Have you discovered a hole in your Virtual Server 2005 security? This article will offer some advice on proactive event log collection for Virtual Server 2005 so that if a security breach does occur, you will be able to collect more evidence on what actually happened. The previous article in this series taught you how to secure remote access to the Virtual Server 2005 host machine.
You will have a much easier time reconstructing a security breach if you have been monitoring and collecting the appropriate log information. In this case we are interested in information pertaining to Virtual Server 2005. Culling the right information from log files is tricky enough; if the information was never recorded to begin with, it becomes an exercise in frustration. Most of the information is logged by default. The Security log in Event Viewer, however, is of no use unless the appropriate auditing was already in place before the breach.
To begin, you will want to turn on the appropriate auditing for security events. This can be done through the "Local Security Policy" MMC snap-in, which can be found under "Administrative Tools - Local Security Policy". The figure below shows the settings that we are looking for.
[IMAGE]
At the very least, you will want to audit "Success and Failure" of "process tracking" and "object access." The reason will become apparent shortly. After you have set up the auditing policy, you will need to set up which folders you want to audit for "object access." You will probably want to audit the root directory where your virtual machines are stored along with the subfolders under that root directory and the root directory where Virtual Server 2005 is installed along with the subfolders under that root directory.
To set the auditing, right-click on the root folder in question and select Properties. Click on the Security tab. Click the Advanced button. Click on the Auditing tab and then click on the Add button. In the "Enter the object name to select" box, type "Everyone" and then click OK. In the Auditing Entry window, check "Full Control" for both Successful and Failed. Make sure that "Apply onto:" is set to "This folder, subfolders and files" and then click OK until you exit the folder Properties dialog. The final selection for auditing the folder will look similar to the figure below.
[IMAGE]
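The same audit entry can be applied without clicking through the dialog. The following PowerShell script is an added example and is not part of the original article; it uses the .NET FileSystemAuditRule API to place an "Everyone / Full Control / Success and Failure" audit entry, inherited to subfolders and files, on each folder root. The two folder paths are assumptions and should be replaced with the VM storage root and the Virtual Server 2005 install root used on your host.

```powershell
# Added example, not a script from the article: set the same folder audit entry the
# article walks through in the Properties > Security > Advanced > Auditing dialog.
# Run in an elevated PowerShell session on the Virtual Server 2005 host; reading and
# writing a SACL needs SeSecurityPrivilege. The two paths are assumptions - substitute
# the VM storage root and the Virtual Server 2005 install root used on your host.
$foldersToAudit = @(
    'D:\VirtualMachines',                          # assumed root where the virtual machines are stored
    'C:\Program Files\Microsoft Virtual Server'    # assumed Virtual Server 2005 install root
)

foreach ($folder in $foldersToAudit) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping '$folder': folder not found"
        continue
    }

    # Everyone / Full Control / "This folder, subfolders and files" / Success and Failure.
    # PowerShell converts the quoted names to the matching .NET enum values.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'FullControl',
        'ContainerInherit, ObjectInherit',   # inherit to subfolders and files
        'None',
        'Success, Failure'
    )

    # -Audit makes Get-Acl/Set-Acl operate on the SACL (audit entries), not only the DACL.
    $acl = Get-Acl -LiteralPath $folder -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl

    # Read the SACL back so the result can be checked against the article's figure.
    Write-Output "Audit entries now on $folder :"
    (Get-Acl -LiteralPath $folder -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
        Format-Table -AutoSize
}
```

The SACL on its own produces nothing: the "Audit object access" policy from the Local Security Policy step above must be enabled for Success and Failure, otherwise the folder entry is silently ignored and the Security log stays empty of file events.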
Now that the appropriate security auditing is set up, your Virtual Server 2005 Host Machine will be doing some extra logging. Without proper event log management, the most useful information in the event logs might be overwritten. You will probably want to archive the event logs from the Virtual Server 2005 Host Machine periodically so that you can safely clear the event logs.
While this could be accomplished manually, human error suggests that this kind of task will be forgotten at least once in a lifetime. There are many commercial products for aggregating and archiving event logs; on a limited budget, however, such luxuries usually must be homebrewed by the creative system administrator.
Whenever I need to automate a task I usually turn to some form of scripting. The following script will back up the Virtual Server, Application, System, and Security event logs to a location on the system drive where the script is run. Then, the event logs will be cleared. To use this script, two items need to be in place: a folder named "c:\event_log_backups" and a text file named "servers.txt" containing the list of servers to be backed up. The "servers.txt" file needs to be in the same directory where the script will run. These requirements can, of course, be changed to suit your preferences by editing the script. An example of the format of the "servers.txt" file is listed below.
hostname1
hostname2
hostname3
hostname4
The script is listed below.
Code
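The author's script is not reproduced on this page. As an added example that is not the author's code, the PowerShell script below performs the task described above: for each host in servers.txt it backs up the Virtual Server, Application, System and Security logs through the WMI Win32_NTEventLogFile class and clears each log only after its backup has been copied into c:\event_log_backups. Beyond what the article states, it assumes the Virtual Server 2005 log is registered under the name "Virtual Server", that c:\event_log_backups also exists on each remote host (WMI writes the .evt file on the host being backed up before it is copied over the administrative share), and that the account running the script is a local administrator on those hosts.

```powershell
# Added example, not the author's script: back up and clear event logs on every host
# listed in servers.txt, following the folder layout the article describes.
#   - servers.txt sits next to this script, one hostname per line
#   - C:\event_log_backups is the archive folder on the machine running the script
# Assumptions beyond the article: the Virtual Server 2005 log is named 'Virtual Server',
# C:\event_log_backups also exists on each remote host, and the caller is an admin there.
$backupRoot = 'C:\event_log_backups'
$serverList = Join-Path -Path $PSScriptRoot -ChildPath 'servers.txt'
$logNames   = @('Virtual Server', 'Application', 'System', 'Security')
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

$servers = Get-Content -LiteralPath $serverList | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }

foreach ($server in $servers) {
    # One subfolder per host keeps archives from different machines apart.
    $localDir = Join-Path $backupRoot $server
    if (-not (Test-Path -LiteralPath $localDir)) {
        New-Item -ItemType Directory -Path $localDir | Out-Null
    }

    foreach ($logName in $logNames) {
        # -EnableAllPrivileges turns on SeBackupPrivilege/SeSecurityPrivilege, which
        # BackupEventlog and ClearEventlog on the Security log require.
        $log = Get-WmiObject -Class Win32_NTEventLogFile -ComputerName $server `
                   -EnableAllPrivileges -Filter "LogFileName='$logName'"
        if (-not $log) {
            Write-Warning "${server}: log '$logName' not found"
            continue
        }

        # BackupEventlog interprets the path on the remote host, so the .evt lands there first.
        $remoteFile = Join-Path $backupRoot ('{0}_{1}.evt' -f ($logName -replace ' ', ''), $stamp)
        $backup = $log.BackupEventlog($remoteFile)
        if ($backup.ReturnValue -ne 0) {
            Write-Warning "${server}: backup of '$logName' failed (code $($backup.ReturnValue)); log NOT cleared"
            continue
        }

        # Copy the archive back over the admin share (C:\... -> \\server\C$\...).
        $uncFile = '\\{0}\{1}' -f $server, ($remoteFile -replace '^([A-Za-z]):', '$1$$')
        try {
            Copy-Item -LiteralPath $uncFile -Destination $localDir -ErrorAction Stop
        } catch {
            Write-Warning "${server}: could not copy $uncFile ($($_.Exception.Message)); log NOT cleared"
            continue
        }

        # Clear only once the archive is confirmed to exist locally.
        $copied = Join-Path $localDir (Split-Path -Path $remoteFile -Leaf)
        if (Test-Path -LiteralPath $copied) {
            $clear = $log.ClearEventlog()
            if ($clear.ReturnValue -ne 0) {
                Write-Warning "${server}: clear of '$logName' failed (code $($clear.ReturnValue))"
            } else {
                Write-Output "${server}: archived and cleared '$logName' -> $copied"
            }
        }
    }
}
```

The script refuses to clear a log whose backup failed or did not arrive in the archive folder, since the whole point of the exercise is never to lose evidence. Clearing the Security log itself leaves an audit record in the freshly cleared log, which is worth knowing when reading a host's history later.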
In the next article, Examining the compromised Virtual Server host, I will walk you through some steps that you might want to take before powering down a Virtual Server 2005 host for a security breach investigation.
About the author: Harley Stagner has been an IT professional for almost eight years. He has a wide range of knowledge in many areas of the IT field, including network design and administration, scripting and troubleshooting. Of particular interest to Harley is virtualization technology. He was the technical editor for Chris Wolf and Erick M. Halter's book Virtualization: From Desktop to the Enterprise and currently writes his own blog at www.harleystagner.com.