Protect ossec hids from being removed
06-18-2017, 02:45 PM
Post: #1
Protect ossec hids from being removed

This question has been on my mind for a while. How can I protect a file integrity monitor agent (OSSEC HIDS) from being removed by a malicious intruder who may have gained local system privileges on the machine? It seems that if anyone gains administrative privileges, they can easily delete all the files.

Is there a way I can protect such an agent from being deleted on Windows 7 and Windows 10 machines? I've noticed, for example, that commercial AV products protect their agents from being uninstalled using something like a key. Can something similar be implemented?

07-21-2017, 12:36 AM
Post: #2
RE: Protect ossec hids from being removed
You seem to be mixing up local system privileges and admin user privileges. They're not the same: LocalSystem is a very special user on a Windows system. I'm assuming you are referring to admin rights only.

In which case, the answer is 'Yes'. But there's nothing you can do about that, short of write-protecting the drive the files are stored on.

The mechanism is, of course, taking ownership of the files to be deleted and then deleting them. Any Windows admin user can do that, but can't do it without leaving traces. So ... while the files would be gone, the user could be identified from the security log.

If that user also has the rights to clean out the security log, the relevant logs can be deleted. That's one of the reasons why the security log should not be under system admin user control.

A well-configured Windows system leaves administrators as little freedom as necessary, and may allow an admin user 'plausible deniability' (i.e. an admin can deny having read sensitive information). This was an early design decision in Windows. Old UNIX root users could not do so -- though they may now be able to with SELinux.

All file access in Windows is controlled by normal access control, which means that administrators can be denied access by those same controls. There are only two special exceptions to those rules:

1. A file owner can always get access to the file, even if he has configured access to lock himself out. It's not necessarily easy, or neat, but it can be done.

2. An admin user can always take ownership of any file, but not without leaving traces. (And this is why an admin user can delete anything.)

These exceptions are hard-coded into Windows: you can't change them.

You may be asking about recommendations for how to configure things: that I leave to someone who knows your particular setup in detail. But you start from a thorough knowledge of Windows security setup and access control entries.

It's like configuring a router or a firewall. If you're not careful, you lock yourself out of the router (say, by starting with 'DENY ALL' ...) and have to jump through all kinds of hoops in order to get back to the starting line. Actually, fooling around on your own is not recommended unless you do it on a lab VM, where you can fall back on a snapshot of a non-bricked state.

There's a lot of info related to your question. You will find it in Windows sysadmin forums or reference literature, though.

Caveat: It's many years since I did my time as a Windows admin. Things might have changed since then, though I would expect these things to stay pretty much as they are.

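The reply above points out that an admin cannot take ownership of the agent's files and delete them without leaving traces in the Security log, and that clearing the log is itself a trace. The following is an added example, not code from the thread or from OSSEC, showing how a defender could correlate those standard Security log events (4674 privilege use, 4670 permissions changed, 4660/4663 delete, 1102 log cleared) into an alert; the agent path and the event records are constructed sample data.

```python
# Added example (not from the thread): correlate Windows Security events that
# together indicate the "take ownership, then delete" sequence the reply describes,
# applied to a monitored agent directory. The event IDs are the standard Security
# log IDs; the records below are constructed sample data, not real log output, and
# carry only the fields this check needs.
from datetime import datetime, timedelta

AGENT_DIR = r"C:\Program Files (x86)\ossec-agent"   # assumed install path

# Constructed sample events (simplified view of the Security log XML fields).
SAMPLE_EVENTS = [
    {"id": 4674, "time": "2017-06-18T14:40:01", "user": "bob",
     "object": AGENT_DIR + r"\ossec-agent.exe", "privilege": "SeTakeOwnershipPrivilege"},
    {"id": 4670, "time": "2017-06-18T14:40:02", "user": "bob",
     "object": AGENT_DIR + r"\ossec-agent.exe", "privilege": ""},
    {"id": 4660, "time": "2017-06-18T14:40:05", "user": "bob",
     "object": AGENT_DIR + r"\ossec-agent.exe", "privilege": ""},
    {"id": 4660, "time": "2017-06-18T15:10:00", "user": "alice",
     "object": r"C:\Users\alice\notes.txt", "privilege": ""},
    {"id": 1102, "time": "2017-06-18T14:41:00", "user": "bob",
     "object": "Security", "privilege": ""},
]

OWNERSHIP_EVENTS = {4670, 4674}   # permissions/owner changed, SeTakeOwnershipPrivilege used
DELETE_EVENTS = {4660, 4663}      # object deleted, or delete access granted on a handle
LOG_CLEARED = 1102                # the Security log itself was cleared

def in_agent_dir(path):
    return path.lower().startswith(AGENT_DIR.lower())

def correlate(events, window=timedelta(minutes=10)):
    """Return (alert_type, user, time) tuples for: a deletion under AGENT_DIR
    preceded within `window` by an ownership/permission change by the same
    user, and for any clearing of the Security log."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["time"])   # ISO-8601 sorts lexically
    for e in ordered:
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == LOG_CLEARED:
            alerts.append(("log_cleared", e["user"], ts))
            continue
        if e["id"] not in DELETE_EVENTS or not in_agent_dir(e["object"]):
            continue
        # Look back for an ownership/permission change on the agent files by the
        # same subject inside the correlation window.
        prior = [p for p in ordered
                 if p["id"] in OWNERSHIP_EVENTS and p["user"] == e["user"]
                 and in_agent_dir(p["object"])
                 and 0 <= (ts - datetime.fromisoformat(p["time"])).total_seconds()
                        <= window.total_seconds()]
        if prior:
            alerts.append(("agent_tampering", e["user"], ts))
    return alerts
```

Running `correlate(SAMPLE_EVENTS)` flags bob's delete of the agent binary as tampering and his subsequent log clear, while alice's unrelated deletion is ignored; in practice the events would be read from the forwarded Security log on a collector the local admin cannot clear.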