Category Archives: File Integrity

Verify Permissions on files (Windows)

Objective

  • Changes to the permissions on files could block security settings from being applied.
  • Changes to the permissions on files could leak sensitive information.
  • Changes to the permissions on files could lead to a system compromise.
  • Audit file permissions and flag any deviation from the expected baseline.

Manual audit with PowerShell

View the permissions on the Application log file with PowerShell:

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | fl
Path : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx
Owner : NT AUTHORITY\LOCAL SERVICE
Group : NT AUTHORITY\LOCAL SERVICE
Access : NT SERVICE\EventLog Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
Audit :
Sddl : O:LSG:LSD:AI(A;ID;FA;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)(A;ID;FA;;;SY)(A;ID;FA;;;BA)

Audit with Nessus auditfile

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
 
<file_acl: "ACL_WINEVT_LOGS_application.evtx">
<user: "Administrators">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
 
<user: "System">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
 
<user: "EventLog">
acl_inheritance: "inherited"
acl_apply: "this object only"
acl_allow: "full control"
</user>
</acl>
 
<custom_item>
type: FILE_PERMISSIONS
description: "Audit file permissions on %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type: FILE_ACL
value_data: "ACL_WINEVT_LOGS_application.evtx"
file: "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx"
</custom_item>
 
</group_policy>
</check_type>

Error

Running this audit file against this specific file results in an error: the Event Log service keeps the .evtx open with a lock, and the FILE_PERMISSIONS check tries to open the file itself, so it fails with FILE_ERROR_FILE_CREATE even though the file exists and the scan credentials are sufficient.

Windows Compliance Checks, version 1.263
 
Which file contains your security policy : SMB login : stty: 'standard input': Inappropriate ioctl for device
SMB password : stty: 'standard input': Inappropriate ioctl for device
 
SMB domain (optional) : "Audit for %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx": [ERROR]
 
FILE_ERROR_FILE_CREATE: the file could not be opened. It could not be found or permissions were insufficient
 
file: C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx

Alternative approach

We can use the PowerShell cmdlet Get-Acl to perform the audit instead. Get-Acl only reads the security descriptor and never opens the log for data access, so the lock held by the Event Log service does not get in the way (the manual audit above worked for the same reason).
We run the command and filter out the known-good identities, so that any remaining output is a deviation. Note that this filter only catches unexpected principals: it does not verify the rights granted to the expected ones, does not distinguish Allow from Deny entries, and matches on display names rather than SIDs.

get-acl "C:\Windows\SYSTEM32\WINEVT\LOGS\application.evtx" | select -ExpandProperty access | select IdentityReference, FileSystemRights | Where {$_.IdentityReference -ne "NT SERVICE\EventLog" -and $_.IdentityReference -ne "NT AUTHORITY\SYSTEM" -and $_.IdentityReference -ne "BUILTIN\Administrators" }
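The one-liner above flags unexpected principals only. The following script is an added example, not code from the original post: it audits all three event logs referenced by STIG V-63533, V-63537 and V-63541 against an explicit baseline, matches principals by SID instead of display name, compares the granted rights, flags Deny entries, and reports missing principals. It assumes an elevated session and the default ACL shown in the Get-Acl output above (SYSTEM, Administrators and NT SERVICE\EventLog, each with FullControl); the EventLog service SID is the S-1-5-80-... value from that output's SDDL.

```powershell
# Added example (not from the original post): audit the ACLs of the three
# Windows event log files against an expected baseline. Principals are matched
# by SID rather than by display name, rights are compared rather than only the
# principal list, and Deny ACEs are flagged.
# Assumptions: an elevated session and the default ACL shown in the Get-Acl
# output above. Get-Acl only reads the security descriptor, so the Event Log
# service's lock on the .evtx files does not interfere.

# Baseline keyed by SID. The EventLog service SID is the S-1-5-80-... value
# from the SDDL output above; S-1-5-18 is SYSTEM, S-1-5-32-544 is Administrators.
$ExpectedAcl = @{
    'S-1-5-18'                                                      = 'FullControl'
    'S-1-5-32-544'                                                  = 'FullControl'
    'S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122' = 'FullControl'
}

function Test-FileAclBaseline {
    param(
        [Parameter(Mandatory)] [string]    $Path,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $findings = @()
    $acl = Get-Acl -LiteralPath $Path
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $seen = @{}
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        $seen[$sid] = $true
        if ($rule.AccessControlType -ne 'Allow') {
            # The baseline has no Deny entries; any Deny is worth a look.
            $findings += "Deny ACE for $sid ($($rule.FileSystemRights))"
            continue
        }
        if (-not $Expected.ContainsKey($sid)) {
            $findings += "Unexpected principal $sid with $($rule.FileSystemRights)"
        }
        elseif ($rule.FileSystemRights -ne $Expected[$sid]) {
            # Some inherited ACEs surface as numeric generic rights
            # (e.g. 268435456 = GENERIC_ALL); those show up here for review.
            $findings += "$sid has $($rule.FileSystemRights), expected $($Expected[$sid])"
        }
    }
    foreach ($sid in $Expected.Keys) {
        if (-not $seen.ContainsKey($sid)) { $findings += "Expected principal $sid is missing" }
    }
    [pscustomobject]@{
        Path      = $Path
        Owner     = $acl.Owner
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$logs = 'Application', 'Security', 'System' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\winevt\Logs\$_.evtx" }

$results = foreach ($log in $logs) { Test-FileAclBaseline -Path $log -Expected $ExpectedAcl }
$results | Format-Table Path, Owner, Compliant, @{ n = 'Findings'; e = { $_.Findings -join '; ' } } -AutoSize

# Non-zero exit code when anything deviates, so a scheduled job can gate on it
# the same way the Nessus CHECK_EQUAL / empty-output check does.
if ($results.Compliant -contains $false) { exit 1 }
```

Because the comparison is by SID, the check keeps working on systems with a different display language or a renamed Administrators group, and an attacker cannot hide an extra ACE behind a look-alike account name. Keep the baseline hashtable under change control: it is the statement of what "known good" means for these files.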

New Nessus Auditfile Check

<check_type: "Windows" version:"2">
<group_policy: "MS Windows Server">
 
<custom_item>
type : AUDIT_POWERSHELL
description : "Audit file permissions on %SystemRoot%\SYSTEM32\WINEVT\LOGS\application.evtx"
value_type : POLICY_TEXT
value_data : ""
powershell_args : 'get-acl \\"C:\\Windows\\SYSTEM32\\WINEVT\\LOGS\\application.evtx\\" | select -ExpandProperty access | select IdentityReference, FileSystemRights | Where {$_.IdentityReference -ne \\"NT SERVICE\\EventLog\\" -and $_.IdentityReference -ne \\"NT AUTHORITY\\SYSTEM\\" -and $_.IdentityReference -ne \\"BUILTIN\\Administrators\\" }'
check_type : CHECK_EQUAL
powershell_option : CAN_BE_NULL
</custom_item>
 
</group_policy>
</check_type>

References

  • V-63533 – Permissions for the Application event log must prevent access by non-privileged accounts.
  • V-63537 – Permissions for the Security event log must prevent access by non-privileged accounts.
  • V-63541 – Permissions for the System event log must prevent access by non-privileged accounts.

Check Windows File Integrity with sfc and powershell

Objective

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) have not been altered.
Critical Security Control #3: Secure Configurations for Hardware and Software – System 3.5

SFC and PowerShell

Windows contains a built-in utility called sfc (System File Checker) to verify and repair the integrity of protected Windows system files.
Let's have a quick look at what this utility and some PowerShell can do for us.
The flags differ on older versions of Windows, so check its options (sfc /?) before running the commands below.
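As an added example, not code from the original post (whose own commands are not on this page): a verify-only sfc pass driven from PowerShell, the sfc findings pulled out of CBS.log, and a Get-FileHash baseline for files that sfc does not protect. It assumes an elevated session, CBS.log at its default location %WinDir%\Logs\CBS\CBS.log, and a baseline path of your choosing; the function names are mine.

```powershell
# Added example (not from the original post). Assumptions: elevated session,
# CBS.log at %WinDir%\Logs\CBS\CBS.log, a baseline file path chosen by you.

function Invoke-SfcVerify {
    # /verifyonly reports protected files that fail integrity checks without
    # repairing them; /scannow repairs. sfc.exe writes UTF-16 to the console,
    # so switch the console encoding for the call, otherwise the captured text
    # contains a null between every character.
    $previous = [Console]::OutputEncoding
    [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
    try     { & "$env:SystemRoot\System32\sfc.exe" /verifyonly 2>&1 | Out-String }
    finally { [Console]::OutputEncoding = $previous }
}

function Get-SfcFindings {
    param([string]$CbsLog = "$env:SystemRoot\Logs\CBS\CBS.log")
    # sfc logs every step tagged [SR]; drop the routine progress lines so only
    # integrity problems remain ("Cannot repair member file ...",
    # "Repairing corrupted file ...", "This component was referenced by ...").
    Select-String -LiteralPath $CbsLog -Pattern '\[SR\]' |
        ForEach-Object { $_.Line } |
        Where-Object { $_ -notmatch 'Beginning Verify|Verifying \d+|Verify complete' }
}

function New-HashBaseline {
    param([string[]]$Path, [string]$BaselineFile)
    # SHA-256 of every file under the given roots, stored as CSV for later comparison.
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
}

function Compare-HashBaseline {
    param([string]$BaselineFile)
    # Report files whose hash changed or which disappeared since the baseline.
    foreach ($entry in Import-Csv -LiteralPath $BaselineFile) {
        if (-not (Test-Path -LiteralPath $entry.Path)) {
            [pscustomobject]@{ Path = $entry.Path; Status = 'Missing' }
            continue
        }
        $current = (Get-FileHash -LiteralPath $entry.Path -Algorithm SHA256).Hash
        if ($current -ne $entry.Hash) {
            [pscustomobject]@{ Path = $entry.Path; Status = 'Modified' }
        }
    }
}

# Usage (elevated): run the verify-only scan, then list what sfc logged.
Invoke-SfcVerify | Write-Host
Get-SfcFindings | Select-Object -Last 20

# Baseline the directories you care about once, then compare on a schedule.
$baseline = "$env:ProgramData\integrity-baseline.csv"
New-HashBaseline -Path "$env:SystemRoot\System32\drivers" -BaselineFile $baseline
Compare-HashBaseline -BaselineFile $baseline
```

Two caveats a practitioner will hit: a hash baseline of system directories goes stale with every Windows Update, so re-baseline right after patching rather than suppressing the noise; and the baseline CSV is itself a target, so store it where the machine being checked cannot rewrite it (a read-only share, a signed copy, or the host of your scheduled job).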
