site security: how can I audit what user or machine process has altered a file?

Discussion in 'ASP .Net' started by Ken Fine, Feb 22, 2008.

  1. Ken Fine

    Ken Fine Guest

    I'm having a periodic issue on one of my sites with defacement: people are
    using some process or exploit to replace/deface pages. I want to know how
    exactly they are doing this, and what process or user is doing this. How can
    I best audit what user or machine process has altered a particular file, or
    set up a log on that file for the future? Beyond basic server security, any
    pointers for common strategies to hinder this sort of defacement?

    I'm using Windows Server 2003, ASP.NET, PHP, and classic ASP. I control the
    server entirely.

    Thanks,
    -KF
    Ken Fine, Feb 22, 2008
    #1

  2. "Ken Fine" <> wrote in message
    news:...

    > I want to know how exactly they are doing this


    What's the URL...?


    --
    Mark Rae
    ASP.NET MVP
    http://www.markrae.net
    Mark Rae [MVP], Feb 22, 2008
    #2

  3. Steven Cheng

    Steven Cheng Guest

    Hi KF,

    Do you mean your webserver machine is suffering some attacks recently? For
    file altering, it could be done from either the internal network or
    externally. For internal, you may need to restrict file access on that
    machine more tightly. For external, it is more likely that some external
    users have gained some level of access permissions on your machine.
    Normally, you may first check the IIS webserver security (such as
    installing all the latest patches and applying some good practices):

    #Installing and Securing IIS Servers (Part 1)
    http://www.windowsecurity.com/articles/Installing_Securing_IIS_Servers_Part1.html

    #Tech Tip: Take these steps to secure your IIS Web server
    http://articles.techrepublic.com.com/5100-6350_11-5287646.html

    #IIS Security Checklist
    http://www.washington.edu/computing/support/windows/UWdomains/IISsecchecklist.html

    Sure, there is also some information about building secured ASP.NET
    applications:

    #Building Secure ASP .NET Applications .pdf Download
    http://www.microsoft.com/downloads/details.aspx?FamilyID=055FF772-97FE-41B8-A58C-BF9C6593F25E&displaylang=en

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    ==================================================

    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.



    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.

    ==================================================


    This posting is provided "AS IS" with no warranties, and confers no rights.





    Steven Cheng, Feb 25, 2008
    #3
  4. Ken Fine

    Ken Fine Guest

    Thanks. I'm still curious if there is a way to log what process or user
    altered a particular file, so I can figure out exactly where the attack is
    coming from. Do you know a way to do that?

    Thanks,
    -KF

    Ken Fine, Feb 25, 2008
    #4
  5. Steven Cheng

    Steven Cheng Guest

    Hi KF,

    For file system access monitoring, so far what I can get is Windows's
    own system audit feature:

    #Threats and Countermeasures
    http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx

    However, it does not record both the account and the process; only account
    info may get recorded.

    You may also look for some other file system monitor tools; one is the
    Sysinternals FileMon:

    #FileMon for Windows v7.04
    http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx

    and some other 3rd party ones:

    #Auditing File System Events
    http://dl.scriptlogic.com/landing/file-system-auditor/auditing-file-system-events.aspx?engine=adwords!9443&keyword=(windows%20audit)&match_type=&gclid=CL-U7Ybu4JECFQoXewodZiq3Sw

    http://www.filedudes.com/files/File_System_Monitor.html

    Sincerely,

    Steven Cheng

    Microsoft MSDN Online Support Lead



    This posting is provided "AS IS" with no warranties, and confers no rights.



    Steven Cheng, Feb 26, 2008
    #5
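
Added example, not part of the thread or any poster's code: one way to turn on the Windows audit feature mentioned above for a web content directory, then pull the resulting Security log entries. It assumes PowerShell is installed, the session runs as an administrator, the "Audit object access" policy is already enabled in Local Security Policy, and that `C:\Inetpub\wwwroot` (an assumed path) is the directory being defaced.

```powershell
# Assumed path: replace with the directory whose pages are being altered.
$webRoot = 'C:\Inetpub\wwwroot'

# Audit the operations a defacement needs: writing, deleting, and
# changing permissions or ownership. Read access is left out to keep
# the Security log from filling with normal page requests.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# 'Everyone' so that the IIS worker identity, anonymous web users,
# FTP accounts and interactive logons are all covered by one entry.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate, $flags)

# -Audit loads the SACL as well as the DACL; without it the existing
# audit entries are not read and AddAuditRule would work on an empty list.
$acl = Get-Acl -Path $webRoot -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $webRoot -AclObject $acl

# Confirm the entry is in place.
(Get-Acl -Path $webRoot -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# After the next alteration, list Security log entries that mention the
# directory. Each entry carries the account that performed the access.
Get-EventLog -LogName Security -Newest 5000 |
    Where-Object { $_.Message -like "*$webRoot*" } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, EventID, EntryType, UserName, Message |
    Format-List
```

Size the Security log generously before enabling this on a busy site, and compare the timestamps of the matching entries with the IIS and FTP logs for the same minutes to see which request or logon preceded the change.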