Article created 2003-05-12 by
Creating a hardened log host
A hardened log host is a system that is especially configured to prevent
malicious users from modifying any log data stored on it. It is useful wherever
tampering with log data must be ruled out, and setting up a proper hardened
host can definitely help if evidence is needed for a crime investigation.
It is beyond the scope of this document to describe all steps necessary to set
up a fully hardened log host that can be used in forensic log analysis – but
this guide should be a good starting point.
Please note that this Step-By-Step guide does not go into the same detail as
most of the others. Most importantly, screenshots are more or less missing. We
highly recommend checking other security sources as well as your local
authorities, as security needs change quickly. We are focusing on Windows 2000
in this guide, as at the time of this writing it is the most common platform
for creating a secure central log server with Adiscon products.
If you have a Windows 2000 machine installed with the default setup, there are
a number of essential steps to do before moving it into production:
Ensure physical security of the machine. A malicious person with physical
access to the machine can overcome any software limitation!
Uninstall Internet Information Server (IIS) – there are many issues associated
with IIS and it will definitely introduce a security weakness when left on the
machine. Make sure you uninstall it – it is installed by default.
For the same reason, do not install any other web server – there are too many
vulnerabilities in all products and the HTTP protocol itself (this is not a
popular opinion but one proved in reality).
Rename your "Administrator" account. Give it a name that is not related to
administrative functions. "Admin", "Supervisor" or "root" would be bad names –
"Tom" or "Jerry" would be good ones. Take a note of the new admin account name!
Be sure to use a strong password for the administrator account – one with at
least 8 characters and consisting of numeric, alphabetic and special
Create a backup administrator account with a good name and password – as above.
Be sure to store the name and password in a safe. We have too often seen highly
secured systems locking out their legal owners – be sure to have a backup!
Be sure to apply the latest service pack (even though you might not like it on
other machines) and the latest security patches. A good place to check for new
patches is www.microsoft.com/security.
Do not rely solely on Windows Update (it has been seen to miss patches).
Also, be sure to install patches in the order in which they were released:
older patches have been seen to overwrite parts of newer patches when
installed in any other order.
Stop and uninstall all services that need not be present on the machine. For
a highly secure system, be sure to remove the bindings for the file server.
Follow the basic guideline: "as few services as possible".
Using a firewall, Windows IP filters, or both, block all traffic to and from
the machine. Open up only the ports that you definitely need (that is,
514/UDP for syslog and 5432/TCP for SETP).
Double-check that terminal services and telnet are not available on the
Make a full backup of the system, including the emergency repair disk. Make
sure all disks are protected by fault tolerance, that is either RAID 5 or disk
mirroring. Ensure that a proper backup procedure is in place.
Check with your legal advisor if physically read-only media is required for
storing your log files. If so, ensure that files are periodically written to
CD-R or a similar media (do not use CD-RW or any other rewritable media!).
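The service and port steps above can be re-checked after the host is set up. The following audit script is an added example, not part of the original Adiscon guide; it assumes a modern Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later, not Windows 2000), and uses the guide's own allow-list of 514/UDP and 5432/TCP plus the standard service names TlntSvr and TermService for Telnet and Terminal Services.

```powershell
# Added audit script, not part of the original Adiscon guide. Assumes a modern
# Windows host with the NetTCPIP module (Windows 8 / Server 2012 or later);
# Windows 2000, the guide's platform, cannot run it. It checks the host against
# the guide's own allow-list: only 514/UDP (syslog) and 5432/TCP (SETP) may
# listen, and Telnet / Terminal Services must not be running.

# Allow-list from the guide: protocol -> ports that may listen.
$Allowed = @{ 'UDP' = @(514); 'TCP' = @(5432) }

# Standard Windows service names for Telnet and Terminal Services (Remote Desktop).
$ForbiddenServices = @('TlntSvr', 'TermService')

function Get-UnexpectedListener {
    # Normalise TCP and UDP listeners to one shape, then drop allow-listed ports.
    $tcp = @(Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; Addr = $_.LocalAddress; Port = $_.LocalPort; Pid = $_.OwningProcess } })
    $udp = @(Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; Addr = $_.LocalAddress; Port = $_.LocalPort; Pid = $_.OwningProcess } })
    ($tcp + $udp) | Where-Object { $Allowed[$_.Proto] -notcontains [int]$_.Port }
}

function Get-ForbiddenRunningService {
    Get-Service | Where-Object { $ForbiddenServices -contains $_.Name -and $_.Status -eq 'Running' }
}

$listeners = @(Get-UnexpectedListener)
$services  = @(Get-ForbiddenRunningService)

if ($listeners.Count -eq 0 -and $services.Count -eq 0) {
    Write-Output 'OK: only the syslog and SETP ports are listening; Telnet and Terminal Services are stopped.'
    exit 0
}

# Report every deviation with its owning process, so it can be traced back to a
# service to stop or a binding to remove (exit code 1 lets a scheduled task alert on it).
foreach ($l in $listeners) {
    $name = (Get-Process -Id $l.Pid -ErrorAction SilentlyContinue).ProcessName
    Write-Output ('UNEXPECTED LISTENER: {0} {1}:{2} (pid {3} {4})' -f $l.Proto, $l.Addr, $l.Port, $l.Pid, $name)
}
foreach ($s in $services) {
    Write-Output ('FORBIDDEN SERVICE RUNNING: {0} ({1})' -f $s.Name, $s.DisplayName)
}
exit 1
```

Loopback-only listeners are reported too; decide per service whether such a binding is acceptable or should be removed as the guide suggests.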