Secure EventSentry Setup
While it is always recommended to set up any software securely, making sure that your EventSentry environment is configured securely is particularly crucial when you use EventSentry to help meet regulatory requirements such as Sarbanes-Oxley or HIPAA.
Follow the steps in this chapter to make your EventSentry setup as secure as possible.
1. Database Security

If you are consolidating events into a central database, you need to make sure that nobody can gain unauthorized access to that database. Anyone who obtains administrative access to the SQL database can compromise the integrity of your audit data by deleting or modifying records.
EventSentry Agents

The EventSentry agents are designed to use only the eventsentry_svc login to access the database, primarily to add data to it. This login is created by the EventSentry setup (MSSQL and MySQL only) or by the Database Setup Wizard.
The eventsentry_svc user is granted only the minimum access it needs to the objects (tables, columns) in the EventSentry database; for example, it cannot retrieve stored event log records. Even if the password were compromised, an intruder could not use it to read useful information from the EventSentry database. Since the login is allowed to add data, a compromised password could still be used to insert bogus records, so protect it like any other service credential.
The password for the eventsentry_svc user is stored in the registry, but only members of the local Administrators group have permission to read the EventSentry configuration in the registry.
EventSentry Web Reports

The EventSentry Web Reports use the eventsentry_web user to access the database, which has a different set of permissions in the EventSentry database than the eventsentry_svc user. The eventsentry_web login is created by the EventSentry setup (MSSQL and MySQL only) or by the Database Setup Wizard.
The eventsentry_web user is granted only the minimum access it needs to the objects (tables, columns) in the EventSentry database; for example, it cannot add or delete event log records. Even if the password were compromised, an intruder could not use it to modify or delete records in the EventSentry database, although it could be used to retrieve data.
The password of the eventsentry_web user is stored in the configuration file of the web reports, WebReportsConfig.xml, which by default is located in the installation folder of EventSentry (e.g. C:\Program Files\EventSentry). Note that files under Program Files inherit Read permissions for the local Users group by default, so restrict the permissions of this file to administrators and the account the web server runs under.
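The following PowerShell script is an added example and not part of EventSentry or its documentation. It removes the inherited permissions from WebReportsConfig.xml, grants read access only to administrators, SYSTEM and the web server's worker identity, and then lists every principal that can still read the file. The path is the default from the text; the web server identity (shown as the IIS application pool identity 'IIS AppPool\DefaultAppPool') is an assumption and must be adjusted to whatever account actually serves the web reports.

```powershell
# Added example (not from EventSentry): lock down the web reports configuration
# file so that only administrators, SYSTEM and the web server identity can
# read the eventsentry_web password stored in it.
# Assumptions: default installation path; the web reports run under the IIS
# application pool identity below (adjust to your environment). Run elevated.
#Requires -RunAsAdministrator
$ConfigFile  = 'C:\Program Files\EventSentry\WebReportsConfig.xml'
$WebIdentity = 'IIS AppPool\DefaultAppPool'   # assumption, not from the page

$acl = Get-Acl -Path $ConfigFile

# Stop inheriting from C:\Program Files (the inherited entries are what grant
# BUILTIN\Users read access) and discard the inherited entries entirely.
$acl.SetAccessRuleProtection($true, $false)

$grants = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $WebIdentity;             Rights = 'Read' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ConfigFile -AclObject $acl

# Verification: every identity that still holds the ReadData bit (FullControl
# and Read both include it). Anything besides the three principals above,
# such as BUILTIN\Users, means the database password is exposed.
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
(Get-Acl -Path $ConfigFile).Access |
    Where-Object { ([int]$_.FileSystemRights -band $readData) -ne 0 } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Run the verification part on its own first to see who can currently read the file; on a default installation the output includes BUILTIN\Users through inheritance, which is the exposure this script removes.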
Encryption

If the EventSentry agents transmit event log data over an untrusted network, we recommend using a Microsoft SQL Server database (2000 or 2005), which can encrypt the SQL communication between the client (any EventSentry agent) and the database server. See Encrypting Network Traffic with MSSQL for more information.
2. EventSentry Agents

Even though the EventSentry agents have a small attack surface and no security vulnerabilities have been discovered in them in the past, it may be desirable to change the account under which the EventSentry service runs.
By default, the EventSentry service runs under the LocalSystem account, which gives the agent nearly unlimited access to most resources on the local machine. This is necessary because a regular user, for example, does not have enough permissions to read the security event log or to read performance data.
If you are running Windows 2000 or later, you can manually change the account the agent runs under by following the steps below:
Create User Account

1. Create a new regular domain user account in your domain, e.g. "EventSentry". It is recommended that you note in the account description that this account is used by the EventSentry agents.

Give Permissions for EventSentry Configuration

2a. Windows 2000: Open the registry editor regedt32.exe and select the key HKLM\Software\netikus.net\EventSentry. Then select Security -> Permissions from the menu and add the newly created user account to the list with Full Control.
2b. Windows 2003, XP: Open the registry editor regedit.exe and select the key HKLM\Software\netikus.net\EventSentry. Then right-click the key, select Permissions from the menu and add the newly created user account to the list with Full Control.
3. If you plan on using debug logging, the new user also needs write access to the %SYSTEMROOT% directory so that the debug log files, which reside in this directory, can be created and updated. Skip this step if you do not use debug logging, since it widens the account's access to the Windows directory.

Give Permissions for Security Event Log

4. Open the Domain Security Policy (Start -> Programs -> Administrative Tools) and navigate to Security Settings -> Local Policies -> User Rights Assignment.
5. Add the new user to Log on as a service.
6. Add the new user to Manage auditing and security log.

Give Permissions for Performance Monitoring

7a. Windows 2000: Open the registry editor regedt32.exe and select the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib. Then select Security -> Permissions from the menu and add the newly created user account to the list with Read permissions.
7b. Windows 2003, XP: Open the registry editor regedit.exe and select the key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib. Then right-click the key, select Permissions from the menu and add the newly created user account to the list with Read permissions.

Change Service

8. Open the Services application (Start -> Programs -> Administrative Tools) and locate the EventSentry service. Double-click the service and select the Log On tab.
9. Select "This account" and specify the new user account for the service.
10. You will have to repeat steps 5-6 on all computers running the EventSentry agent. The registry permissions (steps 2, 3 and 7) and the service logon account (steps 8-9) are also local to each computer, so they must be applied on every agent host as well.
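The PowerShell script below is an added example, not EventSentry's own tooling, that automates steps 2 through 9 on one agent host. It assumes the service is registered as 'EventSentry' and that the account is 'CONTOSO\EventSentry'; both are placeholders to adjust. It sets the two user rights in the local security policy with secedit rather than in the Domain Security Policy used in step 4; if your domain already assigns those rights through Group Policy, set them there instead, because the domain GPO overwrites the local setting on the next policy refresh. Run it elevated on each computer running the agent.

```powershell
# Added example (not part of EventSentry): configure one machine so that the
# agent runs under a dedicated, least-privilege domain account (steps 2-9).
# Assumptions not stated on the page: service name 'EventSentry', account
# 'CONTOSO\EventSentry'. Requires an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [string]$Account     = 'CONTOSO\EventSentry',   # assumed domain account
    [string]$ServiceName = 'EventSentry',            # assumed service name
    [switch]$DebugLogging                            # step 3 is only needed then
)
$ErrorActionPreference = 'Stop'

function Grant-RegistryRight {
    param([string]$Path, [string]$Rights)
    # Adds one inheriting Allow ACE for $Account; existing ACEs are kept.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Account, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-UserRight {
    param([string]$Right)
    # secedit REPLACES the holders of a right with the list in the .inf, so
    # export the current holders first and append our SID instead of
    # silently removing everyone else (a classic way to break a server).
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $export = Join-Path $env:TEMP 'rights-export.inf'
    $apply  = Join-Path $env:TEMP 'rights-apply.inf'
    $db     = Join-Path $env:TEMP 'rights-apply.sdb'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export -Encoding Unicode | Where-Object { $_ -match "^$Right\s*=" }
    $holders = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
    if (($holders -split ',') -contains "*$sid") { return }   # already granted
    $holders = if ($holders) { "$holders,*$sid" } else { "*$sid" }
    @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
      '[Privilege Rights]', "$Right = $holders") | Set-Content $apply -Encoding Unicode
    secedit /configure /db $db /cfg $apply /areas USER_RIGHTS | Out-Null
    Remove-Item $export, $apply, $db -ErrorAction SilentlyContinue
}

# Steps 2a/2b: Full Control on the EventSentry configuration key.
Grant-RegistryRight 'HKLM:\SOFTWARE\netikus.net\EventSentry' 'FullControl'
# Step 7: Read on the performance counter key.
Grant-RegistryRight 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib' 'ReadKey'

# Step 3 (optional): debug logs go to %SYSTEMROOT%. Grant Write on the folder
# itself only (no inheritance); the Windows folder's default CREATOR OWNER
# entry then gives the account control over the files it creates there.
if ($DebugLogging) {
    $acl  = Get-Acl -Path $env:SystemRoot
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'Write', 'None', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $env:SystemRoot -AclObject $acl
}

# Steps 5-6: the two user rights the agent needs, in local policy.
Grant-UserRight 'SeServiceLogonRight'   # Log on as a service
Grant-UserRight 'SeSecurityPrivilege'   # Manage auditing and security log

# Steps 8-9: switch the service's logon account and restart it.
$cred = Get-Credential -UserName $Account -Message "Password for $Account"
$svc  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the assumed service name." }
$r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $Account
    StartPassword = $cred.GetNetworkCredential().Password
}
if ($r.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($r.ReturnValue)" }
Restart-Service -Name $ServiceName
```

After the restart, confirm that the agent still writes events and performance data; a failure to read the Security log or the Perflib key shows up immediately and points at steps 6 or 7 respectively.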