「We worry about information leaking through external media such as USB memory.」
「We would like to deter and audit improper operations on our servers.」
「We would like to audit access to a file server that holds important files.」
「We want to capture all Windows OS operations and block the routes by which information could leak.」

Even with today's strengthened security countermeasures, some companies still face problems like these.
Because so many products on the market record Windows operations, they have trouble finding one that meets their company's needs.
Companies that have already installed a tool that collects Windows operation logs report problems such as:
「Operations are not captured by the existing Windows event log (EVT).」
「So many logs are collected that we don't know how to audit them.」
「The USB memory restriction set through the registry is easily bypassed by changing the registry value.」
WEEDS Windows-Trace + Guardian Option can solve these problems.
WEEDS Windows-Trace captures Windows OS (client PC) GUI operations and CUI operations (command prompt) on each machine, and stores them encrypted in a log repository database.

Logs captured by WEEDS Windows-Trace are (normally) transferred to the log repository server every 3 minutes and loaded into the log database. On the log repository server, WEEDS Log-Repository Manager manages the logs, generates audit reports, and performs log maintenance (scheduled purging, backup, restore). The log files that WEEDS Windows-Trace writes on an audited Windows machine are (normally) deleted promptly after transfer to the log repository server, so the audited machine carries no lasting burden.
Guardian Option is a function that blocks behaviour configured in advance.
For example:
External media: writing is blocked, reading is permitted
External media: writing is permitted only from specific programs; all other writes and reads are blocked
Program: block launching Winny
Such flexible deterrence settings strengthen security on Windows.
The deterrence method of WEEDS Windows-Trace + Guardian Option works by 「not letting the Windows OS kernel process the operation」.
Because it does not depend on changing a registry setting, a user cannot bypass it.
Simply storing operation records is not enough. The deterrence takes effect on the user, and unauthorized computer use is audited through daily and monthly audits.
Easy-to-read reports are indispensable. WEEDS Windows-Trace provides a daily detailed operation report, a monthly summary report, and a usage analysis report, and the log server can be searched freely.
Auditing can therefore start from the reports prepared in advance.
The following shows the log items and operation types captured by WEEDS Windows-Trace.

| Log items captured | |
|---|---|
| Log-in date and time | Operation date and time |
| Log-off date and time | Operating application |
| Log-in ID | Input file drive, path, file name |
| Operation (※see the operation type chart) | Output file drive, path, file name |

| Operation types (※) | |
|---|---|
| Operating application launched | Blocked creation of external device directory |
| Operating application | Blocked deletion of external device directory |
| Log-in failure | File open failure |
| File open | File copy failure |
| File creation (name error) | File transfer failure |
| New file created | File delete failure |
| File created (if open) | Directory create failure |
| File deleted | Directory delete failure |
| File copy | Application launched |
| File transfer | Program launched from operating application |
| File drag & drop | Program aborted from operating application |
| Directory created | Window created |
| Directory deleted | Operation within window |
| Directory accessed | Window exit |
| File accessed | Focus set to child window |
| New file created | Focus set to parent window |
| Opened as binary | Focus transfer |
| Blocked external device file open | URL requested |
| Blocked external device file copy | Printer used |
| Blocked external device file transfer | Copy started |
| Blocked external device file delete | |
System departments and SIers who deploy information systems for customers are concerned about mechanism, operation, and performance when installing security products.
The following explains the product mechanism for those in charge of such information systems.
Please use it when comparing and installing products.
WEEDS Windows-Trace hooks Kernel32 and captures logs of all operations.
All operations pass through this hook, so it is the point at which logs are captured.

To capture operation logs from the command prompt, WEEDS Windows-Trace installs a separate function that hooks the shell.
This function captures the “command”, its “parameters”, and “the result of the command”, so it captures “standard input” and “standard output” under the command prompt.

There are products that treat the Windows event log as the operation log, and engineers with some Windows knowledge develop tools that output a separate log file.
However, we question whether the existing Windows event log can serve as an operation record.
WEEDS Corporation judges that it cannot, and does not use it.
The main reasons are that, for file creation, copying, renaming, and modification (overwriting/updating), the event log's [process ID] and [handle ID] are reused,
which increases the likelihood of entries being overwritten when events are generated in bulk, and that depending on the event the [client user name] and [client domain name] needed to determine who accessed which file (event ID 560) are not recorded.
Please refer to the following site for more information.
http://technet.microsoft.com/ja-jp/solutionaccelerators/dd285678.aspx
First, it is impossible to deter operations with an agentless log collector.
An agentless approach can only use the OS's existing logs (event log, etc.) or capture operation logs from network packets.
The reasons the event log cannot provide an operation log were explained above.
Capturing operation logs from network packets is also difficult, because no network packet is generated until the machine communicates externally.
Controlling Windows operations without an agent is extremely difficult. This is not merely a setting that engineers unfamiliar with Windows find hard; it is not something that can be investigated easily.
WEEDS Windows-Trace achieves both log capture and deterrence of operations by hooking the kernel, with an architecture whose deterrence cannot be bypassed.
The following explains the method of controlling USB devices through the registry.
1. Log in as an authorized administrative user.
2. Select 「Run」 from the Start menu.
3. Type 「regedit」 and click 「OK」.
4. When the Registry Editor starts,
navigate to 「HKEY_LOCAL_MACHINE→SYSTEM→CurrentControlSet→Control」.
5. Check whether the key 「StorageDevicePolicies」 exists under 「Control」.
6. If it does not exist, right-click 「Control」, select 「New」-「Key」,
and create 「StorageDevicePolicies」.
7. Right-click 「StorageDevicePolicies」, select 「New」-「DWORD Value」,
and create a DWORD value named 「WriteProtect」.
8. Double-click it, enter a half-width 「1」 in 「Value data」, and click 「OK」.
Caution: this assumes Windows XP SP2.
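The same registry setting applied and then verified from PowerShell, as an added example that is not part of the WEEDS page. It assumes an administrative session on a Windows machine that honours StorageDevicePolicies\WriteProtect; the read-back check exists because, as noted above, this registry-based restriction can be undone by anyone who can change the value.

```powershell
# Added example: apply the registry-based USB write protection from the steps above
# and verify it, so the check can be re-run periodically as a compliance test.
# Assumption: run as an administrator on a Windows version with StorageDevicePolicies.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Set-UsbWriteProtect {
    # Steps 5-6: create the StorageDevicePolicies key if it is missing.
    if (-not (Test-Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # Steps 7-8: create (or overwrite) the DWORD value WriteProtect = 1.
    New-ItemProperty -Path $keyPath -Name 'WriteProtect' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-UsbWriteProtect {
    # Returns $true only when the value exists and is exactly 1.
    # Anything else means the restriction has been removed or altered.
    if (-not (Test-Path $keyPath)) { return $false }
    $item = Get-ItemProperty -Path $keyPath -Name 'WriteProtect' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.WriteProtect -eq 1)
}

Set-UsbWriteProtect
if (Test-UsbWriteProtect) {
    Write-Output 'WriteProtect=1 is in place; removable storage connected from now on is read-only.'
} else {
    Write-Output 'WriteProtect is missing or not 1: the registry-based restriction is NOT active.'
}
```

Running only Test-UsbWriteProtect on a schedule, and alerting when it returns $false, is one way to notice the registry-value change the page warns about.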
On Windows servers, operations are typically performed at the command prompt.
In that case, capturing and auditing command prompt operations (commands and parameters) is critical.
| Category | Item | Description |
|---|---|---|
| Deployment benefits | | Internal control (corresponding to IT general controls), regulatory compliance, compliance with the Personal Information Protection Act, internal system audit, P-Mark, ISMS |
| Agent module | Supported OS | Windows 98, Windows 2000, Windows XP, Windows Vista, Windows 7 ※For servers, refer to WEEDS WinServer-Trace. |
| | Load | Agent start-up takes a few minutes at log-in; no perceptible load during operation |
| | Memory | About 8 MB on average (varies with the number of screens) |
| Log | Items captured | As listed above |
| | Encryption | Access logs are generated with proprietary encryption |
| | Transfer | Every 3 minutes and at log-in/log-off |
| | Log volume | 5 KB per operation, 5 MB per day (per unit, on an OS with many operations) |
| Licence system | | Per server/client (OS) |
| Price | | Open (differs between server and client versions) |