purposes. To
help the administrators get started, the IT director asks you to prepare written information about:
• Logs that are available on both systems
• Your recommendations about which logs to check most frequently
Answer:
Windows Server 2003 offers the following logs that were discussed in the text:
Log | Description
System log | Records information about system-related events such as hardware errors, driver problems, and hard drive errors
Security log | Records access and security information about logon accesses, file, folder, and system policy changes
Application log | Records information about how software applications are performing
Directory Service log | Records events that are associated with Active Directory, such as updates to Active Directory, events related to the Active Directory's database, replication events, and startup and shutdown events
DNS Server log | Provides information about instances in which DNS information is updated, when there are problems with the DNS service, and when the DNS Server has started successfully after booting
File Replication log | Contains information about changes to file replication, when the File Replication service has started, and completed replication tasks
NetWare 6.0 offers the following logs, as discussed in the text:
Log | Description
Access Log | Contains information about access services to the NetWare server
Audit Log | Contains an audit trail of user account activities
Console Log | Traces activities performed at the System Console, such as loading NLMs
Error Log | Contains error information recorded for the NetWare server
Module Log | Contains a listing of modules that have been loaded
NFS Server Log | Provides information about NFS server services, including changes to the service and communications through TCP and UDP
Schema Instructions Log | Tracks schema events, including changes to the schema
Students may discuss different logs to monitor most frequently, and may provide the reasons for their
recommendations. A good place to start in Windows Server 2003 is to frequently monitor the System and
Security logs, because the System log provides a very complete listing of all types of events and the
Security log is intended for security monitoring, such as accesses to accounts and files. In NetWare 6.0, the
Console Log is valuable for verifying what actions have been taken on the server and the Access and Audit
Logs provide tracking of access activities.
Case Project 12-4: Monitoring Users in Red Hat Linux and Mac OS X
The research department director wants the Red Hat Linux 9.0 and Mac OS X users to regularly monitor
who is accessing their workstations. He asks you to prepare a training document that explains how to
monitor users on both systems.
Answer:
Both Red Hat Linux 9.0 and Mac OS X offer the ability to monitor users through the who command.
The steps in Red Hat Linux are:
1. Click Main Menu, point to System Tools, and click Terminal.
2. Type who -H or who -iH and press Enter.
3. Type who am i, and press Enter, if you want information about your own logon session.
4. Type exit, and press Enter to close the terminal window.
The steps in Mac OS X are:
1. Click the Go menu.
2. Click Applications.
3. Double-click the Utilities folder.
4. Double-click Terminal.
5. Type who -H and press return.
6. Type who am i, and press return, if you want information about your own logon session.
7. Close the terminal window.
Case Project 12-5: Monitoring a Possible Intruder
A network administrator has determined that a particular workstation user is frequently accessing one of the
Windows 2003 servers in what appears to be an unauthorized fashion. The IT director asks you to prepare a
document for the two Windows 2003 server administrators, outlining how to use Network Monitor to track
activity from this workstation. When you prepare this training document, cover the following:
• How to watch the activities of this workstation in the Session Statistics and Station Statistics panes
• How to create a filter to monitor the workstation's activities
• How to periodically use the capture summary information to trace the activities of this workstation
Answer:
Students should note that they can use the Session Statistics pane to track the network address or computer
name of the possible intruder. If Xtreme tracks NIC device addresses, this information can be used to locate
the intruder, or it can be used with other network monitor software or an SNMP network management
station to trace the IP address (more advanced students may note that there are ways to use IP protocols to
query the IP address). Also the Session Statistics pane can be used to correlate communications of the
suspected intruder with access to the server. In the Station Statistics pane, the computer name or device
address can be traced to watch traffic relating to frames, bytes, multicasts, and broadcasts.
To create a filter to monitor the workstation's activities:
1. Open Network Monitor.
2. Click the Edit Capture Filter button.
3. There may be a warning that this version of Network Monitor only captures data coming across
the local computer. Click OK.
4. Double-click SAP/ETYPE = Any SAP or Any ETYPE.
5. Click the Enable All button (or select to view only TCP and IP traffic).
6. Click OK.
7. Double-click (Address Pairs). For Station 1 select the station device address or computer name
you identified in the Session Statistics pane. For Station 2, select the server.
8. Click OK.
9. Click the Start Capture button on the button bar.
To view the capture summary data, click the Captured Data button. Click the Find button on the button bar
to view communication associated with the server or possible intruder’s IP address. Note that the capture
data summary does provide IP address information that can be correlated to the intruder.