
712    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery

security. For example, while it is important to monitor logon attempts to see if someone is hacking a system, it may be unimportant to see if someone is successfully printing to a network printer. Limiting auditing to significant items keeps system performance better and makes analysis of the logged events easier.



NOTE
To review auditing in a Windows environment, see the “Configuring Auditing in Windows XP” exercise (Exercise 1.03) in Chapter 1.





Privilege

Audits can be used to monitor privileges to resources and data, and to reveal incorrect security settings.

■ Reviewing the successes and failures of accounts accessing files allows administrators to determine whether incorrect permissions have been set for accessing files on a network.

■ Monitoring the success and failure of access to other resources (such as printers) can show whether improper permissions have been set.

■ Auditing successful changes to accounts, restarts and shutdowns of systems, and the ability to perform other actions can show whether certain users have more access than they need.

The final item in this list can be a major problem, as users who should not have certain access are able to do such things as delete or modify data, make incorrect system changes, shut down vital systems, or perform other unauthorized tasks. Once incorrect privileges have been identified, an administrator can make the necessary changes to allow access to authorized users and forbid access to unauthorized users. Not monitoring such events makes it possible for such activities to go unnoticed.

Another issue with monitoring privileges involves the detection of viruses. If an account that has Write permissions to a file is unable to modify the file, or an account that does not have write privileges is suddenly able to modify the file, it could mean a virus has infected the system. Scanning the system for viruses may resolve this problem immediately.
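The three reviews listed above (file access, other resource access, and privileged actions such as shutdowns or account changes) all amount to the same check: compare what the audit log says an account actually did against what that account is supposed to be able to do. The script below is an added example, not part of the StudyBook text; the audit records, account names, file and printer names, and the table of intended rights are all constructed for illustration. It flags access that was denied although it was intended (permissions set too tightly, or the "account with Write rights cannot modify the file" case the chapter associates with infection), access that succeeded although it was not intended (over-privilege, or the "account without write rights can suddenly modify the file" case), and privileged actions performed by accounts outside the expected administrative set.

```python
"""Reconcile audit events against intended access rights.

Added example, not from the StudyBook. Every event, account, object
and rights entry below is constructed to show the review the chapter
describes; nothing here is taken from a real system.
"""
from dataclasses import dataclass

# Constructed audit records in the style of object-access and system
# events: "access" is the right exercised, "outcome" what the log recorded.
AUDIT_EVENTS = [
    {"account": "alice", "action": "file_access", "object": "\\\\fs1\\finance\\ledger.xlsx",
     "access": "write", "outcome": "success"},
    {"account": "bob", "action": "file_access", "object": "\\\\fs1\\finance\\ledger.xlsx",
     "access": "read", "outcome": "failure"},
    {"account": "carol", "action": "file_access", "object": "\\\\fs1\\finance\\ledger.xlsx",
     "access": "write", "outcome": "success"},
    {"account": "alice", "action": "file_access", "object": "\\\\fs1\\finance\\ledger.xlsx",
     "access": "write", "outcome": "failure"},
    {"account": "dave", "action": "printer_access", "object": "\\\\print1\\hr-color",
     "access": "print", "outcome": "failure"},
    {"account": "carol", "action": "system_shutdown", "object": "fs1",
     "access": "shutdown", "outcome": "success"},
    {"account": "admin", "action": "account_change", "object": "bob",
     "access": "modify", "outcome": "success"},
]

# Constructed statement of who is *supposed* to hold which rights on which
# object. In practice this comes from the access-control documentation.
INTENDED_RIGHTS = {
    "\\\\fs1\\finance\\ledger.xlsx": {
        "alice": {"read", "write"},
        "bob": {"read"},
        "carol": {"read"},
    },
    "\\\\print1\\hr-color": {"dave": {"print"}},
}

# Constructed list of accounts expected to perform each privileged action.
PRIVILEGED_ACTIONS = {
    "system_shutdown": {"admin"},
    "account_change": {"admin"},
}

RESOURCE_ACTIONS = ("file_access", "printer_access")


@dataclass(frozen=True)
class Finding:
    kind: str      # "too_restrictive", "over_privileged" or "unexpected_privilege"
    account: str
    obj: str
    detail: str


def review_events(events, intended=INTENDED_RIGHTS, privileged=PRIVILEGED_ACTIONS):
    """Return one Finding for every event that contradicts the intended rights."""
    findings = []
    for ev in events:
        acct, obj = ev["account"], ev["object"]
        access, outcome = ev["access"], ev["outcome"]

        if ev["action"] in RESOURCE_ACTIONS:
            allowed = intended.get(obj, {}).get(acct, set())
            if outcome == "failure" and access in allowed:
                # Intended right was denied: permissions set too tightly, or
                # (for a write that should work) possibly tampering.
                findings.append(Finding("too_restrictive", acct, obj,
                                        f"{access} denied although intended"))
            elif outcome == "success" and access not in allowed:
                # Right exercised that was never granted on paper.
                findings.append(Finding("over_privileged", acct, obj,
                                        f"{access} succeeded although not intended"))

        elif ev["action"] in privileged:
            if outcome == "success" and acct not in privileged[ev["action"]]:
                findings.append(Finding("unexpected_privilege", acct, obj,
                                        f"{ev['action']} by non-administrative account"))
    return findings


def summarize(findings):
    """Count findings per kind so the reviewer sees where to look first."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_events(AUDIT_EVENTS)
    for f in results:
        print(f"{f.kind:22} {f.account:8} {f.obj}: {f.detail}")
    print(summarize(results))
```

Run against the constructed records, the review flags bob's denied read and dave's denied print (intended rights that do not work), alice's failed write on a file she is supposed to be able to change, carol's successful write with only read rights, and carol's shutdown of fs1. The "too_restrictive" and "over_privileged" buckets map directly onto the two symptoms the chapter ties to a possible infection; the "unexpected_privilege" bucket covers the restarts, shutdowns and account changes in the third bullet.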





          www.syngress.com