Auditing Security Principles
As discussed in section 3 (Basic Auditing Concepts), there are two basic ways to audit equipment automatically: machine auditing agents (such as EntAudit.exe), which run on the PC being audited, and network auditing agents (such as ENT NetCenter and ENT Network Monitor), which query PCs remotely.
In terms of security, network auditing agents always increase the risk profile of the network to some degree. Whether that increase is significant depends on your particular network.
The reason network auditing agents are less secure than machine auditing agents is that every Windows PC you want to audit remotely must accept WMI connections from at least one other machine on the network (the machine performing the remote audit).
Accepting administrative traffic from a single, known machine is not what most companies would call a security risk (it is in fact a fairly tight configuration). However, if you want to perform remote network audits from several PCs (for example, several technicians each with ENT NetCenter installed), then in practical terms you will have to configure an exception in the Windows firewall of every Windows XP/2003 machine to allow administrative traffic from all sources on the local subnet. Note that this involves more than a single port: WMI runs over DCOM, so the audited machine must accept connections on TCP port 135 (the RPC endpoint mapper) and then on the dynamically assigned port that DCOM hands back for the actual WMI session. The Windows XP SP2/2003 firewall's Remote Administration exception opens TCP 135 and 445 plus those dynamic ports as a unit, which is why it is usually enabled as a whole rather than port by port.
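The following is an added example, not part of the ENT documentation, showing the difference between the subnet-wide exception described above and a tighter one that admits only the technicians' PCs. It assumes two auditing hosts at 192.0.2.10 and 192.0.2.11 (hypothetical addresses) and an audited PC named PC01 on the same /24; the `New-NetFirewallRule` family of cmdlets exists on Windows 8/2012 and later, while the `netsh firewall` lines are the older XP SP2/2003 syntax.

```powershell
# Added example (not ENT's own code): scope the WMI/DCOM firewall exception to
# the auditing hosts instead of the whole subnet. Run elevated on the PC being audited.
# Assumed: the technicians' ENT NetCenter PCs are 192.0.2.10 and 192.0.2.11.
$auditHosts = @('192.0.2.10', '192.0.2.11')

# --- Windows 8 / Server 2012 and later (NetSecurity module) ---

# Weak setting: the built-in WMI rule group opened to every host on the subnet.
# Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
#     Where-Object { $_.Direction -eq 'Inbound' } |
#     Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress LocalSubnet

# Tightened setting: the same rule group (it covers TCP 135 for the endpoint
# mapper and the dynamic DCOM port used by the WMI session), but only the
# listed auditing hosts may connect.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -Enabled True -Profile Domain -RemoteAddress $auditHosts

# Check what is actually open: list the inbound WMI rules with their remote scope.
Get-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-45} Enabled={1,-5} Remote={2}' -f $_.DisplayName, $_.Enabled, ($addr -join ',')
    }

# --- Windows XP SP2 / Server 2003 (legacy "netsh firewall" context) ---
# Weak:      netsh firewall set service type=remoteadmin mode=enable scope=subnet
# Tightened: netsh firewall set service type=remoteadmin mode=enable scope=custom addresses=192.0.2.10,192.0.2.11

# From one of the auditing hosts, confirm the WMI session works over DCOM
# (Get-WmiObject uses DCOM, not WinRM, so it exercises the same path ENT NetCenter needs):
# Get-WmiObject -Class Win32_OperatingSystem -ComputerName PC01 | Select-Object CSName, LastBootUpTime
# From a host that is not in $auditHosts the same call should fail with "The RPC server is unavailable".
```

The point of the check at the end is that "only my technicians can reach WMI" is a claim you can test from both sides: a successful query from a listed host and an RPC failure from an unlisted one together confirm the scope, whereas the rule listing alone only tells you what the firewall believes.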

WMI has a security layer of its own, so even with these ports open, only administrators will generally be able to read system information through it: by default, local administrators are the only accounts that hold both the Remote Enable permission on the WMI namespaces and the DCOM remote launch and activation rights a remote caller needs. However, since WMI rides on the RPC/DCOM transport, the endpoint mapper on port 135 serves every RPC interface registered on the machine, not just WMI. There is no telling what other RPC traffic may pass in and out of the firewall on those remote machines if other pieces of software on them also answer RPC calls.
Whether RPC calls from within your own subnet are a genuine threat or merely a paranoid concern is arguable and depends on your particular network. Companies that often have untrusted people on their network with their own notebooks may simply choose to block RPC traffic entirely, as a matter of policy. Others block RPC ports to limit the spread of viruses and worms that take advantage of weaknesses in insecure applications using this protocol; the Blaster worm of 2003, which spread through the RPC/DCOM endpoint on port 135, is the classic example. At the end of the day this is your call, and you need to know a little about security attacks involving RPC to make an informed decision.
Machine auditing agents, of course, require no WMI or RPC traffic on the network, since they perform the PC audit locally. Network communication may not be needed at all, and where it is needed it does not take place until the post-back phase, which uses SMTP or HTTP; both are connections initiated by the audited PC, so no inbound firewall exception is required. So if RPC traffic is a concern to you, machine auditing agents definitely provide the more secure solution.
One disadvantage of machine auditing agents is that they are generally more effort to deploy and maintain. A middle ground between the two solutions, which addresses the security concerns, is to use EntAudit.exe to audit machines locally and then use ENT Network Monitor to collect those audit snapshots automatically and post them to your ENT Server.

With this arrangement we would not need to configure any firewall exceptions or allow WMI/RPC traffic on the network, and we would still get a degree of automation in the audit process itself, making the auditing solution somewhat easier to manage.
About the only other disadvantage of machine auditing agents is that they give no warning when a machine disappears from the network entirely. So if the physical security of the computers on your network is at risk, there is also something to be said for network auditing. Without a network auditing agent, the only indication you have of whether a machine is still physically present is the date and time it was last audited. ENT Server records this when it processes an audit snapshot, so if you want to use machine auditing agents and are worried about machines physically disappearing, you can generate reports or configure alerts for machines that have not been audited within a certain timeframe. Bear in mind that this timestamp only proves the machine was present at its last scheduled audit, so the alert will lag by at least one audit interval; set the threshold as a multiple of the audit schedule rather than a fixed number of days.
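The stale-audit report described above, as an added example that is not ENT Server's own reporting code. It assumes a per-machine export from ENT Server with `Machine` and `LastAudited` columns (the exact export format is not specified on this page); the four rows below are constructed inline so the script runs without a server, and the threshold is expressed as a number of missed audit intervals, as the paragraph recommends.

```powershell
# Added example (not ENT Server's own code): flag machines whose last audit
# snapshot is older than N audit intervals. Assumed input: a CSV export from
# ENT Server with Machine and LastAudited columns. The rows below are constructed.
$csv = @'
Machine,LastAudited
PC01,2023-05-01 09:12
PC02,2023-04-27 18:40
LAPTOP07,2023-03-30 08:05
SRV02,2023-05-02 02:00
'@

function Get-StaleAudits {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [datetime] $Now = (Get-Date),
        [int] $AuditIntervalDays = 7,    # how often the machine agents are scheduled to run
        [int] $MissedAudits = 2          # how many scheduled audits may be missed before alerting
    )
    # A machine is stale once it has missed $MissedAudits consecutive audits;
    # one missed audit is usually just a PC that was switched off that day.
    $threshold = $Now.AddDays(-($AuditIntervalDays * $MissedAudits))
    $CsvText | ConvertFrom-Csv | ForEach-Object {
        $last = [datetime]::ParseExact($_.LastAudited, 'yyyy-MM-dd HH:mm', $null)
        [pscustomobject]@{
            Machine     = $_.Machine
            LastAudited = $last
            DaysSince   = [int]($Now - $last).TotalDays
            Stale       = ($last -lt $threshold)
        }
    }
}

# Evaluate against a fixed "now" so the sample output is reproducible.
$intervalDays = 7
$missed       = 2
$report = Get-StaleAudits -CsvText $csv -Now ([datetime]'2023-05-02 12:00') `
                          -AuditIntervalDays $intervalDays -MissedAudits $missed
$report | Sort-Object LastAudited | Format-Table -AutoSize

# Only the stale machines warrant an alert (here LAPTOP07); wire this to
# e-mail or ticketing as appropriate for your environment.
$stale = @($report | Where-Object Stale)
if ($stale.Count -gt 0) {
    Write-Warning ('{0} machine(s) not audited in {1}+ days: {2}' -f
        $stale.Count, ($intervalDays * $missed), ($stale.Machine -join ', '))
}
```

Running the block as written lists all four machines with their age in days and raises a single warning for LAPTOP07, whose last snapshot is more than two weekly audit intervals old; PC02, which missed only one audit, is deliberately not reported, which is the reason the threshold is expressed in intervals rather than days.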